China-Linked JDY Botnet Expands as Recon Platform Targeting U.S. Military Networks
The China-linked JDY botnet has grown from roughly 650 devices in early 2024 to more than 1,500 compromised SOHO and IoT systems, according to Lumen Black Lotus Labs, and is being used primarily for cyber reconnaissance rather than disruptive attacks. Researchers said the infrastructure, previously tied to a cluster within KV-botnet and associated with Chinese state-backed activity including support for Volt Typhoon, performs scanning, service fingerprinting, banner grabbing, TLS certificate collection, and vulnerability-focused discovery. Many infected nodes are located in the United States and Brazil, and the activity shows a strong emphasis on U.S. military and related networks.
The operators reportedly move quickly after new vulnerabilities are disclosed: researchers observed targeting tied to CVE-2026-35616 soon after Fortinet revealed the FortiClient EMS flaw, indicating that reconnaissance data is being gathered for possible follow-on exploitation. JDY uses Tor hidden services for command-and-control, can leverage the Platypus reverse-shell and host-management framework, and adjusts its scanning techniques to the privileges it holds on the infected device, falling back to ordinary connect-style probing when unprivileged and using high-speed raw SYN scanning (which needs raw-socket access, i.e. root on the device) when elevated access is available. The report warns that compromised edge devices from multiple vendors are being folded into the botnet and urges organizations to patch routers, firewalls, and IoT devices, disable unnecessary internet-exposed administration, restrict remote management, replace default credentials, and watch for unusual outbound scanning from their own edge devices.
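The last recommendation, watching for unusual outbound scanning, is the one defenders can act on without vendor patches. The example below is an added illustration, not code from the Lumen report or from any source on this page: it runs a simple fan-out heuristic over flow records, flagging a source that opens bare SYNs to many distinct destination/port pairs without completing handshakes, which is what a raw SYN sweep from a compromised router looks like at the flow layer. The `Flow` record, the letter-style TCP flag encoding, the thresholds, and all sample traffic are assumptions constructed here for the demonstration; in practice the same fields come from NetFlow/IPFIX exports or firewall logs.

```python
"""Flag sources whose outbound traffic looks like a SYN sweep rather than normal client use.

Added example; the records below are constructed, not captured telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (assumed schema, modelled on NetFlow/IPFIX fields)."""
    src: str
    dst: str
    dport: int
    flags: str       # cumulative TCP flags seen, e.g. "S" (SYN only), "SA", "PA"
    bytes_out: int


# Constructed sample traffic (not real data):
#  - 10.0.0.50: a SOHO router sweeping 40 hosts on three common TLS/management
#               ports with bare SYNs and no completed handshakes (the pattern to catch)
#  - 10.0.0.30: a monitoring box that talks to 30 hosts on port 22 with full sessions
#               (many targets, but every flow carries data: should NOT be flagged)
#  - 10.0.0.20: an ordinary client with one completed session and one unanswered SYN
SAMPLE_FLOWS = (
    [Flow("10.0.0.50", f"192.0.2.{i}", port, "S", 60)
     for i in range(1, 41) for port in (443, 8443, 10443)]
    + [Flow("10.0.0.30", f"198.51.100.{i}", 22, "PA", 1500) for i in range(1, 31)]
    + [Flow("10.0.0.20", "203.0.113.5", 443, "PA", 4000),
       Flow("10.0.0.20", "203.0.113.6", 443, "S", 60)]
)


def syn_scan_candidates(flows, min_targets=20, min_syn_ratio=0.8):
    """Return {src: summary} for sources that look like they are SYN-scanning.

    A source is flagged when it touched at least `min_targets` distinct
    (destination, port) pairs AND at least `min_syn_ratio` of its flows were
    SYN-only (no ACK, no payload). Thresholds are arbitrary starting points;
    tune them against your own baseline before alerting on them.
    """
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "syn_only": 0, "total": 0})
    for f in flows:
        s = per_src[f.src]
        s["total"] += 1
        s["targets"].add((f.dst, f.dport))
        s["ports"].add(f.dport)
        if f.flags == "S":          # handshake never completed from this side's view
            s["syn_only"] += 1

    flagged = {}
    for src, s in per_src.items():
        ratio = s["syn_only"] / s["total"]
        if len(s["targets"]) >= min_targets and ratio >= min_syn_ratio:
            flagged[src] = {
                "distinct_targets": len(s["targets"]),
                "distinct_hosts": len({dst for dst, _ in s["targets"]}),
                "ports": sorted(s["ports"]),
                "syn_only_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for src, info in syn_scan_candidates(SAMPLE_FLOWS).items():
        print(f"possible SYN sweep from {src}: {info}")
```

The ratio check is what keeps a busy but legitimate host (the monitoring box above) out of the alert: volume alone is a poor signal on a network with backup or monitoring systems, whereas a high share of never-completed SYNs is rare for anything but a scanner or a badly misconfigured client. Pivoting from a flagged source to its DNS and Tor-related outbound connections is the natural next step given the C2 channel described above.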

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
JDY resurges independently after 2024 KV-botnet takedown
Black Lotus Labs reported that after the 2024 takedown of the KV-botnet cluster, JDY re-emerged as an independent reconnaissance platform rather than remaining embedded within KV infrastructure. Researchers described it as part of China-linked activity and said it was being used to map exposed services at scale.
DOJ seizes 13 fake consulting sites tied to suspected PRC operatives
The U.S. Justice Department said it seized 13 fake consulting websites allegedly used by suspected PRC operatives to target current and former U.S. security-clearance holders through fraudulent job postings and requests for confidential information. According to the department, the activity had been ongoing since November 2023 and involved concealed payments, including in cryptocurrency.
JDY expands to more than 1,500 devices and targets U.S. networks
Black Lotus Labs reported that JDY had grown to over 1,500 compromised SOHO and IoT devices and was being used as a distributed reconnaissance network with a strong emphasis on U.S. targets, especially military-related networks.
Fortinet discloses FortiClient EMS flaw CVE-2026-35616
Fortinet disclosed the FortiClient EMS vulnerability tracked as CVE-2026-35616, which researchers later cited as a trigger for rapid JDY scanning activity.
JDY botnet measured at about 650 active bots
Black Lotus Labs observed JDY at roughly 650 active compromised SOHO and IoT devices, providing an early baseline for the botnet's size.
JDY identified as a cluster within KV-botnet
Researchers previously identified JDY as a cluster within the KV-botnet, establishing an earlier link between the infrastructure and China-nexus activity.
Sources
JDY Botnet Linked to Volt Typhoon Targets Routers (securityonline.info)
Security experts sound alarm over 'expanded' China-linked botnet used to target US critical infrastructure and military assets (itpro.com)
China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation (cybersecuritynews.com)
JDY Botnet Evolves After KV Takedown, Targets Military Networks (securityaffairs.com)
China-linked operators revive botnet, stir AI datacenter debate (theregister.com)
JDY botnet expands, enabling rapid exploitation of disclosed vulnerabilities (scworld.com)
China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance (thehackernews.com)
China-linked JDY botnet expands targeting of U.S. military networks (bleepingcomputer.com)
Expanded JDY IoT and SOHO botnet enables rapid vulnerability exploitation (lumen.com)


