[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIL7fR4RKhJamnZLW79HPHmiGItrxHgzZSoaPdyCKZX4":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"bfb10895-1210-4aef-be71-22b04d136d4e","China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance","china-linked-jdy-botnet-expands-to-1-500-devices-for-cyber-reconnaissance-944a2c","Cybersecurity researchers have warned of a \"resurgence and expansion\" of JDY, a covert network associated with China-nexus state-sponsored threat actors. \"The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale,\" Lumen's","The JDY botnet, associated with China-nexus state-sponsored threat actors, has significantly expanded its reach to over 1,500 SOHO and IoT devices. This covert network functions as a high-performance scanner for discovering and mapping exposed services at scale, feeding reconnaissance data into a larger scanning ecosystem for target identification and exploitation by Chinese nation-state groups. The botnet's growth and diverse device makeup, including many U.S.-based nodes, help it evade traditional defenses.","China-linked JDY botnet expands to over 1,500 devices for cyber reconnaissance.","China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance. Ravie Lakshmanan, Jun 10, 2026, Botnet \u002F Network Security. Cybersecurity researchers have warned of a \"resurgence and expansion\" of JDY, a covert network associated with China-nexus state-sponsored threat actors. 
\"The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale,\" Lumen's Black Lotus Labs said in a report shared with The Hacker News. JDY was first flagged as a cluster within another botnet codenamed KV-botnet in mid-December 2023. Primarily used for broader scanning against internet targets, the stealthy network comprising compromised SOHO routers, firewalls, and IoT devices has been put to use by Chinese hacking groups like Volt Typhoon. Following KV-botnet's takedown by the U.S. government in early 2024, the botnet operators began making behavioral changes to the network, with the second KV cluster largely going offline. It's suspected that the botnet is offered by the operators to various hacking outfits, while carrying out reconnaissance and targeting on their own. The latest findings from Black Lotus Labs show that the malware has expanded in scope to infect a broader range of devices and act as a conduit to feed \"structured reconnaissance data\" into a larger scanning ecosystem for follow-on target identification and exploitation. Specifically, the JDY cluster is being used to conduct targeted scanning and service fingerprinting with an aim to flag vulnerable infrastructure following public disclosures. This points to an industrialized reconnaissance effort, the results of which are leveraged by Chinese nation-state groups. This has been complemented by a growth in the botnet's size, which has surged from 650 bots at the start of January 2024 to more than 1,500 compromised devices. Most of the hacked nodes are located in the U.S. and Brazil, followed by Europe and Asia. 
Where previously the cluster primarily featured Cisco RV320 and RV325 routers, the present makeup of the botnet is a lot more diverse, including devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. \"The botnet's large number of U.S.-based SOHO\u002FIoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists,\" Black Lotus Labs said. \"By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked. Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.\" The architecture that powers the botnet is best described as layered: the operators use Tor nodes to manage infected infrastructure, including both the command-and-control (C2) and payload servers. The C2 servers direct the bots to perform targeted reconnaissance and system profiling, as opposed to indiscriminate scanning. Results of the scans are sent to central servers for ongoing intelligence gathering in an effort to further Chinese threat actors' objectives. Attack chains weaponize newly disclosed vulnerabilities in edge devices (e.g., CVE-2026-35616) to deliver a shell script dropper that checks if the malware is already active, and if not, proceeds to download the primary payload based on the detected processor architecture (e.g., mips, mips64, mipsel, or mipsel64). Once the malware is launched, it's deleted from disk. The malware that facilitates scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, carry out high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server. 
The goal is to conduct infrastructure reconnaissance rather than exploitation. A noteworthy functionality of the malware is its ability to adapt its scanning methodology based on its privileges on the local system. If it can open a raw socket, an indication of root privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. If raw sockets are unavailable or if the task is a web scan, the scanning engine resorts to using standard TCP and TLS connections or employs protocols like UDP and ICMP. This activity most likely informs asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems, the cybersecurity company said. \"JDY demonstrates how IoT\u002FSOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation,\" the company said. \"JDY's growth and continued operation illustrate how modern reconnaissance networks persist despite takedowns and adapt as a durable capability within a broader adversary ecosystem.\" \"JDY's evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.\"","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fchina-linked-jdy-botnet-expands-to-1500.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgQC0_BYMuNpY7re4OHHsytEfC6fW3KsonxN6e2X0Dj03fJoMazI6EZnvPj_hOUZ99yJLq6RrH3ZSCsfDWOB6AgDJVk_1LY5TzgSpP7QFKcI_grjRI7Pm9QGputoI0LM4LH8ZCOAVb_PnzXAs_bMP6n_3u__fPEmxEKVUv5ZZjG5vOJT_fmhvAy551gjCmi\u002Fs1600\u002Fbot.png","2026-06-10T16:08:42+00:00","2026-06-10T18:00:17.537104+00:00",8,[18,21,24,27,29,32],{"name":19,"type":20},"Volt Typhoon","threat_actor",{"name":22,"type":23},"KV-botnet","campaign",{"name":25,"type":26},"RV320","product",{"name":28,"type":26},"RV325",{"name":30,"type":31},"Cisco","vendor",{"name":33,"type":31},"Ubiquiti","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":34,"icon":36,"name":37,"slug":38},null,"Nation-state","nation-state",[40,42,47,52],{"category":41},{"id":34,"icon":36,"name":37,"slug":38},{"category":43},{"id":44,"icon":36,"name":45,"slug":46},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":48},{"id":49,"icon":36,"name":50,"slug":51},"d6f63bb8-0801-486a-be7f-171400700454","IoT\u002FOT","iot-ot",{"category":53},{"id":54,"icon":36,"name":55,"slug":56},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[58],{"type":59,"value":60,"context":61},"cve","CVE-2026-35616","Weaponized vulnerability in edge devices used for attack chains"]