JDY has resurfaced and expanded into a large covert botnet of more than 1,500 compromised SOHO and IoT devices used for targeted scanning, service fingerprinting, and continuous reconnaissance. Its operators use layered command-and-control infrastructure and newly disclosed edge-device vulnerabilities to feed intelligence to Chinese state-sponsored threat actors, including Volt Typhoon. #JDY #KVbotnet #VoltTyphoon #Lumen #BlackLotusLabs
Key points
- JDY has grown from a smaller cluster into a botnet with over 1,500 compromised devices.
- The botnet is used for targeted scanning and service fingerprinting rather than broad, random probing.
- Most infected devices are located in the U.S. and Brazil, with additional nodes in Europe and Asia.
- JDY now includes a wider range of devices from vendors such as Cisco, Araknis, Ubiquiti, DrayTek, Hikvision, and Linksys.
- Attack chains abuse newly disclosed edge-device flaws to deploy malware and support Chinese nation-state reconnaissance efforts.
Read More: https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html