Ethical Hacking News
The JDY botnet is a sophisticated reconnaissance network tied to Chinese state-sponsored hacking groups including Volt Typhoon. The botnet comprises over 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices, operating as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale. The malware affects a wider array of devices, feeding structured reconnaissance data into a larger scanning ecosystem for subsequent triage, target identification, and exploitation. The botnet's resurgence post-takedown poses significant concerns for military networks and organizations worldwide.
The cybersecurity landscape has witnessed an evolution in the tactics employed by adversaries, particularly those backed by nation-states. One such entity that has garnered attention is the JDY botnet, a sophisticated reconnaissance network tied to Chinese state-sponsored hacking groups including Volt Typhoon. The botnet's resurgence post-takedown of its precursor, KV-botnet, poses significant concerns for military networks and organizations worldwide.
According to recent reports, the JDY botnet comprises over 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices, operating as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale. The malware affects a wider array of devices, feeding structured reconnaissance data into a larger scanning ecosystem for subsequent triage, target identification, and exploitation.
The device list has diversified significantly, with the botnet now pulling in hardware from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys, among others. This expanded scope enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists. By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked.
The architecture behind JDY is layered and careful, with operators connecting to infected devices through hidden Tor services that hide both the command-and-control servers and the payload servers. The C2 (command-and-control) tells infected devices what to scan; results flow back to central servers for aggregation. Nothing stays on disk longer than necessary, as the dropper downloads the payload, launches it, then deletes the binary.
The malware itself identifies its host, checks in to the dispatch service via HTTPS with a structured JSON packet describing the system's OS, architecture, uptime, memory, and malware version, then waits for scanning tasks. The scanning engine adapts to what privileges it has. With root access and a raw socket, it fires SYN packets using custom-crafted TCP packets, scanning thousands of targets per batch without completing a handshake, which means no application-level logging on the target. Without raw socket access, it falls back to standard TCP and TLS connections and collects richer data: banners, SSL/TLS versions, certificate metadata, redirect paths, HTTP responses.
The malware doesn't just scan networks in a basic way; when it receives a command from its control server, it downloads detailed rules for spotting specific services, including how they behave, what ports they use, and what their responses look like. Each infected router is essentially turned into a smart scanner that can recognize and confirm real services, not just open ports.
The findings are then packaged into encrypted data and sent back to the attackers, including details such as IP addresses, ports, protocols, TLS info, certificates, and web redirects. What JDY does with its results makes the intent clear: the botnet's large number of U.S.-based SOHO and IoT devices enables the botnet operators to evade defenses and traditional IP-based controls.
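The two detection problems the article raises, half-open SYN probes that leave no application-level log entries and scanning spread across many SOHO/IoT source addresses so that no single IP crosses a per-source threshold, can be illustrated with a small defender-side check. The following is an added example, not code from the article or from any cited report; the log record layout and the thresholds are constructed for the example.

```python
"""Aggregate half-open SYN probes by destination service rather than by source.

Added example (not from the article): a per-source "one IP hit N ports" rule
misses reconnaissance distributed over many infected routers, while grouping
SYN-only flows by destination port exposes the same campaign.
"""
from collections import defaultdict

# Constructed firewall-style records: (time, src_ip, dst_ip, dst_port, flags)
# "S" = SYN seen with no handshake completed; "SA" = handshake completed.
SAMPLE_FLOWS = [
    ("10:00:01", "198.51.100.7",  "203.0.113.10", 443, "S"),
    ("10:00:02", "198.51.100.22", "203.0.113.11", 443, "S"),
    ("10:00:03", "198.51.100.31", "203.0.113.12", 443, "S"),
    ("10:00:04", "198.51.100.45", "203.0.113.13", 443, "S"),
    ("10:00:05", "198.51.100.58", "203.0.113.14", 443, "S"),
    ("10:00:06", "198.51.100.66", "203.0.113.15", 443, "S"),
    ("10:00:07", "198.51.100.73", "203.0.113.16", 443, "S"),
    ("10:00:08", "192.0.2.5",     "203.0.113.10", 22,  "S"),
    ("10:00:09", "192.0.2.9",     "203.0.113.11", 22,  "S"),
    ("10:00:10", "192.0.2.14",    "203.0.113.12", 22,  "S"),
    ("10:00:11", "198.51.100.7",  "203.0.113.20", 80,  "SA"),  # legitimate session
]

PER_SOURCE_THRESHOLD = 5    # classic rule: one source touching >= 5 (host, port) pairs
DISTRIBUTED_THRESHOLD = 6   # example rule: >= 6 distinct sources half-opening one port


def syn_only(flows):
    """Keep only half-open probes (SYN observed, handshake never completed)."""
    return [f for f in flows if f[4] == "S"]


def per_source_scanners(flows, threshold=PER_SOURCE_THRESHOLD):
    """Traditional per-IP rule: sources that probed >= threshold distinct targets."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in syn_only(flows):
        targets[src].add((dst, port))
    return sorted(src for src, hit in targets.items() if len(hit) >= threshold)


def distributed_probes(flows, threshold=DISTRIBUTED_THRESHOLD):
    """Service-centric rule: ports half-opened by >= threshold distinct sources.

    Each infected device contributes one probe, so the per-source rule stays
    silent while the per-port view shows a coordinated sweep of one service.
    """
    sources = defaultdict(set)
    for _, src, _, port, _ in syn_only(flows):
        sources[port].add(src)
    return {port: sorted(srcs) for port, srcs in sources.items() if len(srcs) >= threshold}
```

On the constructed sample the per-source rule flags nothing, while the per-port view reports seven distinct sources sweeping 443 and leaves the three-source probe of 22 below threshold.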
The takedown of the KV-botnet in 2024 did not eliminate the reconnaissance capability; it forced an adaptation. "JDY's evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability," concludes the report.
The botnet's resurgence post-takedown poses significant concerns for military networks and organizations worldwide. The JDY malware focuses on infrastructure reconnaissance rather than exploiting targets, which likely supports follow-on asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems.
Related Information:
https://www.ethicalhackingnews.com/articles/The-JDY-Botnet-A-Sophisticated-Reconnaissance-Network-Targeting-Military-Networks-ehn.shtml
https://securityaffairs.com/193490/malware/jdy-botnet-evolves-after-kv-takedown-targets-military-networks.html
Published: Thu Jun 11 03:50:25 2026 by llama3.2 3B Q4_K_M