
China-Linked JDY Botnet Expands to 1,500+ Cyber Surveillance Devices

Cybersecurity researchers have warned of the “resurgence and proliferation” of JDY, a covert network associated with Chinese state-sponsored threat actors.

“The JDY botnet includes over 1,500 SOHO [small office and home office] and IoT devices and serves as a centralized, high-performance scanner used for discovery, fingerprinting, and continuous mapping of exposed services at scale,” Lumen’s Black Lotus Labs said in a report shared with Hacker News.

JDY was first identified in mid-December 2023 as a cluster within another botnet codenamed KV-botnet, a covert network of compromised SOHO routers, firewalls, and IoT devices used by Chinese hacking groups such as Volt Typhoon. The JDY cluster was mainly used for large-scale scanning of Internet targets.

After the US government took down the KV-botnet in early 2024, the botnet’s operators began changing the network’s behavior, and the KV cluster went offline. The botnet is suspected to be made available to operators from various hacking outfits, conducting reconnaissance on their behalf while also conducting reconnaissance of its own.

The latest findings from Black Lotus Labs show that the malware has widened its scope to infect a broader range of devices and now acts as a conduit that feeds “edited test data” to a larger scanning system used for targeted detection and exploitation.

In particular, the JDY cluster is used to perform targeted scanning and service fingerprinting in order to flag vulnerable infrastructure shortly after a vulnerability is publicly disclosed. This points to an advanced espionage effort whose results benefit Chinese nation-state groups.

This coincided with growth in the size of the botnet, which increased from 650 bots in early January 2024 to more than 1,500 compromised devices. Most of the hijacked nodes are located in the US and Brazil, followed by Europe and Asia.

Where previously the cluster featured mainly Cisco RV320 and RV325 routers, the botnet’s current makeup is quite different, including devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.

“The botnet’s large number of US-based SOHO/IoT devices enables botnet operators to circumvent traditional IP-based defenses and controls, such as geofencing, IP reputation-based discovery, and static blocklists,” Black Lotus Labs said.

“By spreading their scanning and rescanning work across multiple IP addresses, operators make it less likely that any one IP will be called a scanner and blocked. Additionally, using vulnerable SOHO and IoT devices helps this work to match legitimate user traffic.”
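The evasion described above, scan work spread thinly across many residential IPs, is exactly what defeats per-source-IP thresholds. The following added example (not code from the report or from Black Lotus Labs) runs two detection rules over a constructed set of flow records: a classic per-source rule, and a target-centric rule that aggregates SYN-only probes across all sources in a time window. The record layout, IP addresses and thresholds are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# Twenty "bot" sources each send a single SYN-only probe to a different port of
# one target, mimicking distributed rescanning; three completed-handshake flows
# from a legitimate client are included for contrast.
BOT_FLOWS = [(100 + i, f"203.0.113.{i}", "198.51.100.5", 8000 + i, "S")
             for i in range(1, 21)]
LEGIT_FLOWS = [(150, "192.0.2.7", "198.51.100.5", 443, "SA")] * 3
FLOWS = BOT_FLOWS + LEGIT_FLOWS


def is_probe(flags):
    """Treat SYN-only flows (no ACK) as probes; completed handshakes are ignored."""
    return "S" in flags and "A" not in flags


def per_source_scanners(flows, min_ports=10):
    """Traditional rule: a source is a scanner if it touches many distinct ports.
    Distributed scanning keeps every source below this threshold."""
    targets_by_src = defaultdict(set)
    for _, src, dst, port, flags in flows:
        if is_probe(flags):
            targets_by_src[src].add((dst, port))
    return {src for src, t in targets_by_src.items() if len(t) >= min_ports}


def distributed_scan_targets(flows, window=60, min_sources=10, min_ports=10):
    """Target-centric rule: flag a destination when, within one window, many
    distinct sources together probe many distinct ports on it."""
    probes_by_dst = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        if is_probe(flags):
            probes_by_dst[dst].append((ts, src, port))
    hits = {}
    for dst, probes in probes_by_dst.items():
        probes.sort()
        for t0, _, _ in probes:  # slide a window starting at each probe
            win = [p for p in probes if t0 <= p[0] < t0 + window]
            srcs = {p[1] for p in win}
            ports = {p[2] for p in win}
            if len(srcs) >= min_sources and len(ports) >= min_ports:
                hits[dst] = {"sources": len(srcs), "ports": len(ports)}
                break
    return hits


if __name__ == "__main__":
    print("per-source rule flags:", per_source_scanners(FLOWS))
    print("target-centric rule flags:", distributed_scan_targets(FLOWS))
```

On the sample data the per-source rule flags nothing, while the target-centric rule reports the target as probed by 20 sources on 20 ports within a single window.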

The architecture that powers the botnet is best described as layered: operators use Tor nodes to manage the infected infrastructure, including both command-and-control (C2) and payload servers. The C2 servers direct bots to perform targeted probes and system profiling rather than random scans. The scan results are sent to central servers for ongoing intelligence gathering in support of the objectives of Chinese threat actors.

Attack chains leverage newly disclosed vulnerabilities in edge devices (e.g., CVE-2026-35616) to deliver a dropper shell script that checks whether the malware is already running and, if not, downloads the main payload matching the detected processor architecture (e.g., mips, mipslpse64, or mipslpse). Once the malware is launched, it deletes itself from disk.

The scan-and-relay malware is designed to fingerprint the host, receive scan tasks from the central C2 server, perform high-volume TCP, SSL, UDP, and ICMP-based probes, capture the responses (TLS certificates, metadata, etc.), and report the results back to a reporting server. The aim is infrastructure reconnaissance rather than exploitation.

A notable feature of the malware is its ability to change the scanning method based on its privileges on the local system. If it can open a raw socket, an indicator of root privileges, it launches a high-speed SYN scan using custom-crafted TCP packets. If raw sockets are not available, or if the task is a web scan, the scan engine falls back to standard TCP and TLS connections or to basic protocols such as UDP and ICMP.

The work likely feeds asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack systems, the cybersecurity firm said.

“JDY demonstrates how IoT/SOHO botnets and private networks of compromised devices can be used to rapidly exploit vulnerabilities,” the company said. “The continued growth and performance of JDY demonstrates how today’s intelligence networks persist despite degradation and adapt as a long-lasting capability within the broader adversary ecosystem.”

“The evolution of JDY from a supporting part of the KV-botnet to an autonomous, high-performance surveillance force shows that the interference of individual nodes or clusters does not eliminate the underlying power. The ability is continuous, synchronized, and continues to provide adversaries with timely identification data, often within hours of the vulnerability being exposed.”
