
JDY Botnet: The Silent "Eye" Behind China's Cyber ​​Attack Campaigns


Campaign summary

In June 2026, Lumen Black Lotus Labs confirmed that after the KV-botnet cluster was disrupted by the FBI in early 2024, the remaining JDY cluster did not disband: it quietly restructured and has now expanded to more than 1,500 hijacked SOHO and IoT devices, doubling from a low of ~650 devices after the takedown. This botnet is linked to Chinese APT groups, including Volt Typhoon, and acts as a large-scale reconnaissance system: scanning services, fingerprinting infrastructure, and transferring data back to serve the next exploits.

The most worrying point is not so much the scale as the speed of response: just hours after the Fortinet vulnerability CVE-2026-35616 was announced on April 5, 2026, JDY began mass scanning to identify unpatched devices. Of all the IPs targeted, the largest group belonged to US military networks and related entities, which is no coincidence.

Some information about Volt Typhoon

Introduction

Volt Typhoon is an Advanced Persistent Threat (APT) group that has been tracked for many years by Western intelligence and cybersecurity agencies, including Microsoft, CISA, NSA and FBI. This group is believed to be linked to the Chinese state and operates with the goal of gathering strategic intelligence and building long-term access to critical infrastructure systems.

Unlike many APT groups that focus on data theft or economic espionage, Volt Typhoon is considered to target national security and military strategies. The group's campaigns often target organizations that play an important role in social operations and defense, suggesting that the goal is not only to collect information but also to prepare the ability to impact or disrupt infrastructure in crisis situations.

Activity history

Signs of Volt Typhoon's activity were traced back to around 2021, but the group only became widely publicized in May 2023 when Microsoft published a report on a large-scale intrusion campaign targeting critical US infrastructure.

In early 2024, the FBI and the US Department of Justice conducted a campaign to destroy the KV Botnet infrastructure - the proxy network used by Volt Typhoon to hide the origin of the attack. However, subsequent studies showed that many other infrastructure components such as the JDY Botnet continued to operate and even expanded significantly.

Strategic goals

  • Critical infrastructure: Electricity, Energy, Clean Water, Gas, Telecommunications, Transportation.

  • Defense: Ministry of Defense, Military Contractors, Military Logistics Facilities, Force Deployment Support Systems.

  • Government: Administrative agencies, Strategic Research Organizations, National Infrastructure Management Agency.

  • Technology and Telecommunications: ISPs, Internet Service Providers, Data Centers, Network Management Systems.

Event Timeline

December 2023: Lumen Black Lotus Labs publicly disclosed the KV Botnet, consisting of two distinct components: the KV cluster, responsible for covert traffic relaying and proxy operations, and the JDY cluster, dedicated to large-scale reconnaissance and Internet scanning. The infrastructure was linked to activities associated with Volt Typhoon targeting U.S. critical infrastructure.

January 2024: The FBI and U.S. Department of Justice conducted a court-authorized disruption operation against the KV cluster. Following the takedown, the JDY cluster remained active but dropped to its lowest observed size of approximately 650 compromised devices.

January–December 2024: JDY quietly rebuilt its infrastructure and expanded its operational footprint. The botnet broadened its targeting scope beyond Cisco RV320/RV325 routers, incorporating a wider range of SOHO and edge devices from multiple vendors.

Q1–Q2 2026: JDY grew to more than 1,500 compromised devices globally. Researchers observed increased targeting of products from Araknis Networks, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, demonstrating a significant diversification of its victim ecosystem.

April 5, 2026: CVE-2026-35616, a critical vulnerability affecting Fortinet products, was publicly disclosed. Black Lotus Labs observed JDY initiating reconnaissance and scanning activity against potentially vulnerable Fortinet devices on the same day, highlighting its rapid response capability to newly published vulnerabilities.

June 10, 2026: Lumen Black Lotus Labs released a comprehensive technical report detailing JDY's infrastructure, malware functionality, command-and-control architecture, reconnaissance techniques, and targeting patterns.

June 11, 2026: Major cybersecurity media outlets, including The Hacker News and Security Affairs, published analyses covering JDY's expansion, its relationship to Volt Typhoon, and its role in large-scale vulnerability reconnaissance operations.

Attack chain

JDY is not a direct attack botnet — it is a specialized reconnaissance layer serving downstream exploitation. Each stage is designed to maximize the data collected while minimizing the footprint left behind.

Three technical points are especially worth noting:

  1. Self-deleting dropper: After downloading and launching the payload, the dropper automatically deletes the binary. There's nothing to be found after the malware has run.

  2. Detection rules on demand: When receiving commands from C2, JDY downloads custom detection signatures — not blind scanning, but identifying and validating specific services by behavioral characteristics, port, and response pattern.

  3. Geofencing bypass by design: By dispersing scanning across thousands of IPs belonging to legitimate US SOHO/IoT networks, the botnet naturally bypasses IP reputation blacklists, geofencing rules, and static blocklists — because the traffic looks exactly like real users.

Technical details

Overall architecture

Analysis by Black Lotus Labs shows that JDY does not operate as a traditional DDoS botnet but is designed as a distributed network reconnaissance platform (Distributed Reconnaissance Platform).

JDY's architecture includes three main components:

  1. Bot Layer
    The bot layer consists of compromised SOHO and IoT devices:

    • Router

    • Firewall

    • VPN Gateway

    • IP cameras

    • NAS devices

    • Small business network equipment

    After being hijacked, these devices become distributed scanner nodes on the Internet.

  2. Command and Control Layer
    The C2 system uses multiple layers of intermediaries to reduce the risk of takedown.

    Notable features:

    • Communicate over HTTPS

    • JSON-based protocol

    • Tor Hidden Services

    • Infrastructure is distributed across many geographical areas

    Using Tor helps hide the physical location of the control server and makes sinkhole or takedown operations difficult.

  3. Aggregation & Analytics Layer
    This is the most important component of JDY.

    All data collected from thousands of bots is centralized on analytics servers in order to:

    • Merge scan data

    • Eliminate duplicate data

    • Build inventory of Internet-facing assets

    • Identify systems vulnerable to exploitation

    The final results are passed on to exploitation campaigns or related APT groups.

Operational process

Stage 1: Initial Registration

After successful infection, the bot sends identification information to C2.

Information includes:

  • OS Type: Identify the operating system running on the compromised device

  • Architecture: Determine the CPU architecture (e.g., x86, x64, ARM, MIPS)

  • Uptime: Assess device stability and operational reliability

  • Memory Size: Evaluate available system resources and execution capacity

  • Malware Version: Track and manage bot malware versions deployed across the botnet

  • Public IP Address: Determine the device's external network location and geographic distribution

Collecting this information lets the system assign tasks that suit each bot.

Stage 2: Task Distribution

After successful registration, the bot receives tasks from C2.

A scan task typically includes:

{
  "targets": [
      "203.0.113.0/24",
      "198.51.100.0/24"
  ],
  "ports": [80,443,8443],
  "protocols": ["HTTP","HTTPS"],
  "fingerprinting": true,
  "tls_collection": true
}

Tasks can be continuously updated based on:

  • Newly announced CVEs

  • APT campaigns currently underway

  • Priority target lists

Network scanning techniques

SYN Scan

If the bot has the privileges needed to open raw sockets, JDY performs a SYN scan similar to Nmap's.

Advantages:

  • The TCP handshake is never completed

  • Less logging on the target device

  • Higher scanning speed

This helps JDY maintain a higher level of stealth than conventional scanning tools.

TCP Connect Scan

When raw sockets cannot be used, JDY falls back to a full TCP connect scan.

This method creates more footprint but ensures compatibility on IoT devices with limited capabilities.

Banner Grabbing

After determining the open port, JDY conducts fingerprinting.

For example:

HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4

Information collected:

  • Web Server

  • Version

  • Framework

  • Reverse Proxy

  • CDN Information

  • Application Stack

This data is used to determine the likelihood that known vulnerabilities exist.

TLS Fingerprinting

One of JDY's standout capabilities is TLS data collection.

Information collected includes:

  • TLS Version: Identify the security configuration and supported TLS protocol version

  • Cipher Suite: Fingerprint and classify devices, applications, or services

  • Certificate Subject: Identify the organization, domain, or service associated with the certificate

  • Subject Alternative Name (SAN): Enumerate hostnames and additional domains covered by the certificate

  • Certificate Issuer: Determine the Certificate Authority (CA) that issued the certificate

  • Expiration Date: Assess certificate validity status and expiration timeline

For example:

TLS 1.2
CN=vpn.company.com
Issuer=DigiCert

Through digital certificates, JDY can identify:

  • Internal domain names

  • VPN systems

  • Remote access portals

  • Management devices

HTTP Redirect Analysis

JDY not only collects banners but also tracks redirect chains.

For example:

http://target
    ↓
https://vpn.company.com
    ↓
Fortinet SSL VPN Portal

This information helps:

  • Identify security devices

  • Product classification

  • Identify the VPN system

Target classification

After data is sent to the central server, the system conducts classification.

Step 1: Asset Classification

Determine:

  • Firewall

  • Router

  • VPN Gateway

  • Camera

  • NAS

  • ICS Device

Step 2: Product Fingerprinting

For example:

FortiGate
Cisco IOS XE
DrayTek Vigor
Hikvision Camera

Step 3: Vulnerability Matching

Matching pipeline:

Product Version
        ↓
Known CVEs
        ↓
Risk Score

Devices with potential vulnerabilities will be placed on the priority list.

Technical review

JDY is a highly automated reconnaissance-as-a-service platform designed to shorten the time between vulnerability disclosure and target discovery. Unlike traditional DDoS botnets, JDY's value lies in its ability to build a real-time Internet-facing assets database, supporting large-scale cyber espionage and exploitation campaigns. With over 1,500 controlled devices and in-depth TLS data collection, banner and fingerprinting capabilities, JDY is currently considered one of the most notable cyber reconnaissance platforms involved in APT activities originating from China.

Targeted devices

Vendors/Models confirmed to be infected or targeted by JDY:

  • Cisco RV320, RV325

  • Ubiquiti UniFi series

  • Draytek Vigor series

  • Hikvision IP cameras / NVR

  • Linksys WRT/EA series

  • Araknis Networks AN series

  • Mimosa Networks wireless equipment

Vulnerabilities Exploited/Targeted

MITRE ATT&CK Mapping

Each entry lists the phase, technique ID and name, and the corresponding JDY activity:

  • Reconnaissance, T1595 (Active Scanning): Conducts large-scale SYN scanning and TLS fingerprinting across Internet-facing systems

  • Reconnaissance, T1595.001 (Scanning IP Blocks): Scans IP ranges associated with U.S. military, government, and critical infrastructure networks

  • Reconnaissance, T1590 (Gather Victim Network Information): Collects service banners, SSL/TLS certificates, and protocol metadata from exposed services

  • Reconnaissance, T1590.004 (Gather Victim Network Information: Network Topology): Maps exposed services and network infrastructure to support downstream exploitation activities

  • Resource Development, T1584.005 (Compromise Infrastructure: Botnet): Compromises SOHO and IoT devices to build a distributed reconnaissance and proxy network

  • Command and Control, T1090.003 (Proxy: Multi-hop Proxy): Utilizes Tor hidden services and intermediary nodes to conceal C2 infrastructure

  • Command and Control, T1071.001 (Application Layer Protocol: Web Protocols): Uses HTTPS-based communications for bot registration, tasking, and result submission

  • Defense Evasion, T1070.004 (Indicator Removal on Host: File Deletion): Dropper components may remove themselves after execution to reduce forensic artifacts

  • Defense Evasion, T1036 (Masquerading): Blends reconnaissance traffic with legitimate SOHO and residential network traffic patterns

  • Defense Evasion, T1562.001 (Impair Defenses: Disable or Modify Security Tools): Evades IP reputation systems and geofencing controls by leveraging compromised U.S.-based SOHO devices as scanning nodes


Expert Comments

Takedown Is Not the End — Resilience By Design

The FBI takedown of KV-botnet in early 2024 is considered successful. But JDY's story proves that disruption of a cluster does not eliminate capability. Volt Typhoon (or related threat actor) designed the KV-botnet with a distributed architecture: when the KV cluster is taken down, the JDY cluster remains alive and continues to accumulate.

This is not the first time we have seen this pattern. Emotet, TrickBot, Qakbot — all show that botnets are capable of regenerating after disruption when the infrastructure is not completely taken down. The difference with JDY is patience: it doesn't rush, doesn't make noise, just quietly collects for 2 years.

Reconnaissance-First: Paradigm Changes In APT Operations

Traditionally, we think of APT = intrusion → lateral movement → exfiltration. JDY raises another question: if you have a detailed map of all your adversaries' exposed services — updated continuously, daily — how quick is the "initial access" step?

CVE-2026-35616 case study answers that question: within hours of disclosure, JDY knew exactly which organizations were unpatched. When the exploit tool is ready, the target list has been prepared. This is assembly-line exploitation — industrialized, not opportunistic.

Risks for Vietnam and ASEAN

Although current targeting prioritizes US military networks, the analyst team sees some notable signals for the region:

  • Geographic distribution of bots includes Asia: this means that SOHO/IoT in Vietnam and ASEAN countries may already be in a botnet, not the main target but a tool used to attack others.

  • Popular devices in Vietnam: Hikvision IP cameras, Linksys routers — are all on the list targeted by JDY. The possibility of infection in Vietnam is real, not theoretical.

  • Precedent from Volt Typhoon: This group has a history of targeting critical infrastructure. If the pattern expands to ASEAN — especially in the current geopolitical context — important infrastructure organizations in Vietnam need to be placed in the threat model.

Visibility Issue

Most organizations in Vietnam — including enterprises — have zero visibility at the SOHO/IoT layer. Remote workers' routers, office security cameras, factory IoT devices: these devices are often not within the scope of security monitoring. JDY shows that this is exactly where the attacker is building a foothold.

Expert Recommendations

Immediate (0–24 hours)

Inventory SOHO/IoT devices now

  • Scan internal network to detect running SOHO/IoT devices

  • Prioritize vendors: Ubiquiti, Draytek, Hikvision, Linksys, Araknis, Mimosa, Cisco RV series

    • nmap -sV -p 80,443,8080,8443,23,22,8888 --script http-title,banner -oX soho_iot_inventory.xml <internal_subnet>

Verify which devices are exposed to the internet

  • Check external exposure

    • nmap -sV <public_ip_range> -p 80,443,8080,8443,22,23,8888
  • Or use Shodan/Censys with org filter

Patch CVE-2026-35616 immediately on Fortinet
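As an added example (not from the post or from Black Lotus Labs), here is a small Python script that reads the XML the nmap command above writes (-oX soho_iot_inventory.xml) and flags open ports whose service banner or http-title names one of the priority vendors listed above. The XML sample is constructed, and the substring matching is the defender-side counterpart of the banner-based product fingerprinting described under Target classification: you find the assets before the botnet does.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape "nmap -sV --script http-title,banner -oX" writes.
# Not real scan output: three hosts, two of them from the post's priority-vendor list.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="192.168.10.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/>
   <service name="https" product="DrayTek Vigor router http config"/>
   <script id="http-title" output="Vigor 2927 Login"/></port></ports></host>
 <host><address addr="192.168.10.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="Hikvision IP camera httpd"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
 <host><address addr="192.168.10.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="8.9"/></port></ports></host>
</nmaprun>"""

# Vendors the post tells you to prioritise, matched as lower-case substrings of
# the service product/version strings and the http-title script output.
PRIORITY_VENDORS = ("ubiquiti", "draytek", "hikvision", "linksys",
                    "araknis", "mimosa", "cisco rv")


def evidence_for_port(port):
    """Join every banner-like string nmap attached to one <port> element."""
    parts = []
    svc = port.find("service")
    if svc is not None:
        parts += [svc.get("product", ""), svc.get("version", "")]
    parts += [s.get("output", "") for s in port.findall("script")]
    return " ".join(p for p in parts if p)


def flag_priority_assets(nmap_xml):
    """Return (ip, port, vendor, evidence) for each open port whose banner or page
    title names a priority vendor; closed ports and hosts without IPv4 are skipped."""
    findings = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            evidence = evidence_for_port(port)
            vendor = next((v for v in PRIORITY_VENDORS if v in evidence.lower()), None)
            if vendor:
                findings.append((addr.get("addr"), int(port.get("portid")), vendor, evidence))
    return findings


if __name__ == "__main__":
    for ip, port, vendor, evidence in flag_priority_assets(SAMPLE_NMAP_XML):
        print(f"{ip}:{port}\t{vendor}\t{evidence}")
```

Replace SAMPLE_NMAP_XML with the contents of the real inventory file to run it against your own scan.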

Short-term (1–7 days)

Implement network segmentation for IoT

  • Private VLAN for SOHO/IoT devices

  • Firewall rules: IoT VLAN is only allowed to go to the internet, not access corporate network

  • Block outbound Tor from corporate and IoT networks

  • Block TCP ports 9050, 9150 and 443 to known Tor exit nodes

Enable logging and monitoring for edge devices

Detection rule for SIEM (Splunk SPL; adapt the field names for Elastic):

index=network sourcetype=firewall (dest_port=9050 OR dest_port=9150)
| stats count by src_ip, dest_ip, dest_port
| where count > 10

Hits indicate outbound Tor from an internal device and should be treated as suspected C2.

Detect abnormal SYN scan behavior from an internal device (the hour bucket must be created with bin before stats can group by it):

index=network sourcetype=firewall action=allow
| bin _time span=1h
| stats dc(dest_ip) as unique_dests by src_ip, _time
| where unique_dests > 500

Hits indicate high-rate scanning from an internal host and should be treated as a suspected botnet node.
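The same two rules expressed as standalone Python over constructed firewall log lines, added here as an example (not part of the original post) so the logic can be checked before it is ported to a SIEM; the key=value log format and the host addresses are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed firewall log lines (not real telemetry) in a key=value shape; the
# two comprehensions below synthesise a Tor-port burst and a scanning burst from
# one internal host, 10.0.0.42, so that both rules from the post fire on it.
BASE_LOGS = [
    "2026-04-05T10:00:01Z action=allow src_ip=10.0.0.7 dest_ip=198.51.100.20 dest_port=443",
    "2026-04-05T10:00:05Z action=allow src_ip=10.0.0.7 dest_ip=198.51.100.21 dest_port=443",
    "2026-04-05T10:01:00Z action=deny src_ip=10.0.0.9 dest_ip=203.0.113.5 dest_port=9050",
]
# 12 hits from one device to one endpoint on 9050: exceeds the post's count > 10
TOR_LOGS = [f"2026-04-05T10:00:{i:02d}Z action=allow src_ip=10.0.0.42 "
            f"dest_ip=203.0.113.9 dest_port=9050" for i in range(12)]
# 600 distinct destinations inside the 11:00 hour: exceeds the post's > 500
SCAN_LOGS = [f"2026-04-05T11:{i // 60:02d}:{i % 60:02d}Z action=allow src_ip=10.0.0.42 "
             f"dest_ip=203.0.{i // 256}.{i % 256} dest_port=443" for i in range(600)]
TOR_PORTS = {"9050", "9150"}


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; _time becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def outbound_tor(lines, min_count=10):
    """Rule 1: (src_ip, dest_ip, dest_port) triples with more than min_count
    connections to a Tor SOCKS port, regardless of firewall action."""
    counts = Counter()
    for f in map(parse_line, lines):
        if f["dest_port"] in TOR_PORTS:
            counts[(f["src_ip"], f["dest_ip"], f["dest_port"])] += 1
    return {k: v for k, v in counts.items() if v > min_count}


def high_rate_scanners(lines, max_unique=500):
    """Rule 2: per src_ip and per 1-hour bin, the number of distinct dest_ip
    values over allowed flows, keeping only bins above max_unique."""
    dests = defaultdict(set)
    for f in map(parse_line, lines):
        if f["action"] != "allow":
            continue
        hour = f["_time"].replace(minute=0, second=0)
        dests[(f["src_ip"], hour)].add(f["dest_ip"])
    return {k: len(v) for k, v in dests.items() if len(v) > max_unique}


if __name__ == "__main__":
    logs = BASE_LOGS + TOR_LOGS + SCAN_LOGS
    print("outbound Tor:", outbound_tor(logs))
    print("high-rate scanners:", high_rate_scanners(logs))
```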

Password reset and firmware update throughout SOHO/IoT

  • Change default credentials

  • Disable remote management if not needed

  • Update firmware to the latest version

  • Disable UPnP

Long-term

Deploy continuous asset discovery:

  • Integrate IoT/OT devices into asset inventory platform (Axonius, Armis, or equivalent)

  • Scheduled periodic scanning to detect new unauthorized devices

Threat Intelligence Feed about China-nexus TTPs:

  • Subscribe Lumen Black Lotus Labs feed

  • Follow CISA Advisories on Volt Typhoon, Salt Typhoon

  • Integrate IOC feed into SIEM/firewall automatically

Re-evaluate Remote Work Security Policy:

  • Remote workers' SOHO devices risk expanding the attack surface of the corporate network

  • Consider Zero Trust Access instead of traditional VPN to reduce the risk of compromise from uncontrolled devices

Reference

China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance

Expanded JDY IoT and SOHO botnet enables rapid vulnerability exploitation

JDY Botnet Evolves After KV Takedown, Targets Military Networks

China-linked JDY botnet expands targeting of U.S. military networks
