JDY botnet grows to 1,500 devices, scans US homes and military

The JDY botnet now controls about 1,500 SOHO, edge and IoT devices in the US, Europe and Asia. State-linked actors including Volt Typhoon use it to scan homes, military networks and unpatched routers.

Lumen’s Black Lotus Labs reported that the JDY botnet has expanded to roughly 1,500 compromised small office and home office (SOHO), edge and IoT devices across the United States, Europe and Asia. The network has approximately doubled in size since it was first identified in 2023 and is being used by state-linked actors to scan for exposed services and vulnerable equipment.

JDY was first detected during an investigation into the KV botnet in 2023. KV carried covert data transfer functions and was taken down by US authorities last year; JDY remained active as a distributed scanner after that takedown. Black Lotus Labs said devices in the United States make up the largest share of JDY infections and that US military networks are among those probed by the botnet.

Researchers found the operators moved from targeting two Cisco router models to compromising a wider variety of routers, cameras and other edge devices from multiple manufacturers. The attackers search for specific device models with known vulnerabilities rather than scanning indiscriminately. Black Lotus Labs recorded a sharp rise in scans of Fortinet equipment shortly after disclosure of a new vulnerability, consistent with attempts to find exploitable systems before patches were applied.

Using SOHO and IoT devices makes scanning traffic harder to distinguish from normal user activity and reduces the effectiveness of defenses based on IP reputation, geofencing or static blocklists. The distributed footprint lets operators fingerprint infrastructure and identify targets across networks while scattering the origin of scanning traffic.

Gabrielle Hempel, a security operations strategist at Exabeam, warned that established access provides options for later activity: “Persistent access provides intelligence collection opportunities today and potential disruption options tomorrow.” Hempel noted attackers focus on poorly maintained edge devices and slow patching rather than relying on rare zero-day flaws.

Black Lotus Labs advised organizations to install patches and security updates on routers, firewalls and IoT devices, reboot equipment regularly, and consider architectures such as Secure Access Service Edge (SASE) to reduce exposure. The lab also recommended following national security advisories and vendor guidance related to Volt Typhoon and other China-linked activity.

Security practitioners and Black Lotus Labs described JDY as a tool for reconnaissance and long-term access rather than immediate data theft. They urged network and security teams to maintain edge infrastructure and to use detection methods beyond simple IP-based blocking to find and disrupt distributed scanning campaigns.
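The two points above, that residential and IoT sources defeat IP reputation and per-source blocking, and that defenders therefore need detection that looks past individual addresses, can be illustrated with a small log-analysis routine. The following is an added example, not code from the article or from Black Lotus Labs: it parses constructed gateway log lines and flags a target path when many distinct low-volume sources probe it with mostly error responses inside one window. The log format, the path names, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Spot distributed, low-and-slow probing that per-IP blocking never sees.

Added example for the article above; it is not the article's or Black Lotus
Labs' code. The log format, paths, addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    path: str
    status: int


# Constructed sample log: "timestamp src_ip dst_ip path http_status".
# Lines starting with '#' are comments for the reader and are skipped.
SAMPLE_LOG = """\
# ordinary traffic: one user logs in twice, another once
2024-05-01T10:00:01 203.0.113.10 198.51.100.5 /login 200
2024-05-01T10:00:04 203.0.113.10 198.51.100.5 /login 200
2024-05-01T10:00:09 203.0.113.11 198.51.100.5 /login 200
# distributed probing: six different sources, one request each, for a
# device-specific path (placeholder name) that does not exist on this host
2024-05-01T10:01:09 192.0.2.14 198.51.100.5 /cgi-bin/example-model-probe 404
2024-05-01T10:02:40 192.0.2.77 198.51.100.5 /cgi-bin/example-model-probe 404
2024-05-01T10:04:03 198.51.100.200 198.51.100.5 /cgi-bin/example-model-probe 404
2024-05-01T10:05:55 203.0.113.99 198.51.100.5 /cgi-bin/example-model-probe 401
2024-05-01T10:07:12 192.0.2.150 198.51.100.5 /cgi-bin/example-model-probe 404
2024-05-01T10:09:30 192.0.2.151 198.51.100.5 /cgi-bin/example-model-probe 404
# one noisy source hitting many paths: a per-IP rate limit already catches this
2024-05-01T10:10:00 203.0.113.250 198.51.100.5 /a 404
2024-05-01T10:10:01 203.0.113.250 198.51.100.5 /b 404
2024-05-01T10:10:02 203.0.113.250 198.51.100.5 /c 404
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log format into Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, path, status = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, path, int(status)))
    return events


def find_distributed_probes(events: list[Event],
                            window: timedelta = timedelta(minutes=15),
                            min_sources: int = 5,
                            max_per_source: int = 2,
                            min_error_rate: float = 0.8) -> dict[str, list[str]]:
    """Return {path: sorted source IPs} for every path that, within some
    window, was requested by at least `min_sources` distinct addresses, none
    of which sent more than `max_per_source` requests, and where at least
    `min_error_rate` of the responses were errors (status >= 400).

    Each individual source stays under any per-IP rate limit and is unlikely
    to be on a reputation list, so the signal lives in the aggregate per
    target path, not in any one address.
    """
    by_path: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_path[e.path].append(e)

    findings: dict[str, list[str]] = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e.ts)
        # Slide a window anchored at each event; stop at the first match.
        for i, start in enumerate(evs):
            window_evs = [e for e in evs[i:] if e.ts - start.ts <= window]
            per_src: dict[str, int] = defaultdict(int)
            for e in window_evs:
                per_src[e.src] += 1
            errors = sum(1 for e in window_evs if e.status >= 400)
            if (len(per_src) >= min_sources
                    and max(per_src.values()) <= max_per_source
                    and errors / len(window_evs) >= min_error_rate):
                findings[path] = sorted(per_src)
                break
    return findings


if __name__ == "__main__":
    for path, sources in find_distributed_probes(parse_log(SAMPLE_LOG)).items():
        print(f"{path}: probed by {len(sources)} distinct low-volume sources")
```

On the constructed sample, only `/cgi-bin/example-model-probe` is reported: the six sources hit it once each, so a per-IP threshold of two requests never fires, while the single noisy address on `/a`, `/b` and `/c` is the case existing rate limits already handle. Grouping by target path (or by destination and path on a gateway fronting several hosts) is what exposes the campaign; the thresholds should be tuned to the site's normal 404 rate before alerting on them.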
