JDY botnet tops 1,500 devices used for covert scans

JDY controls more than 1,500 SOHO and IoT devices and runs targeted reconnaissance and service fingerprinting for Chinese state-linked actors.

Lumen’s Black Lotus Labs reported that the JDY botnet has expanded to over 1,500 compromised small-office and home-office (SOHO) and Internet of Things (IoT) devices. Researchers traced JDY to a cluster inside the KV-botnet in December 2023 and say it became an independent reconnaissance network after a disruption of KV in early 2024.

The botnet grew from about 650 infected nodes in January 2024 to more than 1,500 devices by the time of the report. Most compromised endpoints are in the United States and Brazil, with additional infections in Europe and Asia.

Device types in the JDY network have diversified. Where the cluster once centered on Cisco RV320 and RV325 routers, infected hardware now includes Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision and Linksys equipment.

Operators use Tor nodes to manage command-and-control and payload infrastructure. Command servers instruct bots to perform targeted system profiling and service scans. Scan results, including TLS certificates and connection metadata, are sent to central servers for intelligence and follow-up targeting.

The attackers exploit recently disclosed edge-device vulnerabilities to install a shell-script dropper. The dropper checks whether the scanner is already present, then downloads a payload matched to the device processor (mips, mips64, mipsel, mipsel64). After launching the payload, the installer is removed from disk.

The JDY scanning module can perform high-volume TCP, SSL, UDP and ICMP probing and capture responses for fingerprinting. The scanner adjusts its method to the privileges available on the host: if raw sockets are available, it runs high-speed SYN scans with custom TCP packets; if not, it falls back to standard TCP/TLS connections or uses UDP and ICMP for web service and other scans.
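As an added illustration (not from the Black Lotus Labs report), the following Python shows how a defender could flag this behaviour in flow records exported from the network edge: a device emitting a flood of tiny, SYN-only flows to many hosts (the raw-socket path) versus one mixing UDP and ICMP probes (the unprivileged fallback). The flow fields, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """One flow record exported by the perimeter (field names are assumptions)."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # 0 for icmp
    flags: str      # TCP flags as a string, "S" = SYN only; "" for non-TCP
    bytes_out: int  # bytes sent by src in this flow

def classify_sources(flows, min_targets=50, max_avg_bytes=120):
    """Return {src: reason} for sources whose flows look like reconnaissance.
    Distinguishes raw-socket SYN scans (nearly all flows are bare SYNs) from the
    unprivileged fallback mixing UDP/ICMP. Thresholds are constructed, not from the report.
    """
    targets, protos = defaultdict(set), defaultdict(set)
    syn_only, total_bytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        targets[f.src].add((f.dst, f.proto, f.dport))
        protos[f.src].add(f.proto)
        total_bytes[f.src] += f.bytes_out
        count[f.src] += 1
        if f.proto == "tcp" and f.flags == "S":
            syn_only[f.src] += 1
    verdicts = {}
    for src, tset in targets.items():
        fanout, avg_bytes = len(tset), total_bytes[src] / count[src]
        if fanout < min_targets or avg_bytes > max_avg_bytes:
            continue  # few targets or real data transfer: not scanning
        if syn_only[src] / count[src] >= 0.8:
            verdicts[src] = f"raw-socket SYN scan: {fanout} targets, {syn_only[src]} SYN-only flows"
        elif len(protos[src]) >= 2:
            verdicts[src] = f"multi-protocol probing ({', '.join(sorted(protos[src]))}): {fanout} targets"
    return verdicts

def sample_flows():
    """Constructed flows: a SYN-scanning router, an NVR doing UDP/ICMP probes, a normal laptop."""
    flows = [Flow("192.0.2.10", f"198.51.100.{i}", "tcp", 443, "S", 60) for i in range(200)]
    for i in range(60):  # unprivileged fallback: UDP/161 and ICMP echo to 60 hosts
        flows.append(Flow("192.0.2.20", f"203.0.113.{i}", "udp", 161, "", 80))
        flows.append(Flow("192.0.2.20", f"203.0.113.{i}", "icmp", 0, "", 64))
    for i in range(5):   # ordinary browsing: few peers, full handshakes, large transfers
        flows.append(Flow("192.0.2.30", f"198.51.100.{i}", "tcp", 443, "SA", 50_000))
    return flows

if __name__ == "__main__":
    print(classify_sources(sample_flows()))
```

Only the router and the NVR are reported; the laptop's handful of large, completed connections falls below the fan-out threshold.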

Black Lotus Labs reported that JDY appears to feed structured reconnaissance data into a broader scanning ecosystem used by multiple actors, including Chinese state-linked groups such as Volt Typhoon. The wide distribution of U.S.-based SOHO and IoT IP addresses helps the operators avoid geofencing, IP-reputation blocks and static blocklists by blending scanning traffic with normal user traffic.

The report describes JDY as a reconnaissance capability rather than a direct exploitation toolkit. Its outputs are likely used for asset discovery and vulnerability-targeting pipelines that support downstream exploitation or attack orchestration. The researchers noted that disrupting individual nodes or clusters has not removed the underlying capability.