JDY Botnet Expands Reconnaissance Operations Targeting U.S. Infrastructure
The JDY botnet has scaled its operations to over 1,500 compromised small office/home office (SOHO) and internet-of-things (IoT) devices, shifting its focus toward reconnaissance against U.S. military and critical infrastructure. According to research from Black Lotus Labs, the network—previously linked to China-nexus threat actors like Volt Typhoon—now functions as a distributed scanning framework designed to identify and fingerprint vulnerabilities for rapid exploitation.
What is the JDY botnet?
JDY operates as a specialized reconnaissance tool rather than a traditional malware swarm. Instead of launching distributed denial-of-service (DDoS) attacks, the botnet performs service discovery, TLS certificate harvesting, and protocol fingerprinting. By maintaining a network of compromised edge devices, operators can scan for newly disclosed vulnerabilities across the internet with high speed. Black Lotus Labs reports that the botnet tracks MIPS and ARM-based architectures, impacting hardware from vendors including Cisco, Ubiquiti, DrayTek, and Hikvision.

How does JDY exploit vulnerabilities?
The botnet is engineered to operationalize intelligence shortly after vulnerability disclosures. Researchers observed the network targeting CVE-2026-35616, a critical flaw in Fortinet’s FortiClient EMS, almost immediately after public reporting. The botnet uses a centralized “Dispatch Service” to assign scanning tasks to compromised nodes. When these nodes possess administrative or root privileges, they execute stealthy, high-speed SYN scans using custom-crafted TCP packets with a fixed source port of 19000.
Comparison of Reconnaissance Tactics
| Feature | Traditional Botnet | JDY Reconnaissance Network |
|---|---|---|
| Primary Goal | DDoS or Payload Delivery | Scanning & Fingerprinting |
| Command & Control | Varies | Hidden Tor Services |
| Operational Speed | Massive Volume | Rapid Post-Disclosure Targeting |
Why the U.S. military is a priority
Black Lotus Labs identifies U.S. military and associated entities as primary targets for JDY’s reconnaissance output. This aligns with long-standing warnings from the Cybersecurity and Infrastructure Security Agency (CISA) regarding the activities of Volt Typhoon. CISA has repeatedly cautioned that state-sponsored actors prioritize the compromise of SOHO routers to gain a foothold in domestic networks, effectively using these devices as a proxy to mask malicious traffic and bypass traditional perimeter defenses.

How to secure edge devices
Network administrators should take immediate steps to reduce their external attack surface and prevent their hardware from being recruited into the JDY network. Security teams should:
- Patch promptly: Apply firmware updates for all routers, firewalls, and IoT devices to address known vulnerabilities.
- Restrict access: Disable internet-exposed administrative interfaces and limit remote management to trusted IP addresses.
- Audit credentials: Replace default usernames and passwords with unique, complex credentials.
- Monitor traffic: Watch for unusual outbound scanning activity or unexpected connections originating from edge hardware.
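The last bullet is the one a SOC can act on directly, and the scanning behaviour described earlier in the article (SYN-only probes to many external hosts, all stamped with one fixed source port, 19000 in the reported case) gives it a concrete shape. The following is an added example written for this page, not code from Black Lotus Labs or from the article: a small heuristic detector over NetFlow-style flow records that flags a local edge device sending half-open SYN flows to many distinct external targets while reusing a single source port. It goes slightly beyond the specific case in the text by flagging any fixed source port rather than hard-coding 19000, since a fixed value is the cheapest thing for an operator to change. The line format, the `192.0.2.` local prefix, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""Heuristic detector for outbound SYN scanning from edge devices.

Added example, not code from Black Lotus Labs or from the article. It reads
NetFlow-style flow records (the line format and the sample lines below are
constructed for this example) and flags a local source that sends SYN-only
flows to many external targets while reusing one fixed source port, the
pattern the article attributes to JDY scanning nodes.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str    # union of TCP flags seen in the flow; "S" = SYN only (half-open)
    packets: int


# Constructed flow log (assumed format: "ts src:port -> dst:port FLAGS PKTS").
# 192.0.2.10 is an edge router behaving like a scanning node; 192.0.2.20 is an
# ordinary client using ephemeral source ports with completed handshakes
# ("SPA" = SYN, PSH and ACK all observed) plus one failed connection attempt.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 192.0.2.10:19000 -> 198.51.100.1:443 S 1
2026-05-01T10:00:01Z 192.0.2.10:19000 -> 198.51.100.2:443 S 1
2026-05-01T10:00:01Z 192.0.2.10:19000 -> 198.51.100.3:22 S 1
2026-05-01T10:00:01Z 192.0.2.10:19000 -> 198.51.100.4:443 S 1
2026-05-01T10:00:02Z 192.0.2.10:19000 -> 198.51.100.5:8443 S 1
2026-05-01T10:00:02Z 192.0.2.10:19000 -> 203.0.113.1:443 S 1
2026-05-01T10:00:02Z 192.0.2.10:19000 -> 203.0.113.2:22 S 1
2026-05-01T10:00:02Z 192.0.2.10:19000 -> 203.0.113.3:443 S 1
2026-05-01T10:00:03Z 192.0.2.10:19000 -> 203.0.113.4:8443 S 1
2026-05-01T10:00:03Z 192.0.2.10:19000 -> 203.0.113.5:443 S 1
2026-05-01T10:00:05Z 192.0.2.20:51234 -> 198.51.100.1:443 SPA 42
2026-05-01T10:00:06Z 192.0.2.20:51235 -> 198.51.100.7:443 SPA 17
2026-05-01T10:00:07Z 192.0.2.20:51240 -> 203.0.113.9:443 SPA 88
2026-05-01T10:00:08Z 192.0.2.20:51241 -> 203.0.113.9:80 S 3
2026-05-01T10:00:09Z 192.0.2.20:51242 -> 192.0.2.1:53 SPA 2
"""


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow record."""
    _ts, src, _arrow, dst, flags, pkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), flags, int(pkts))


def find_scanners(flows, local_prefix="192.0.2.", min_targets=8, fixed_port_ratio=0.9):
    """Return {src_ip: finding} for local hosts whose outbound flows look like SYN scans.

    A host is flagged when it has SYN-only (half-open) flows to at least
    min_targets distinct external (ip, port) pairs and at least fixed_port_ratio
    of those flows share one source port. Thresholds are assumptions for the
    example; tune them to the network's normal behaviour.
    """
    outbound = defaultdict(list)
    for f in flows:
        if f.src_ip.startswith(local_prefix) and not f.dst_ip.startswith(local_prefix):
            outbound[f.src_ip].append(f)

    findings = {}
    for src, fs in outbound.items():
        half_open = [f for f in fs if f.flags == "S"]   # SYN sent, handshake never completed
        targets = {(f.dst_ip, f.dst_port) for f in half_open}
        if len(targets) < min_targets:
            continue
        # Ephemeral source ports vary per connection; a scanner stamping a fixed
        # source port (19000 in the reported JDY case) produces a ratio near 1.0.
        port, hits = Counter(f.src_port for f in half_open).most_common(1)[0]
        ratio = hits / len(half_open)
        if ratio >= fixed_port_ratio:
            findings[src] = {"targets": len(targets), "fixed_src_port": port,
                             "ratio": round(ratio, 2)}
    return findings


def scan_sample_log():
    """Run the detector over the constructed sample log."""
    flows = [parse_flow_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_scanners(flows)


if __name__ == "__main__":
    for src, info in scan_sample_log().items():
        print(f"{src}: {info['targets']} half-open targets, "
              f"{info['ratio']:.0%} from source port {info['fixed_src_port']}")
```

In production the same two signals (fan-out of half-open flows and a source port that never changes) map onto whatever flow or firewall telemetry the edge device already exports; the point of the fixed-port check is that it separates scanning from a busy but legitimate device, whose failed connections spread across ephemeral ports. A single flagged router is worth isolating and checking for unauthorized firmware or processes before it is patched, since patching alone does not evict an operator who already holds root on it.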
The evolution of JDY underscores a shift toward more surgical, intelligence-driven cyber operations. As threat actors continue to leverage the rapid discovery of flaws, the security of internet-facing edge devices remains a significant concern for national security and enterprise defense.