CyberIntel ⬡ News
Industry News & Leadership · Jun 11, 2026

China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation

Source: Cybersecurity News · Archived Jun 11, 2026



By Tushar Subhra Dutta, June 11, 2026

A China-linked network of compromised routers and smart devices has grown into one of the most capable reconnaissance tools tied to a nation-state threat group. Researchers have identified a major resurgence of a botnet known as JDY, which now controls more than 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices spread across the United States, Europe, and Asia. The botnet is designed not to attack targets directly, but to scan the internet for vulnerable systems and pass that intelligence to hacker groups tied to China.

The JDY botnet traces its origins to late 2023, when it was first uncovered as part of a larger operation called KV-botnet, a covert network used by China-backed groups, most notably Volt Typhoon, to spy on U.S. critical infrastructure. At its lowest point in January 2024, JDY had around 650 active bots. Since then it has more than doubled in size, quietly rebuilding after U.S. government efforts dismantled its companion network, the KV cluster.

Analysts from Lumen's Black Lotus Labs tracked the botnet's evolution and found it had not only grown but also become more dangerous. According to a report shared with Cyber Security News (CSN), Lumen said the JDY botnet now targets a far wider range of devices, from manufacturers including Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks.

What makes JDY particularly alarming is the speed at which it acts on new intelligence. When a vulnerability is publicly disclosed, operators shift scanning almost immediately. Researchers observed a spike in scans targeting Fortinet devices within hours of the disclosure of CVE-2026-35616, showing that the botnet helps threat actors find vulnerable systems before defenders apply patches.
The botnet's primary victims are overwhelmingly U.S.-based, and scanning is focused on networks associated with U.S. military entities. Since infected devices are ordinary home and small business routers, their traffic blends in with normal internet activity, making detection harder for traditional security tools.

China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices

The JDY botnet works through a tightly organized system that keeps operators hidden while bots stay active. Infected devices receive scanning tasks from a command-and-control (C2) server that communicates via hidden Tor nodes, making it nearly impossible to trace activity back to the operators. Bots perform multiprotocol scans over TCP, UDP, SSL/TLS, and ICMP, then send compressed, encrypted results back to the central server.

The malware runs on Linux-based systems built for MIPS and MIPSEL processor architectures, the types most common in home routers and edge network devices. A lightweight bash dropper handles infection: it detects the device's processor architecture, downloads the matching payload, executes it, and deletes the file from disk. Some devices are also managed through Platypus, an open-source remote shell tool, with the payload server at 149.248.3[.]38 hosting a Platypus instance on port 13339.

By spreading scanning across more than 1,500 devices with different IP addresses, the botnet easily sidesteps traditional defenses like blocklists and geofencing. Each device carries only a small share of the scanning load, so no single IP triggers enough alarms to get blocked.

[Figure: Network overview of the JDY botnet, showing how JDY distributes scanning across residential and small enterprise IP space (Source: Lumen)]

Defending Against Covert Scanning Networks

Black Lotus Labs researchers emphasize that disrupting parts of a botnet is not enough. When the KV cluster was taken down, JDY kept operating and expanded.
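The load-spreading described above (each bot carrying only a small share of the scan, so per-address thresholds never trip) argues for detecting the sweep from the target's side rather than from the source's. The following is an added example, not code from the article or from Lumen's report: it runs a conventional per-source threshold detector and a target-centric windowed detector over the same constructed traffic and shows that only the second one fires. The Flow record layout, the thresholds, and the campaign generator are assumptions chosen for illustration.

```python
"""Target-centric detection of a load-spread scanning botnet.

Added example (not from the article or Lumen). The Flow record layout,
the thresholds and the constructed campaign below are assumptions made
for illustration; map them onto your own NetFlow or Zeek conn fields.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: int      # unix seconds (constructed)
    src: str     # scanning bot address
    dst: str     # host in our address space
    dport: int   # probed port


def per_source_alerts(flows: Iterable[Flow], max_targets: int = 20) -> list[str]:
    """Conventional detector: alert on any single source that probes more
    than max_targets distinct (host, port) pairs. A botnet that spreads
    its work thinly stays under this bar on every address it controls."""
    touched: dict[str, set] = defaultdict(set)
    for f in flows:
        touched[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in touched.items() if len(t) > max_targets)


def distributed_scan_alerts(flows: Iterable[Flow], window: int = 600,
                            min_sources: int = 25, min_targets: int = 50) -> list[dict]:
    """Target-centric detector: bucket flows into fixed time windows and
    count distinct sources and distinct (host, port) targets across the
    whole window, regardless of which source sent each probe. A crowd of
    low-rate sources that collectively sweeps our space is flagged even
    though no single address would be worth blocklisting."""
    buckets: dict[int, list[Flow]] = defaultdict(list)
    for f in flows:
        buckets[f.ts // window].append(f)
    alerts = []
    for b, fs in sorted(buckets.items()):
        per_src: dict[str, set] = defaultdict(set)
        for f in fs:
            per_src[f.src].add((f.dst, f.dport))
        targets = {(f.dst, f.dport) for f in fs}
        if len(per_src) >= min_sources and len(targets) >= min_targets:
            alerts.append({
                "window_start": b * window,
                "sources": len(per_src),
                "targets": len(targets),
                # how little each bot did: the reason per-IP rules stay quiet
                "max_per_source": max(len(t) for t in per_src.values()),
            })
    return alerts


def constructed_campaign(n_bots: int = 40, base_ts: int = 1_700_000_400) -> list[Flow]:
    """Constructed traffic: n_bots distinct addresses each probe ports 80 and
    443 on one host of 203.0.113.0/24 inside a ten-minute window, plus one
    legitimate client. Every bot touches only two targets."""
    flows = []
    for i in range(n_bots):
        bot = f"198.51.100.{i + 1}"
        host = f"203.0.113.{i + 1}"
        for port in (80, 443):
            flows.append(Flow(base_ts + i * 10, bot, host, port))
    flows.append(Flow(base_ts + 5, "192.0.2.9", "203.0.113.1", 443))
    return flows


if __name__ == "__main__":
    traffic = constructed_campaign()
    print("per-source alerts:", per_source_alerts(traffic))
    print("distributed-scan alerts:", distributed_scan_alerts(traffic))
```

The window here is a fixed bucket for brevity; a production rule would use a sliding window and key on destination prefix so that one sweep across several of your ranges is not split into sub-threshold pieces.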
The capability adapts, rebuilds, and keeps feeding intelligence to threat actors, often within hours of a new vulnerability becoming public.

Security teams are advised to implement guidance from CISA and the UK National Cyber Security Centre (NCSC) for mitigating Volt Typhoon activity and defending against China-linked covert networks. Organizations should also consider adopting Secure Access Service Edge (SASE) solutions to shrink their internet-facing exposure. For routers, firewalls, and IoT devices the steps are clear: reboot regularly, apply patches quickly, and stay current with firmware updates. Relying on IP reputation checks or static blocklists alone is no longer enough when an adversary controls more than a thousand legitimate-looking addresses.

Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 149.248.3[.]38 | JDY botnet payload server hosting a Platypus remote shell on port 13339
Port | 13339 | Default port used by the Platypus server to deliver agents (Termite clients) to target endpoints
AES Key | 0000000000000000bdb718bdf47cbcde | Hardcoded AES key used by the JDY malware to decrypt C2 tasking responses
Malware Version | 1.8.3.9 | Hardcoded version string found in analyzed JDY malware samples
Process Name | auditdy | Process name (variable across samples) used by the JDY dropper to check for an existing infection
File Path | /etc/ or /tmp/ | Directories where the JDY payload is written before execution and then deleted
Architecture | mips, mips64, mipsel, mipsel64 | Processor architectures targeted by JDY malware payloads
CVE | CVE-2026-35616 | Fortinet vulnerability; JDY scanning for it spiked within hours of public disclosure
Network Path | /dispatch_service/v2/probe_status | C2 endpoint used for the initial check-in beacon (HTTPS POST)
Network Path | /data/v2/pscan | C2 endpoint used to upload compressed scan results (filename attr.json)
ICMP Identifier | 19037 | Hardcoded ICMP packet identifier used in UDP/ICMP scanning for port 80 targets
Source Port | 19000 | Fixed source port used in high-speed SYN scanning mode

Note:
IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
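The indicators in the table above, put to work as an added example (this is not code from the article, from Cyber Security News or from Lumen): a small matcher that keeps the published indicators defanged in the source and re-fangs them only at match time, as the note recommends, checks constructed flow, HTTP and process records against the network and host IoCs, and searches a byte buffer for the hardcoded AES key and version string. The key=value record format, the sample records and the sample binary fragment are assumptions constructed for the example; the indicator values are the ones in the table.

```python
"""Match the published JDY indicators against log records and binaries.

Added example, not code from the article or from Lumen. The records are
a constructed 'key=value' format; substitute your sensor's parser. The
indicator values are copied from the IoC table above and stay defanged
here so the script is safe to paste around; refang() is applied only at
match time.
"""
import re

# Indicators as published (defanged where applicable).
JDY_C2_IP = "149.248.3[.]38"
JDY_PLATYPUS_PORT = 13339
JDY_C2_PATHS = ("/dispatch_service/v2/probe_status", "/data/v2/pscan")
JDY_SYN_SRC_PORT = 19000          # fixed source port in high-speed SYN scan mode
JDY_ICMP_ID = 19037               # hardcoded ICMP identifier in UDP/ICMP scans
JDY_PROCESS_NAME = "auditdy"      # listed as variable across samples: weak signal
JDY_AES_KEY_HEX = "0000000000000000bdb718bdf47cbcde"
JDY_VERSION = b"1.8.3.9"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form, e.g. '1[.]2' -> '1.2'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_record(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict; purely numeric values become ints."""
    return {k: (int(v) if v.isdigit() else v)
            for k, v in re.findall(r"(\w+)=(\S+)", line)}


def match_jdy(line: str) -> list[str]:
    """Return the names of every JDY indicator one record matches."""
    rec = parse_record(line)
    hits = []
    if rec.get("dst") == refang(JDY_C2_IP):
        hits.append("c2_ip")
        if rec.get("dport") == JDY_PLATYPUS_PORT:
            hits.append("platypus_port")
    if rec.get("proto") == "tcp" and rec.get("flags") == "S" and rec.get("sport") == JDY_SYN_SRC_PORT:
        hits.append("syn_scan_sport")
    if rec.get("proto") == "icmp" and rec.get("icmp_id") == JDY_ICMP_ID:
        hits.append("icmp_id")
    if rec.get("method") == "POST" and rec.get("path") in JDY_C2_PATHS:
        hits.append("c2_path")
    # dropper writes to /etc/ or /tmp/, executes, then deletes; an exec from
    # there under the known name is worth a look even though the name varies
    if rec.get("comm") == JDY_PROCESS_NAME and str(rec.get("exe", "")).startswith(("/tmp/", "/etc/")):
        hits.append("dropper_process")
    return hits


def scan_records(lines) -> list[tuple[int, list[str]]]:
    """Run match_jdy over many records; return (line number, hits) for matches only."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := match_jdy(line))]


def scan_binary(blob: bytes) -> list[str]:
    """Look for the hardcoded AES-128 key and version string inside a
    payload or memory dump; the key is 16 raw bytes, not ASCII hex."""
    found = []
    if bytes.fromhex(JDY_AES_KEY_HEX) in blob:
        found.append("aes_key")
    if JDY_VERSION in blob:
        found.append("version_string")
    return found


# Constructed sample records (not real traffic). Line 1 is benign.
SAMPLE_RECORDS = """\
proto=tcp src=10.0.0.7 sport=51234 dst=93.184.216.34 dport=443 flags=S
proto=tcp src=192.168.1.1 sport=40022 dst=149.248.3.38 dport=13339 flags=S
proto=tcp src=192.168.1.1 sport=19000 dst=203.0.113.25 dport=22 flags=S
proto=icmp src=192.168.1.1 dst=203.0.113.26 icmp_id=19037 type=8
proto=tcp src=192.168.1.1 sport=43110 dst=198.51.100.9 dport=443 method=POST path=/data/v2/pscan
event=exec comm=auditdy exe=/tmp/auditdy ppid=1
""".splitlines()

# Constructed binary fragment containing the key and the version string.
SAMPLE_BLOB = b"\x7fELF" + bytes.fromhex(JDY_AES_KEY_HEX) + b"\x00" + JDY_VERSION + b"\x00"

if __name__ == "__main__":
    for lineno, hits in scan_records(SAMPLE_RECORDS):
        print(f"line {lineno}: {', '.join(hits)}")
    print("binary:", scan_binary(SAMPLE_BLOB))
```

Treat the C2 path and process-name matches as lower-confidence than the address, port, source-port and ICMP-identifier matches: a POST to /data/v2/pscan on an unrelated host, or a process that merely shares the name, needs corroboration before it is actioned.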