Ethical Hacking News

The Resurgence of JDY Botnet: A Stealthy Network Utilizing 1,500+ Compromised Devices for Industrialized Reconnaissance



A sophisticated network of compromised devices has resurged, with over 1,500 devices being utilized for industrialized reconnaissance purposes by China-nexus state-sponsored threat actors. The JDY botnet has demonstrated significant adaptability and resilience in the face of cybersecurity efforts, making it essential to continue monitoring its activities and implementing measures to mitigate potential threats.

  • The JDY botnet has been revived with over 1,500 devices compromised for industrialized reconnaissance purposes.
  • The malware has undergone transformations to adapt to the evolving cybersecurity environment after its initial identification in mid-December 2023.
  • The JDY botnet is being used by Chinese nation-state groups for targeted scanning and service fingerprinting with an aim to flag vulnerable infrastructure.
  • The architecture of the JDY botnet is layered, utilizing Tor nodes to manage infected infrastructure.
  • The malware features adaptive scanning methodology based on its privileges on the local system.
  • The number of compromised devices has increased from 650 at the start of January 2024 to over 1,500.
  • The JDY botnet evades defenses and traditional IP-based controls by distributing its activity across multiple IP addresses.



    The cybersecurity landscape has witnessed numerous threats emerge and dissipate over the years, leaving behind a trail of vulnerabilities and challenges for experts to address. However, the latest findings from Black Lotus Labs have revealed the resurgence of the JDY botnet, a covert network associated with China-nexus state-sponsored threat actors, with an unprecedented scale of 1,500+ devices compromised for industrialized reconnaissance purposes.

    The JDY botnet has been on the radar since its first identification as a cluster within another botnet codenamed KV-botnet in mid-December 2023. Initially used primarily for broader scanning against internet targets, the stealthy network comprising compromised SOHO routers, firewalls, and IoT devices has undergone significant transformations to adapt to the evolving cybersecurity environment.

    Following the takedown of KV-botnet by the U.S. government in early 2024, JDY botnet operators made behavioral changes to their malware, with a notable shift towards carrying out reconnaissance and targeting on their own. The latest findings from Black Lotus Labs indicate that the malware has expanded its scope, infecting a broader range of devices and acting as a conduit to feed "structured reconnaissance data" into a larger scanning ecosystem for follow-on target identification and exploitation.

    The JDY cluster is being utilized to conduct targeted scanning and service fingerprinting with an aim to flag vulnerable infrastructure following public disclosures. This suggests that the botnet is being used by Chinese nation-state groups for industrialized reconnaissance efforts, leveraging the results to inform asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems.

    The architecture of the JDY botnet is characterized as layered, with operators utilizing Tor nodes to manage infected infrastructure, including both the command-and-control (C2) and payload servers. This setup enables the delivery of a shell script dropper that checks if the malware is already active and proceeds to download the primary payload based on the detected processor architecture.

    The malware, designed to facilitate scanning and target reconnaissance, features an adaptive scanning methodology that depends on its privileges on the local system. If it can open a raw socket, indicating root privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. Conversely, if raw sockets are unavailable or the task is a web scan, the scanning engine falls back to standard TCP and TLS connections or employs protocols like UDP and ICMP.

    The growth of the JDY botnet has been remarkable, with the number of compromised devices increasing from 650 bots at the start of January 2024 to over 1,500 compromised devices. The majority of these hacked nodes are located in the U.S. and Brazil, followed by Europe and Asia. The present makeup of the botnet includes a diverse range of devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.

    The JDY botnet's ability to evade defenses and traditional IP-based controls has been highlighted by Black Lotus Labs. By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked. Furthermore, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.
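    A defensive counterpart to the evasion described above, as an added example that is not from the article or from Black Lotus Labs: a toy detector over constructed flow records that keeps the usual per-source port-count rule, then aggregates the half-open SYN probes that rule ignores by target and time window, so many low-rate sources probing one host together still surface. The flow format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flows (assumed format, not from the article):
# "epoch_seconds src_ip dst_ip dst_port tcp_flags"; flags "S" alone is a
# SYN that never completed a handshake, the footprint of SYN scanning.
SAMPLE_FLOWS = """\
1717000000 198.51.100.10 192.0.2.5 22 S
1717000001 198.51.100.11 192.0.2.5 80 S
1717000002 198.51.100.12 192.0.2.5 443 S
1717000003 198.51.100.13 192.0.2.5 8080 S
1717000004 203.0.113.7 192.0.2.9 22 S
1717000005 203.0.113.7 192.0.2.9 80 S
1717000006 203.0.113.7 192.0.2.9 443 S
1717000007 203.0.113.7 192.0.2.9 3389 S
1717000008 192.0.2.100 192.0.2.5 443 SA
"""

WINDOW_SECONDS = 300     # aggregate per destination in 5-minute buckets
PER_SOURCE_PORTS = 4     # per-IP rule: one source probing this many ports
DISTRIBUTED_SOURCES = 4  # distributed rule: this many quiet sources on one target


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, flags = line.split()
        flows.append((int(ts), src, dst, int(port), flags))
    return flows


def detect_scanning(flows):
    """Return (noisy_sources, distributed_targets): sources a per-IP rule catches,
    and {target_ip: sources} where under-threshold sources jointly probe a target."""
    syn_only = [f for f in flows if f[4] == "S"]
    ports_by_src = defaultdict(set)
    for _, src, _, port, _ in syn_only:
        ports_by_src[src].add(port)
    noisy = {s for s, p in ports_by_src.items() if len(p) >= PER_SOURCE_PORTS}
    # Second pass ignores noisy sources: what remains is exactly the traffic
    # that slips past a per-IP blocklist, so aggregate it by target instead.
    srcs, ports = defaultdict(set), defaultdict(set)
    for ts, src, dst, port, _ in syn_only:
        if src not in noisy:
            key = (dst, ts // WINDOW_SECONDS)
            srcs[key].add(src)
            ports[key].add(port)
    distributed = {}
    for key, s in srcs.items():
        if len(s) >= DISTRIBUTED_SOURCES and len(ports[key]) >= PER_SOURCE_PORTS:
            distributed[key[0]] = sorted(s)
    return noisy, distributed
```

On the sample, the single noisy host is caught by the per-IP rule, while the four quiet sources against 192.0.2.5 are only caught by the per-target aggregation.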

    The resurgence of the JDY botnet serves as a stark reminder of the evolving threat landscape and the need for continuous vigilance among cybersecurity professionals. As modern reconnaissance networks persist despite takedowns and adapt to evade detection, it is essential that experts remain proactive in addressing these emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Resurgence-of-JDY-Botnet-A-Stealthy-Network-Utilizing-1500-Compromised-Devices-for-Industrialized-Reconnaissance-ehn.shtml

  • https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html


  • Published: Wed Jun 10 12:58:14 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.