JDY Botnet: How a Reconnaissance Network Became the Eyes of China’s Cyber Offense
I’ve seen a lot of botnets come and go. Most are dumb. Loud. DDoS factories. JDY? It’s quiet. Surgical. And terrifying.
It doesn’t crash your network. It doesn’t encrypt your files. It doesn’t even ask for ransom. It just… watches. And learns. And maps.
And now, after years of being quietly ignored as just another IoT botnet, JDY has evolved into something far more dangerous: the reconnaissance backbone of China’s most sophisticated cyber operations. This isn’t just another threat actor. This is the quiet hand that’s been drawing the target list for Volt Typhoon and others for the last two years.
I’ve been tracking this since early 2024, when the KV-botnet takedown made headlines. Everyone thought it was over. I thought it was over. But JDY? It didn’t die. It just changed its skin.
The Botnet That Outlived Its Own Takedown
Let me be clear: JDY isn’t some rogue script kiddie outfit. It’s a state-backed, precision tool. And it’s not even the most advanced malware in the Chinese arsenal. But it’s the one that’s still standing after the U.S. government took down its bigger cousin, KV-botnet.
In January 2024, JDY had around 650 compromised devices. Today? Over 1,500. And not just routers—this thing’s got Hikvision cameras, DrayTek firewalls, Linksys gateways, even Mimosa wireless bridges. The diversity is the point. It’s not about volume. It’s about cover.
Think about it: if you’re trying to scan U.S. military networks, you don’t want to come from a single IP address. You don’t want to come from a data center. You want to come from a thousand different homes in Texas, a hundred coffee shops in Florida, a dozen garages in Ohio. That’s JDY. It’s not a botnet. It’s a distributed sensor array.
And here’s what makes it scary: it doesn’t waste time. When Fortinet disclosed CVE-2026-35616, JDY was scanning for it within hours. Not days. Hours. That’s not luck. That’s integration. Someone in Beijing got the CVE alert, fed it into a pipeline, and JDY’s scanning rules updated automatically. That’s not malware. That’s an intelligence feed.
The Architecture of a Silent Hunter
JDY’s code is elegant. Brutally so.
The dropper? A shell script. No fancy obfuscation. Just enough to detect the CPU architecture (mips, mipsel, mips64) and fetch the matching binary. It checks whether it's already running, deletes itself after execution, and vanishes. No persistence: nothing written to flash, nothing that survives a reboot, just a process in memory. That cuts both ways. A reboot clears it, but a device that stays unpatched and exposed can simply be reinfected.
The payload? A scanning engine that doesn’t even need root. But if it gets root? That’s when it gets dangerous.
With root, JDY uses raw TCP sockets to SYN-scan. Fast. Quiet. It crafts its own packets with a fixed source port, 19000, and fires off thousands of probes in seconds. Each target sees a single SYN, which looks like any failed connection attempt, and nobody is inspecting what the break-room router sends out, so it rarely shows up in anyone's IDS logs. But it is a scan, and the fixed source port is its fingerprint: a normal TCP stack rotates ephemeral source ports for every connection. A device sending thousands of SYNs from port 19000 to thousands of hosts is telling you what it is.
It doesn't exploit. It doesn't pivot. It doesn't exfiltrate anything from the host it sits on. It just collects: banners, TLS certificates, open ports, service versions. It compresses the results and sends them back over Tor to a hidden .onion endpoint. There's no C2 IP or hostname to put on a blocklist; all you see leaving the device is Tor traffic. Which is its own tell. A camera or a firewall has no legitimate reason to talk to Tor.
And it’s not random. It’s targeted. The majority of compromised devices are in the U.S. And the targets? Military networks. Contractors. Research labs. The same ones CISA warned about last year.
Why This Isn’t Just Another IoT Problem
I get it. You’ve heard this before. “Oh, it’s just IoT devices.” Like it’s some dumb router you forgot to patch.
But JDY isn’t exploiting weak passwords. It’s exploiting neglect. It’s exploiting the fact that a university lab still has a DrayTek firewall from 2018 exposed to the internet. That it’s still running firmware that was end-of-life in 2021. That nobody’s auditing the edge.
And that’s the problem. We treat SOHO and IoT devices like they’re disposable. Like they’re not part of our network. But JDY doesn’t care. It sees them as access points. And with 1,500 of them, it’s got a global mesh of eyes.
The networks JDY ultimately cares about are hardened at the perimeter. Their contractors, vendors and suppliers are not, and those are the networks that 1,500 compromised devices are mapping.
The Real Threat: Reconnaissance as a Service
This isn’t about malware anymore. It’s about reconnaissance as a service.
JDY doesn’t need to breach a firewall. It just needs to know where the firewall is, what’s behind it, and what’s vulnerable. Then it hands that data off to someone else. Someone with a zero-day. Someone with a custom payload. Someone who doesn’t care about scanning—they care about the result.
This is how modern cyber warfare works. Not brute force. Not ransomware. Not even espionage. It’s preparation. And JDY is the most efficient prep tool we’ve seen.
Lumen’s Black Lotus Labs says it best: “JDY demonstrates how IoT/SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation.”
It’s not just “used.” It’s optimized. The botnet is a feedback loop. Scan. Report. Exploit. Repeat. And it’s getting faster.
What You Can Actually Do About It
Look. I’m not here to sell you a $200,000 SIEM. I’m here to tell you what works.
- Stop treating edge devices as disposable. If it's connected to your network, it's part of your attack surface. Even if it's a Hikvision camera in the parking lot. Even if it's a Linksys router in the break room.
- Disable every remote management interface you don't use. Seriously. If you don't need to reach it from the internet, turn it off. And if you do? Put it behind a VPN. Not port forwarding. Not UPnP. A VPN.
- Replace default credentials. Every. Single. One. This isn't 2012. We know how to do this. Automate it. Use a tool. Script it. Hire someone. But don't ignore it.
- Monitor outbound scanning from your own network. If a device in your office starts hammering hundreds of unrelated IPs on port 80 or 443 with SYN packets, that's not normal, whether it's JDY or something else. One device fanning out to many external hosts, especially from a single constant source port, is the signature. Alert on it. Block it. Investigate.
- Patch like your life depends on it. Because it does. JDY is faster than your patch cycle. If you're not patching critical CVEs on edge devices within 72 hours, you're already behind. And if the device is past end-of-life and no patch is coming, the patch is replacing it.
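The outbound-scan monitoring from the fourth point above, combined with the fixed-source-port fingerprint from the architecture section, as an added example that is not from the article or from Black Lotus Labs: a small Python hunt that replays constructed flow-log lines and flags any internal host whose outbound SYNs fan out to many external addresses within a short window, or all share one source port. The line format, the RFC 1918 "inside" ranges and the thresholds (20 hosts per minute for fan-out, 5 hosts for the constant-port rule) are assumptions made for the example; 19000 is the port the article attributes to JDY.

```python
"""Hunt for outbound SYN fan-out from inside the network.

Two signals: a single internal device sending SYNs to many distinct external
hosts in a short window, and a constant (non-rotating) source port across
those SYNs. The line format parsed here is a constructed flow-log style for
this example, not any vendor's real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for the example: RFC 1918 ranges count as "inside"; thresholds
# are starting points to tune against your own traffic baseline.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 20          # distinct external hosts per window
MIN_FIXED_PORT_HOSTS = 5       # distinct hosts before a constant source port is suspicious
JDY_FIXED_SPORT = 19000        # the fixed source port the article attributes to JDY


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_line(line: str) -> dict:
    """Parse '2024-05-01T12:00:00 SYN 10.0.5.7:19000 -> 203.0.113.10:443' (constructed format)."""
    ts, flag, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "flag": flag,
            "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport)}


def detect(lines, fanout=FANOUT_THRESHOLD, min_fixed=MIN_FIXED_PORT_HOSTS, window=WINDOW):
    """Return one alert per internal source that trips either rule.

    Only outbound SYNs (internal src, external dst) are considered; replies,
    inbound scans and internal-to-internal traffic are left to other rules.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    recent = defaultdict(list)   # sip -> SYN events still inside the sliding window
    alerts = {}
    for e in events:
        if e["flag"] != "SYN" or not is_internal(e["sip"]) or is_internal(e["dip"]):
            continue
        buf = recent[e["sip"]]
        buf.append(e)
        while e["ts"] - buf[0]["ts"] > window:   # expire events older than the window
            buf.pop(0)
        dsts = {x["dip"] for x in buf}
        sports = {x["sport"] for x in buf}
        reasons = []
        if len(dsts) >= fanout:
            reasons.append(f"{len(dsts)} distinct external hosts within {int(window.total_seconds())}s")
        if len(sports) == 1 and len(dsts) >= min_fixed:
            port = next(iter(sports))
            tag = " (matches the port reported for JDY)" if port == JDY_FIXED_SPORT else ""
            reasons.append(f"constant source port {port} across {len(dsts)} hosts{tag}")
        if reasons:
            # later SYNs overwrite earlier alerts, so each alert reflects the window
            # state at the last triggering SYN from that source
            alerts[e["sip"]] = {"sip": e["sip"], "distinct_dsts": len(dsts),
                                "fixed_sport": next(iter(sports)) if len(sports) == 1 else None,
                                "reasons": reasons}
    return list(alerts.values())


def _constructed_sample():
    """Constructed log lines for the example; not captured traffic."""
    base = datetime(2024, 5, 1, 12, 0, 0)
    lines = []
    # 1) a compromised edge device: 25 SYNs from fixed port 19000 to 25 hosts in 25 seconds
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} SYN 10.0.5.7:19000 -> 203.0.113.{10 + i}:443")
    # 2) normal browsing: rotating ephemeral ports, three destinations
    for i, (port, dst) in enumerate([(51002, "198.51.100.20"), (51003, "198.51.100.20"),
                                     (51010, "198.51.100.40"), (51021, "198.51.100.77")]):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} SYN 10.0.5.8:{port} -> {dst}:443")
    # 3) modest fan-out but a constant source port: still worth a look
    for i in range(8):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} SYN 10.0.5.9:40000 -> 192.0.2.{i + 1}:80")
    # 4) an inbound SYN and an outbound ACK: ignored by these rules
    lines.append(f"{base.isoformat()} SYN 203.0.113.99:4444 -> 10.0.5.7:22")
    lines.append(f"{base.isoformat()} ACK 10.0.5.7:19000 -> 203.0.113.10:443")
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["sip"], "|", "; ".join(alert["reasons"]))
```

On the constructed sample, the device on 10.0.5.7 trips both rules (25 hosts in under a minute, all from port 19000), the host on 10.0.5.9 trips only the constant-port rule, and the browsing client on 10.0.5.8 stays quiet. The sliding window is the part to tune: a short window with a low host count catches a fast scanner like the one described above, while a slow, randomized scanner needs a longer window and a per-day distinct-destination count instead.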
The Bigger Picture
We keep thinking in terms of breaches. In terms of data theft. In terms of ransomware.
But JDY shows us the future. The future isn’t about breaking in. It’s about knowing where to break in.
China isn't trying to hack the Pentagon tomorrow. They're mapping it. Right now. With 1,500 compromised routers, cameras and firewalls. And they're not even trying to hide it.
Because they don’t have to.
We’re the ones who left the door open.
And JDY? It’s just the first one to walk through.