JDY Botnet Hits 1,500 Devices in Volt Typhoon Ops
Key insights
- JDY grew from 650 to over 1,500 compromised devices after the 2024 U.S. government takedown of its parent KV-Botnet.
- The botnet delivers structured reconnaissance data to exploitation pipelines within hours of new vulnerability disclosures.
- JDY uses Tor-routed command-and-control and TCP, SSL, UDP, and ICMP probing to capture TLS certificates and service metadata at scale.
Why this matters
China-nexus threat actors now maintain persistent reconnaissance infrastructure that reconstitutes after targeted disruptions, and JDY's growth from 650 to more than 1,500 devices after the KV-Botnet takedown shows that law enforcement disruption operations alone cannot contain modular botnet architectures. For security teams managing SOHO and IoT deployments, JDY's documented ability to fingerprint newly disclosed vulnerabilities within hours compresses the effective patch window from weeks to hours, which leaves organizations on standard 30-to-90-day cycles exposed for most of each cycle. Tor-routed, continuously refreshed botnet reconnaissance is a structural capability that defenders must model as an always-on attack surface, not a one-off incident response problem.
Summary
Black Lotus Labs has tracked JDY, a China-linked botnet that survived the 2024 FBI KV-Botnet takedown and expanded to over 1,500 compromised SOHO and IoT devices, up from 650 at the start of January 2024.
JDY runs TCP, SSL, UDP, and ICMP probing to fingerprint exposed internet services and deliver structured targeting intelligence to downstream operators, often within hours of new vulnerability disclosures. Command-and-control infrastructure routes through Tor nodes, and recent attack chains exploit newly disclosed edge-device vulnerabilities to drop shell script payloads.
Essentially: Volt Typhoon runs persistent reconnaissance through JDY, a botnet now independently tracked by Black Lotus Labs as a China-nexus capability that reconstituted after its parent network was dismantled.
- Infected hardware spans Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks devices, with the heaviest concentration in the U.S. and Brazil.
- JDY was first identified as a KV-Botnet sub-cluster in mid-December 2023 and grew independently after the other KV cluster went largely offline following the government takedown.
The case shows that disrupting a botnet can splinter its sub-clusters into new independent capabilities rather than eliminating them.
Potential risks and opportunities
Risks
- Operators of Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks SOHO and IoT devices face ongoing exposure as JDY's scanning continuously refreshes targeting data for Volt Typhoon operators.
- Organizations with 30-to-90-day patch cycles for edge devices are structurally exposed given JDY's documented ability to operationalize reconnaissance data within hours of vulnerability disclosure.
- The Tor-routed command-and-control architecture complicates any repeat coordinated takedown, increasing the likelihood that JDY persists and expands beyond its current 1,500-device footprint.
Opportunities
- Network threat intelligence vendors with SOHO botnet detection capabilities, including Lumen's Black Lotus Labs, gain credibility and client pipeline from this research publication.
- Edge device manufacturers including Ubiquiti, Draytek, and Hikvision have a narrow window to push firmware patches and auto-update enforcement before JDY's reconnaissance feeds a broader Volt Typhoon exploitation wave.
- Managed security service providers serving SMB customers can build targeted detection packages using JDY's documented device taxonomy and Tor-based command-and-control indicators.
What we don't know yet
- The specific downstream targets or sectors that received JDY's reconnaissance intelligence are not identified in current public reporting.
- Whether CVE-2026-35616, referenced in JDY's recent attack chains, has been fully patched across all affected edge-device firmware versions is not confirmed.
- How many of the 1,500-plus infected devices remain undetected by their owners, and whether affected ISPs have been notified, is undisclosed.
Originally reported by thehackernews.com
Original headline: JDY Botnet: China-Linked 1,500-Device Reconnaissance Network Evolved Independently After KV-Botnet FBI Takedown, Now Active for Volt Typhoon