A botnet connected to the Chinese state has expanded to 1,500 compromised routers and is identifying vulnerable targets within hours of their announcement.


The China-linked JDY botnet has expanded from 650 to over 1,500 hacked small office and home office devices. It identifies newly disclosed vulnerabilities within hours and sends targeting information to state-sponsored hackers. Research from Lumen’s Black Lotus Labs reveals that this covert botnet consists of more than 1,500 compromised routers, firewalls, and IoT devices, primarily located in the United States and Brazil.

JDY was initially detected in December 2023 as part of the KV-botnet, a network utilized by the Chinese hacking group Volt Typhoon. The FBI dismantled KV-botnet in early 2024, but JDY survived, adapted, and is now characterized by Black Lotus Labs as an independent, highly effective reconnaissance tool.

Rather than launching attacks directly, the botnet scans, fingerprints, and maps vulnerable services broadly, then relays the findings to Chinese state-sponsored groups for further exploitation. Black Lotus Labs describes it as an “industrialized reconnaissance effort,” with data continuously sent to central servers for intelligence purposes.

The speed of operations is noteworthy: attack chains exploit newly announced vulnerabilities in edge devices to take control of routers and add them to the botnet. Once compromised, the bots conduct extensive TCP, SSL, UDP, and ICMP scans, capturing TLS certificates and service metadata to report back to control servers. The main aim is infrastructure mapping rather than direct exploitation.

Since January 2024, the botnet has more than doubled in size, moving from 650 devices to over 1,500, with increased variety in the types of devices targeted. Initially focused on Cisco RV320 and RV325 routers, it now includes devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.

This variety is intentional: by distributing scans across a broad range of IP addresses, the operators avoid detection and blocking of any single IP. Utilizing compromised SOHO and IoT devices helps their traffic blend with regular user activity, while US-based devices allow them to bypass geofencing and IP reputation measures.

The botnet's architecture is complex, with operators managing the infected infrastructure through Tor nodes that include both command-and-control servers and payload servers. The malware adjusts its scanning technique to the privileges it holds on the compromised device, using high-speed SYN scanning with custom packets when root access is obtained and falling back to standard TCP and TLS connections when it is not.

According to Black Lotus Labs, “Disruption of individual nodes or clusters does not eliminate the underlying capability.” The capability persists, adapts, and continues to supply adversaries with timely targeting information, often shortly after a vulnerability is disclosed. Chinese state hacking operations have a history of targeting US infrastructure, and the JDY botnet demonstrates that the reconnaissance infrastructure is becoming more resilient.

For cybersecurity defenders, the takeaway is clear: promptly patching edge devices is now essential. Routers and IoT devices that have reached end-of-life are especially vulnerable. Furthermore, traditional IP-based defenses are ineffective against scanning traffic that appears to originate from thousands of legitimate residential IPs throughout the country.
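Because per-IP blocking and rate limits never trigger when each compromised residential device sends only a handful of probes, detection has to aggregate by target rather than by source. The Python below is an added example, not code from Black Lotus Labs or from the article: it parses constructed firewall SYN log lines (the log format, addresses and thresholds are assumptions) and contrasts a classic per-source rule, which sees nothing, with a per-destination rule that flags many distinct sources each sending a few probes to many distinct ports.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article). Host 192.0.2.5 is probed
# on eight ports, each probe from a different source, so no single source looks noisy.
SAMPLE_LOG = """\
Mar 01 10:00:01 fw kernel: SYN src=203.0.113.10 dst=192.0.2.5 dport=443
Mar 01 10:00:04 fw kernel: SYN src=203.0.113.77 dst=192.0.2.5 dport=8443
Mar 01 10:00:09 fw kernel: SYN src=198.51.100.23 dst=192.0.2.5 dport=22
Mar 01 10:00:15 fw kernel: SYN src=198.51.100.61 dst=192.0.2.5 dport=8080
Mar 01 10:00:21 fw kernel: SYN src=203.0.113.140 dst=192.0.2.5 dport=4443
Mar 01 10:00:27 fw kernel: SYN src=198.51.100.9 dst=192.0.2.5 dport=10443
Mar 01 10:00:33 fw kernel: SYN src=203.0.113.201 dst=192.0.2.5 dport=2000
Mar 01 10:00:40 fw kernel: SYN src=198.51.100.118 dst=192.0.2.5 dport=5000
Mar 01 10:00:41 fw kernel: SYN src=192.0.2.44 dst=192.0.2.9 dport=443
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_log(text):
    """Return (src, dst, dport) tuples for every line matching the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events

def noisy_sources(events, max_probes=5):
    """Classic per-source rule: flag sources sending more than max_probes. Scans spread over a botnet evade it."""
    counts = defaultdict(int)
    for src, _dst, _dport in events:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n > max_probes)

def distributed_scan_targets(events, min_sources=5, min_ports=5, max_per_source=2):
    """Per-destination rule: many sources, many ports, and only a few probes per source is a distributed scan."""
    by_dst = defaultdict(lambda: {"sources": defaultdict(int), "ports": set()})
    for src, dst, dport in events:
        by_dst[dst]["sources"][src] += 1
        by_dst[dst]["ports"].add(dport)
    hits = {}
    for dst, info in by_dst.items():
        srcs, ports = info["sources"], info["ports"]
        if len(srcs) >= min_sources and len(ports) >= min_ports and max(srcs.values()) <= max_per_source:
            hits[dst] = {"sources": len(srcs), "ports": sorted(ports)}
    return hits

if __name__ == "__main__":
    print(noisy_sources(parse_log(SAMPLE_LOG)), distributed_scan_targets(parse_log(SAMPLE_LOG)))
```

On the sample, the per-source rule returns nothing while the per-destination rule flags 192.0.2.5 with eight sources and eight ports; in production the same aggregation runs over a sliding time window per destination.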



The JDY botnet, associated with China's Volt Typhoon, has increased in size and now searches for newly revealed vulnerabilities within hours. The majority of its nodes are located in the United States.