The JDY botnet, a malware network linked to Chinese threat actors, has substantially increased its reach and activity, focusing heavily on US military and associated networks. Researchers at Black Lotus Labs by Lumen report that the botnet’s compromised devices have more than doubled this year, rising from around 650 in January to over 1,500 compromised IoT and small office/home office (SOHO) devices.
Unlike other botnets used primarily for distributed denial-of-service attacks or mass exploitation, JDY functions as a distributed reconnaissance tool. It scans networks to identify vulnerable systems shortly after new security flaws are made public. This rapid fingerprinting allows its operators to quickly operationalize targets, mainly within sensitive and strategic sectors.
The range of devices infiltrated by JDY includes routers and network equipment from manufacturers such as Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys. These devices run on various architectures, including MIPS and its variants. JDY is particularly quick to exploit the latest vulnerabilities; scans have been reported targeting flaws such as CVE-2026-35616, recently disclosed by Fortinet.
Management and control of the botnet are maintained through Tor hidden (onion) services functioning as command-and-control (C2) nodes. Additionally, operators sometimes use the open-source Platypus framework for reverse shell and host management tasks, enhancing the botnet’s operational capacity.
The botnet operates by registering with a central dispatch service that assigns scanning tasks. It then executes these scans, compresses the resulting data, and sends it back to the C2 infrastructure. Its reconnaissance techniques include TCP, UDP, and SSL/TLS scanning, ICMP probing, banner grabbing, and TLS certificate harvesting, all guided by dynamic rule sets designed to fingerprint services accurately.
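The scan-and-fingerprint behaviour described above leaves a recognisable footprint in flow telemetry: one source opening many short, low-volume connections across many hosts or ports (banner grabs and TLS handshakes that never carry application data). The detector below is an added example, not code from the report or from Black Lotus Labs; the flow records, thresholds and field names are constructed assumptions for illustration.

```python
"""Flag scanner-like fan-out in flow records (added example, not from the report).

Heuristic: a source that touches many distinct (host, port) targets with mostly
short, low-byte flows looks like reconnaissance rather than normal client use.
All flows below are constructed sample data; thresholds are tunable assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    bytes_in: int     # bytes sent by the source to the destination
    bytes_out: int    # bytes returned to the source
    duration_ms: int


# Constructed sample flows: one source sweeps 12 hosts on 443 (TLS cert
# harvesting pattern) and probes 6 ports on one host; another source is an
# ordinary client with two long, data-heavy HTTPS sessions.
SAMPLE_FLOWS = [
    *[Flow("203.0.113.7", f"198.51.100.{i}", 443, "tcp", 517, 1400, 80)
      for i in range(1, 13)],
    *[Flow("203.0.113.7", "198.51.100.5", p, "tcp", 60, 120, 30)
      for p in (21, 22, 23, 80, 8080, 8443)],
    Flow("192.0.2.10", "198.51.100.5", 443, "tcp", 4800, 91000, 2100),
    Flow("192.0.2.10", "198.51.100.6", 443, "tcp", 5100, 120000, 3400),
]


def scan_candidates(flows, min_targets=8, max_bytes=2048, max_ms=200, min_ratio=0.8):
    """Return {src: summary} for sources whose fan-out and flow profile resemble
    scanning: >= min_targets distinct (dst, port) pairs, with at least min_ratio
    of flows both small (<= max_bytes total) and short (<= max_ms)."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)
    hits = {}
    for src, fl in per_src.items():
        targets = {(f.dst, f.dport) for f in fl}
        short = [f for f in fl
                 if f.bytes_in + f.bytes_out <= max_bytes and f.duration_ms <= max_ms]
        ratio = len(short) / len(fl)
        if len(targets) >= min_targets and ratio >= min_ratio:
            hits[src] = {"targets": len(targets),
                         "distinct_hosts": len({f.dst for f in fl}),
                         "distinct_ports": len({f.dport for f in fl}),
                         "short_flow_ratio": round(ratio, 2)}
    return hits
```

Running `scan_candidates(SAMPLE_FLOWS)` flags only the sweeping source; the thresholds should be tuned against a baseline of the monitored network's normal fan-out before use in alerting.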
This targeted approach underlines the botnet’s strategic value as a tool for advanced persistent threat (APT) actors associated with China, who prioritize rapid exploitation of newly disclosed vulnerabilities to infiltrate military and critical infrastructure networks.