China-Linked JDY Botnet Expands Targeting of U.S. Military Networks
Black Lotus Labs warns that the China-linked JDY botnet has expanded its reach in the United States, with a focus on military networks and a growing pool of compromised SOHO and IoT devices (over 1,500, up from about 650 in January 2024). Rather than a traditional DDoS botnet, JDY functions as a distributed scanning and fingerprinting network that rapidly targets newly disclosed vulnerabilities, including CVE-2026-35616 after Fortinet’s disclosure. The botnet operates via hidden Tor-based C2s (and sometimes the Platypus framework), surveying devices from vendors like Cisco, Ubiquiti, Hikvision, and others for TCP/SSL/UDP/ICMP scanning, banner grabbing, TLS certificate harvesting, and service fingerprinting. Security guidance urges patching devices, disabling exposed admin interfaces, restricting remote management, rotating default credentials, and monitoring for unusual outbound scanning.

Overview
The JDY botnet, historically associated with Chinese threat actors, has broadened its reach and sharpened its reconnaissance efforts. Researchers tracking its activity note a sustained emphasis on the United States, where many compromised devices reside and where the botnet concentrates its targeting on military and related networks. The growth is measured more by scope and capability than by sheer volume of infected devices.
Scale and distribution
- The botnet size has grown from roughly 650 active bots in January 2024 to more than 1,500 compromised devices in recent assessments.
- A substantial portion of affected equipment comes from small office/home office (SOHO) and Internet of Things (IoT) deployments.
- The growth in numbers does not mean JDY is built for large-scale flooding; rather, it operates as a distributed scanning and fingerprinting network designed to locate targets vulnerable to recently disclosed flaws.
Nature of the operation
- JDY is not a traditional exploitation framework or a denial-of-service botnet that relies on large-scale swarms. It functions as a reconnaissance network that helps operators identify and profile targets with exploitable weaknesses.
- Analysis indicates a rapid translation of reconnaissance outputs into actionable intrusion opportunities, particularly after public vulnerability disclosures.
- The focus spans a broad set of sectors, with the United States military and associated entities appearing as prominent targets.
Targeting trends and impacted regions
- Black Lotus Labs highlights a pronounced U.S. focus, with many compromised devices located domestically and within networks connected to defense-related operations.
- The botnet’s activity mirrors a pattern where newly disclosed vulnerabilities trigger swift scanning and potential follow-on exploitation.
Botnet architecture and control
- JDY operators manage the botnet through hidden Tor services that also serve as the command-and-control (C2) infrastructure.
- A modular framework, including a reverse-shell and host-management element known as Platypus, appears in certain deployments.
- The botnet registers with a central Dispatch Service that assigns scanning tasks, collects results, compresses data, and transmits findings back to the C2.
Scanning and fingerprinting capabilities
The JDY network supports a multi-faceted set of reconnaissance activities, including:
- Service discovery to locate exposed services on compromised devices
- Banner grabbing to identify running software versions and configurations
- TLS certificate collection and harvesting
- Protocol fingerprinting to classify services and protocols in use
- Flaw-focused reconnaissance aimed at recently disclosed vulnerabilities
- Scans driven by adaptable rule sets that can be downloaded and applied to the target environment
Compromised devices and vendor footprint
- Affected devices span multiple vendors across various architectures, including MIPS, MIPS64, MIPSEL, and MIPSEL64.
- Known brands observed within the compromised landscape include Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, among others.
- The breadth of devices suggests JDY leverages a wide range of exposed or inadequately protected interfaces to plant a foothold and expand its reconnaissance reach.
Vulnerability targeting and rapid exploitation
- The operators demonstrate a preference for acting quickly on publicly disclosed vulnerabilities, with scanning activity intensifying soon after disclosures.
- An example cited involves targeting a Fortinet FortiClient EMS flaw shortly after it was made public, illustrating the botnet’s agility in chasing newly disclosed weaknesses.
Technical highlights of the scanning module
- The scanning module can perform TCP, SSL/TLS, UDP, and ICMP probing, as well as TLS certificate harvesting and service fingerprinting using downloadable rule sets.
- The botnet’s client cycles through a recurring loop: receive a scanning assignment, execute, compress results, and relay data back to the C2 until explicitly instructed to stop.
TCP scanning technique of interest
- When privileged, JDY can execute high-speed raw SYN scanning using custom-crafted TCP packets.
- A notable tactic involves creating a fixed source port (19000) and iterating destination ports, enabling batch processing of thousands of targets.
- This method emphasizes stealth and speed, leveraging raw sockets, which typically require root or administrative privileges.
Operational implications for defenders
- The JDY network represents a persistent reconnaissance layer that can adapt to new vulnerabilities, enabling rapid follow-on exploitation by threat actors with state-sponsored backing.
- The breadth of affected devices and the use of Tor-based C2 channels complicate takedown efforts and attribution.
- Security teams should be mindful of unusual outbound scanning activity originating from edge devices and monitor for signatures of protocol fingerprinting and TLS certificate harvesting patterns.
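One detection check that follows from the scanning behaviour described above (the fixed source port 19000 with iterated destination ports from the TCP scanning section, and the advice here to watch for unusual outbound scanning from edge devices), written as an added example rather than anything from the Black Lotus Labs report; the flow record format, the sample records and the thresholds are assumptions:

```python
"""Flag outbound SYN scanning that reuses one fixed source port, the pattern
described for JDY's privileged raw-socket TCP scanner. Added example; the
flow format, sample data and thresholds are assumptions, not from the report."""
from collections import defaultdict

# Constructed sample flow records: src_ip src_port dst_ip dst_port tcp_flags
SAMPLE_FLOWS = """\
192.0.2.10 19000 198.51.100.5 22 S
192.0.2.10 19000 198.51.100.5 80 S
192.0.2.10 19000 198.51.100.5 443 S
192.0.2.10 19000 198.51.100.6 8443 S
192.0.2.10 19000 198.51.100.7 23 S
192.0.2.10 19000 198.51.100.8 2222 S
192.0.2.10 19000 198.51.100.9 10000 S
192.0.2.10 19000 198.51.100.10 8080 S
192.0.2.11 51234 198.51.100.5 443 SA
192.0.2.11 51235 198.51.100.5 443 SA
192.0.2.11 51236 203.0.113.9 80 SA
"""

def parse_flows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, sport, dst_ip, dport, flags = line.split()
        yield src_ip, int(sport), dst_ip, int(dport), flags

def find_fixed_port_syn_scanners(text, min_targets=5, min_share=0.8):
    """Return {src_ip: (src_port, distinct_targets)} for sources whose SYN-only
    flows mostly reuse a single source port against many (dst_ip, dst_port)
    pairs. A normal TCP stack picks a fresh ephemeral port per connection, so a
    fixed source port across many targets points at hand-crafted packets."""
    syn_flows = defaultdict(list)
    for src_ip, sport, dst_ip, dport, flags in parse_flows(text):
        if flags == "S":  # SYN without ACK: a connection attempt, not a reply
            syn_flows[src_ip].append((sport, dst_ip, dport))
    hits = {}
    for src_ip, flows in syn_flows.items():
        by_port = defaultdict(set)
        for sport, dst_ip, dport in flows:
            by_port[sport].add((dst_ip, dport))
        sport, targets = max(by_port.items(), key=lambda kv: len(kv[1]))
        share = sum(1 for f in flows if f[0] == sport) / len(flows)
        if len(targets) >= min_targets and share >= min_share:
            hits[src_ip] = (sport, len(targets))
    return hits
```

Run against real flow exports (NetFlow, Zeek conn logs) the thresholds should be tuned per site, since some load balancers and NAT devices also reuse source ports legitimately.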
Context and related security landscape
- The JDY development comes in the wake of warnings about Volt Typhoon-like activity targeting exposed SOHO routers and other consumer-grade network devices.
- The interplay between public vulnerability disclosures and rapid reconnaissance underscores the importance of timely patching and careful configuration of network devices.
Operational snapshot
- Central control: hidden Tor-based C2 with a Dispatch Service pushing scanning tasks to the botnet and collecting results.
- Scanning modalities: TCP, SSL/TLS, UDP, ICMP; banner collection; TLS certificate harvesting; protocol fingerprinting with adaptable rule sets.
- Deployment footprint: diversified by vendor and architecture, with a focus on devices that sit at the network edge and provide outward-facing services.
Conclusion
The JDY botnet’s expansion signals a refined approach to cyber-espionage leveraging rapid vulnerability exploitation and efficient reconnaissance. Its design prioritizes targeted discovery over brute force attacks, increasing the likelihood that exposed weaknesses in U.S. military and allied networks could be identified and potentially exploited in a future operation. The combination of a distributed scanning network, Tor-based C2, and cross-vendor device compromise presents a complex challenge for defenders seeking to curb the botnet’s reach and reduce exposure to emerging threats.