China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation
By Tushar Subhra Dutta
June 11, 2026
A China-linked network of compromised routers and smart devices has grown into one of the most capable reconnaissance tools tied to a nation-state threat group.
Researchers have identified a major resurgence of a botnet known as JDY, which now controls more than 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices spread across the United States, Europe, and Asia.
The botnet is designed not to attack targets directly, but to scan the internet for vulnerable systems and pass that intelligence to hacker groups tied to China.
The JDY botnet traces its origins to late 2023, when it was first uncovered as part of a larger operation called KV-botnet, a covert network used by China-backed groups, most notably Volt Typhoon, to spy on U.S. critical infrastructure.
At its lowest point in January 2024, JDY had around 650 active bots. Since then, it has more than doubled in size, quietly rebuilding after U.S. government efforts dismantled its companion network, the KV cluster.
Analysts from Lumen’s Black Lotus Labs tracked the botnet’s evolution and found it had not only grown but also become more dangerous.
According to a report shared with Cyber Security News (CSN), Lumen said the JDY botnet now targets a far wider range of devices from manufacturers including Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks.
What makes JDY particularly alarming is the speed at which it acts on new intelligence. When a vulnerability is publicly disclosed, operators shift scanning almost immediately.
Researchers observed a spike in scans targeting Fortinet devices within hours of the disclosure of CVE-2026-35616, showing that the botnet helps threat actors find vulnerable systems before defenders apply patches.
The botnet’s primary victims are overwhelmingly U.S.-based, and scanning is focused on networks associated with U.S. military entities.
Since infected devices are ordinary home and small business routers, their traffic blends in with normal internet activity, making detection harder for traditional security tools.
China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices
The JDY botnet works through a tightly organized system that keeps operators hidden while bots stay active.
Infected devices receive scanning tasks from a command-and-control server communicating via hidden Tor nodes, making it nearly impossible to trace back to operators.
Bots perform multiprotocol scans across TCP, UDP, SSL, and ICMP channels, then send compressed, encrypted results back to the central server.
The malware runs on Linux-based systems built for MIPS and MIPSEL processor architectures, the types most common in home routers and edge network devices.
A lightweight bash dropper handles infection: it detects the device’s processor type, downloads the matching payload, executes it, and deletes the file from disk.
Some devices are also managed through Platypus, an open-source remote shell tool, with the payload server at 149.248.3[.]38 hosting a Platypus instance on port 13339.
By spreading scanning across thousands of devices with different IP addresses, the botnet easily sidesteps traditional defenses like blocklists and geofencing.
Network overview of JDY botnet (Source – Lumen)
Each device carries only a small share of the scanning load, so no single IP triggers enough alarms to get blocked. The network overview above shows how JDY distributes scanning across residential and small enterprise IP space.
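The evasion described above is a detection problem as much as a blocking one: a per-source port-scan rule never fires when each bot touches only a couple of ports. The following added example (not part of the Lumen report or the article) contrasts a classic per-source threshold with an aggregate per-target rule over constructed flow records; the addresses, thresholds and window size are assumptions chosen for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed sample (RFC 5737 documentation addresses, not real bots): six
# sources each probe two ports of one target within a minute, plus one benign flow.
_BOT_PROBES = [
    ("198.51.100.1", 22), ("198.51.100.1", 23),
    ("198.51.100.2", 80), ("198.51.100.2", 443),
    ("198.51.100.3", 8080), ("198.51.100.3", 8443),
    ("198.51.100.4", 161), ("198.51.100.4", 162),
    ("198.51.100.5", 2000), ("198.51.100.5", 2001),
    ("198.51.100.6", 5000), ("198.51.100.6", 5001),
]
SAMPLE_FLOWS = [
    Flow(1_700_000_000 + i * 5, src, "203.0.113.10", port)
    for i, (src, port) in enumerate(_BOT_PROBES)
] + [Flow(1_700_000_030, "198.51.100.99", "203.0.113.20", 443)]


def per_source_alerts(flows, threshold=10):
    """Classic rule: alert when one source touches >= threshold distinct (host, port) pairs."""
    touched = defaultdict(set)
    for f in flows:
        touched[f.src_ip].add((f.dst_ip, f.dst_port))
    return sorted(src for src, pairs in touched.items() if len(pairs) >= threshold)


def per_target_alerts(flows, window=300, min_sources=4, min_ports=8):
    """Aggregate rule: alert when one target is probed on many ports by many distinct
    sources inside the same time bucket, even though every single source stays quiet."""
    buckets = defaultdict(lambda: (set(), set()))  # (dst_ip, bucket) -> (sources, ports)
    for f in flows:
        srcs, ports = buckets[(f.dst_ip, f.ts // window)]
        srcs.add(f.src_ip)
        ports.add(f.dst_port)
    return {
        dst: (len(srcs), len(ports))
        for (dst, _), (srcs, ports) in buckets.items()
        if len(srcs) >= min_sources and len(ports) >= min_ports
    }
```

On the sample, the per-source rule returns nothing while the per-target rule flags 203.0.113.10 as probed on 12 ports by 6 sources; the benign single flow to 203.0.113.20 stays below both thresholds.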
Defending Against Covert Scanning Networks
Black Lotus Labs researchers emphasize that disrupting parts of a botnet is not enough. When the KV cluster was taken down, JDY kept operating and expanded.
The capability adapts, rebuilds, and keeps feeding intelligence to threat actors, often within hours of a new vulnerability becoming public.
Security teams are advised to implement guidance from CISA and the UK National Cyber Security Centre for mitigating Volt Typhoon activity and defending against China-linked covert networks.
Organizations should also consider adopting Secure Access Service Edge solutions to shrink their internet-facing exposure. For routers, firewalls, and IoT devices, the steps are clear: reboot regularly, apply patches quickly, and stay current with updates.
Relying on IP reputation checks or static blocklists alone is no longer enough when an adversary controls thousands of legitimate-looking addresses.
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP Address | 149.248.3[.]38 | JDY botnet payload server hosting Platypus remote shell on port 13339 |
| Port | 13339 | Default port used by Platypus server to download agents (Termite clients) to target endpoints |
| AES Key | 0000000000000000bdb718bdf47cbcde | Hardcoded AES decryption key used by JDY malware to decrypt C2 tasking responses |
| Malware Version | 1.8.3.9 | Hardcoded version string found in analyzed JDY malware samples |
| Process Name | auditdy | Variable process name used by JDY dropper to check for existing infections |
| File Path | /etc/ or /tmp/ | Directories where JDY payload is written before execution and then deleted |
| Architecture | mips, mips64, mipsel, mipsel64 | Target processor architectures for JDY malware payloads |
| CVE | CVE-2026-35616 | Fortinet vulnerability exploited within hours of public disclosure by JDY operators |
| Network Path | /dispatch_service/v2/probe_status | C2 endpoint used for initial check-in beacon via HTTPS POST |
| Network Path | /data/v2/pscan | C2 endpoint used to deliver compressed scan results with filename attr.json |
| ICMP Identifier | 19037 | Hardcoded ICMP packet identifier used in UDP/ICMP scanning for port 80 targets |
| Source Port | 19000 | Fixed source port used in high-speed SYN scanning mode |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
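Putting the network indicators above to use means refanging them inside the detection tooling and matching them exactly against egress records. The following added example (not from the article or from Lumen) does that over constructed proxy log lines; the log format, the internal 10.0.0.x addresses and the second-hop hosts are assumptions, while the payload server, Platypus port and C2 paths come from the table.

```python
import re

# IoCs exactly as published (defanged); refanged only for comparison with log fields.
DEFANGED_PAYLOAD_SERVER = "149.248.3[.]38"
PLATYPUS_PORT = 13339
C2_PATHS = {
    "/dispatch_service/v2/probe_status": "JDY check-in beacon",
    "/data/v2/pscan": "JDY scan-result upload",
}


def refang(indicator: str) -> str:
    """Undo common defanging ([.] and hxxp) so an indicator matches raw log fields."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed egress log in an assumed format: "src dst:port method path".
# The last line is a near-miss that a substring match would wrongly flag.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.50:443 GET /index.html
10.0.0.7 198.51.100.20:443 POST /dispatch_service/v2/probe_status
10.0.0.7 149.248.3.38:13339 GET /
10.0.0.9 198.51.100.21:443 POST /data/v2/pscan
10.0.0.5 203.0.113.51:443 GET /data/v2/pscan-results/help
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")


def match_iocs(log_text: str):
    """Return (internal_host, reason) pairs for lines that hit a published indicator."""
    hits = []
    server = refang(DEFANGED_PAYLOAD_SERVER)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst, port, _method, path = m.groups()
        if dst == server and int(port) == PLATYPUS_PORT:
            hits.append((src, "contact with JDY payload server on Platypus port"))
        if path in C2_PATHS:  # exact path match; substring matching would hit the decoy line
            hits.append((src, C2_PATHS[path]))
    return hits
```

Internal hosts 10.0.0.7 and 10.0.0.9 are flagged; the "/data/v2/pscan-results/help" request is not, because the path comparison is exact.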