JDY botnet doubles scanners, targets U.S. military networks

A China-linked JDY botnet has expanded its scanning and fingerprinting activity against the United States, growing from about 650 active bots in January 2024 to more than 1,500 compromised SOHO and IoT devices. Security researchers say the network rapidly turn
The morning security teams notice unusual outbound traffic, it rarely looks like an attack. It looks like noise—device behavior that might be explainable, until it isn’t.
Black Lotus Labs by Lumen says the JDY botnet is the kind of “noise” that builds into a clearer picture fast. The malware network, previously associated with China-nexus threat actors such as Volt Typhoon, maintains a strong focus on the United States, where many compromised devices sit and where JDY targets military and associated networks.
In January 2024, JDY was roughly 650 active bots. Today, it has more than 1,500 compromised SOHO and IoT devices under its control. While that number may sound modest, the researchers stress that JDY isn’t designed to smash targets with brute-force firepower. It functions as a distributed scanning and fingerprinting network—built to find infrastructure that may be vulnerable after new flaws are disclosed, then help operators confirm what’s exploitable.
“Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors,” the Black Lotus Labs report says. “This targeted focus has been observed across a range of sectors, with the U.S. military and associated entities as the most prominent.”
The operational shape of JDY is part of what makes it unsettling. Instead of waiting for an exploit campaign, it actively works to map targets. The malware is designed to conduct service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and flaw-focused reconnaissance.
Researchers describe compromised devices from a range of vendors, including Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys. The devices span MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures, a reminder that the botnet isn’t limited to one kind of network footprint.
That focus on newly disclosed vulnerabilities shows up in specific timing. Lumen researchers observed JDY scanning targeting CVE-2026-35616 shortly after Fortinet publicly disclosed the FortiClient EMS flaw. The botnet’s attention doesn’t appear to drift; it snaps quickly toward what defenders have just been told to patch.
JDY operators run the campaign through hidden Tor services that also act as command-and-control (C2) infrastructure. In some cases, the open-source reverse-shell and host-management framework Platypus is used. Inside the botnet itself, each client registers with a central “Dispatch Service” and receives scanning assignments. It executes scans, compresses the results, and sends them back to the C2.
The scanning module supports TCP scanning, SSL/TLS scanning, UDP scanning, and ICMP probing, along with banner collection, TLS certificate harvesting, and service fingerprinting using downloadable rule sets. The client repeats the cycle until the operator explicitly orders it to stop.
Researchers also point to the TCP scanning approach as technically distinctive. When JDY has sufficient privileges, it performs faster and stealthier raw SYN scanning. If the malware can open a raw socket—typically requiring root or administrative privileges—it initiates high-speed SYN scanning using custom-crafted TCP packets. Those packets use a fixed source port of 19000, increment the destination ports one at a time, and batch-process thousands of scan targets.
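The fixed-source-port, port-incrementing SYN pattern described above is something a defender can look for in flow or firewall logs from edge devices. The following is an added example, not code from the article or from Black Lotus Labs: it parses a constructed flow-log format (the format, the thresholds, and the sample lines are assumptions) and flags any source whose outbound SYN-only probes come overwhelmingly from one source port and walk destination ports one at a time.

```python
"""Flag outbound SYN-scan bursts from edge devices in constructed flow logs.

Heuristic based on the JDY TCP scanning behaviour described in the article:
a fixed source port (19000 in the report), destination ports incremented one
at a time, and SYN-only packets sent in bulk. The log format, thresholds and
sample lines below are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp_flags>"
# 192.168.1.1 behaves like a sweeping scanner; 192.168.1.50 is normal browsing.
SAMPLE_LOG = """\
1700000000 192.168.1.1:19000 -> 203.0.113.10:21 S
1700000000 192.168.1.1:19000 -> 203.0.113.10:22 S
1700000000 192.168.1.1:19000 -> 203.0.113.10:23 S
1700000000 192.168.1.1:19000 -> 203.0.113.10:24 S
1700000000 192.168.1.1:19000 -> 203.0.113.10:25 S
1700000000 192.168.1.1:19000 -> 203.0.113.11:21 S
1700000000 192.168.1.1:19000 -> 203.0.113.11:22 S
1700000001 192.168.1.1:19000 -> 203.0.113.11:23 S
1700000001 192.168.1.1:19000 -> 203.0.113.11:24 S
1700000001 192.168.1.1:19000 -> 203.0.113.11:25 S
1700000002 192.168.1.50:51234 -> 198.51.100.7:443 S
1700000002 192.168.1.50:51234 -> 198.51.100.7:443 A
1700000003 192.168.1.50:51235 -> 198.51.100.7:80 S
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<flags>[A-Z]+)$"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive integers in `ports` (0 if empty)."""
    s = sorted(set(ports))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_syn_scans(log_text, min_syns=8, min_run=5, fixed_port_share=0.9):
    """Return findings for sources whose outbound SYN-only traffic looks like a
    fixed-source-port, port-incrementing sweep. Only TCP SYN probes are
    considered; the UDP and ICMP modes mentioned in the report are out of scope.
    """
    syns_by_src = defaultdict(int)                        # src_ip -> SYN-only count
    by_src_port = defaultdict(lambda: defaultdict(list))  # (src_ip, src_port) -> dst_ip -> [dst_port]
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["flags"] != "S":            # SYN-only packets only
            continue
        syns_by_src[rec["src_ip"]] += 1
        by_src_port[(rec["src_ip"], rec["src_port"])][rec["dst_ip"]].append(rec["dst_port"])

    findings = []
    for (src_ip, src_port), targets in by_src_port.items():
        total = sum(len(p) for p in targets.values())
        share = total / syns_by_src[src_ip]               # fraction of host's SYNs from this port
        run = max(longest_consecutive_run(p) for p in targets.values())
        if total >= min_syns and share >= fixed_port_share and run >= min_run:
            findings.append({
                "src_ip": src_ip,
                "src_port": src_port,
                "syn_probes": total,
                "targets": len(targets),
                "longest_port_run": run,
            })
    return findings


if __name__ == "__main__":
    for f in detect_syn_scans(SAMPLE_LOG):
        print(f"suspected SYN sweep from {f['src_ip']}:{f['src_port']} "
              f"({f['syn_probes']} probes, {f['targets']} targets, "
              f"longest port run {f['longest_port_run']})")
```

The three signals are combined deliberately: a high SYN count alone would also match a busy web client, and a single fixed source port is normal for one long-lived connection, but a large share of SYN-only packets from one port that step through adjacent destination ports is hard to explain as ordinary edge-device behaviour. In production the thresholds would be tuned per device class and the input would come from NetFlow/IPFIX or firewall logs rather than the constructed text above.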
Put together, the pattern is stark: JDY expands its reconnaissance footprint, targets U.S. military and associated networks, and begins mapping vulnerable infrastructure shortly after public vulnerability disclosures. The details are procedural—but the impact is strategic, because it turns patch announcements into actionable reconnaissance windows.
CISA has previously warned about the risk Volt Typhoon operatives pose to unprotected SOHO routers, urging network device vendors to eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases.
For organizations trying to limit what JDY can recruit, the advice is practical and immediate: ensure routers, firewalls, and IoT devices are running the latest security updates and patches; reduce external attack surface by disabling unnecessary internet-exposed administrative interfaces; restrict remote management access; replace default credentials; and monitor for unusual outbound scanning activity originating from edge devices.
So basically it’s scanning again? Love how that’s just “noise” until it isn’t.
My router is probably part of this like… I always wondered why my internet acts weird. They say it’s IoT and SOHO but isn’t everyone SOHO now??
Wait, they said it’s for vulnerable infrastructure after disclosures, right? So the hackers are using our patch notes to plan? That seems like a backdoor to me, like “thanks for the info.”
I don’t get how “botnet doubles scanners” is different from normal hacking. If they’re just fingerprinting then why are they targeting military networks—couldn’t they just do it to banks or whatever? Also 1500 devices sounds small, like that can’t really be “unsettling” unless each one is super powerful.