A botnet associated with the Chinese state has expanded to 1,500 compromised routers and is identifying susceptible targets within hours of their revelation.


TL;DR The JDY botnet, associated with China, has expanded from 650 to over 1,500 compromised small office and home office devices. It quickly scans for newly revealed vulnerabilities and relays targeting information to state-sponsored hackers.

A covert botnet linked to state-sponsored hackers in China has significantly increased in size, now capable of scanning for newly disclosed vulnerabilities within hours of their announcement. According to new findings from Lumen’s Black Lotus Labs, the JDY botnet consists of over 1,500 compromised small office and home office routers, firewalls, and IoT devices, predominantly located in the United States and Brazil.

Initially identified in December 2023 as part of the KV-botnet operated by the Chinese hacking group Volt Typhoon, JDY managed to survive and evolve following the FBI's takedown of the KV-botnet in early 2024. It has now become an independent and highly effective reconnaissance tool.

Rather than directly attacking targets, the botnet conducts large-scale scanning, fingerprinting, and mapping of exposed services, subsequently providing the findings to state-sponsored groups in China for further exploitation. Black Lotus Labs refers to this operation as an “industrialised reconnaissance effort,” where data is sent to central servers for continuous intelligence collection.

The speed of its actions is remarkable; attack chains utilize newly uncovered vulnerabilities in edge devices to compromise routers and integrate them into the network. Once infected, the bots engage in high-volume probing using TCP, SSL, UDP, and ICMP, capturing TLS certificates and service metadata to relay back to dispatch servers. The main focus is on infrastructure mapping rather than direct exploitation.

Since January 2024, the botnet has increased from 650 devices to over 1,500, and its targeted devices have diversified. Initially focusing on Cisco RV320 and RV325 routers, it now also infiltrates devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.

This variety is intentional. By spreading scanning activity across a broad array of IP addresses, the operators mitigate the risk of any individual IP being flagged or blocked. Utilizing compromised SOHO and IoT devices helps disguise the malicious traffic as normal user activity, and US-based devices enable the operators to bypass geofencing and IP reputation controls.

The architecture is structured in layers. Infected infrastructure is managed via Tor nodes, encompassing both command-and-control and payload servers. The malware adjusts its scanning techniques based on the privileges it has on the compromised devices. With root access, it employs high-speed SYN scanning using custom packets; without root, it defaults to standard TCP and TLS connections.

Black Lotus Labs noted, “Disruption of individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.” Chinese state hacking efforts have historically focused on US infrastructure, and the JDY botnet demonstrates that the reconnaissance framework supporting these campaigns is becoming increasingly robust.

For defenders, the implication is clear: prompt patching of edge devices is essential. Routers and IoT equipment that are past their end-of-life are particularly vulnerable. Traditional IP-based defenses prove ineffective when scanning traffic originates from thousands of seemingly legitimate residential IP addresses nationwide.
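The last two paragraphs make the detection point concrete: a scan spread across many residential sources never trips a per-source-IP threshold, so the aggregation has to happen on the target side instead. The following script is an added illustration of that idea and is not code from Black Lotus Labs or from the article. It builds a constructed firewall log (documentation IP ranges, a hypothetical `<ts> <src> -> <dst>:<dport> SYN` line format) in which sixty sources each probe only two ports on one host, then compares a conventional per-source rule with a per-target sliding-window rule. Thresholds, window size and field names are assumptions chosen for the example.

```python
"""Detect distributed port sweeps that per-source-IP thresholds miss.

Added example, not the article's or Black Lotus Labs' detection logic.
Constructed scenario: sixty distinct sources each probe two ports on a single
exposed host within one minute. No single source exceeds a conventional
per-IP alert threshold, but together they sweep 120 ports on the target.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one constructed log line: '<ts> <src> -> <dst>:<dport> SYN'."""
    ts, src, _arrow, target, _flag = line.split()
    dst, dport = target.rsplit(":", 1)
    return Flow(int(ts), src, dst, int(dport))


def per_source_alerts(flows, port_threshold=20):
    """Conventional rule: alert on any source that touches many distinct ports."""
    ports_by_src = defaultdict(set)
    for f in flows:
        ports_by_src[f.src].add(f.dport)
    return {src for src, ports in ports_by_src.items() if len(ports) >= port_threshold}


def per_target_alerts(flows, window=60, port_threshold=50, min_sources=10):
    """Aggregate by target: flag a host whose ports are swept by many different
    sources inside one time window, regardless of how little each source did.
    The widest qualifying window per target is reported."""
    alerts = {}
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):
            # advance the window start so the segment never spans more than `window` s
            while fl[end].ts - fl[start].ts > window:
                start += 1
            segment = fl[start:end + 1]
            ports = {f.dport for f in segment}
            srcs = {f.src for f in segment}
            if len(ports) >= port_threshold and len(srcs) >= min_sources:
                if dst not in alerts or len(ports) > alerts[dst]["ports"]:
                    # count distinct /24s to show how spread out the sources are
                    nets = {str(ipaddress.ip_network(f"{s}/24", strict=False)) for s in srcs}
                    alerts[dst] = {"ports": len(ports), "sources": len(srcs),
                                   "source_nets": len(nets)}
    return alerts


def build_sample_log():
    """Constructed sample: 60 sources from three documentation /24s, two ports each,
    one source per second, all aimed at the hypothetical host 10.0.0.5."""
    nets = ["192.0.2", "198.51.100", "203.0.113"]
    base = 1_700_000_000
    lines = []
    for i in range(60):
        src = f"{nets[i % 3]}.{i // 3 + 1}"
        for port in (2 * i + 1, 2 * i + 2):
            lines.append(f"{base + i} {src} -> 10.0.0.5:{port} SYN")
    return lines


SAMPLE_LOG = build_sample_log()
FLOWS = [parse_line(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    print("per-source alerts:", per_source_alerts(FLOWS))   # empty: nobody crosses 20 ports
    print("per-target alerts:", per_target_alerts(FLOWS))   # 10.0.0.5: 120 ports, 60 sources
```

The per-source rule returns nothing because every address stays well under its threshold, which is exactly the evasion the article describes; the per-target rule flags the host because the sweep is visible as soon as the unit of aggregation is the victim rather than the probing address. In production the same idea applies to TLS handshake logs (many sources each fetching one certificate) as much as to SYN records, and the source-network count is a useful triage signal for distinguishing a residential botnet from a single misconfigured scanner.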
