EXECUTIVE SUMMARY
The JDY botnet is operated by a China-nexus advanced persistent threat group that has previously been linked to the Volt Typhoon campaign. It is a large-scale reconnaissance network that co-opts small-office/home-office (SOHO) and Internet-of-Things (IoT) devices to conduct automated scanning. The infrastructure spans the United States, Europe and Asia, with the heaviest concentration of compromised devices in the United States. The actors focus on military-related networks and critical-infrastructure sectors, using the collected service fingerprints to exploit newly disclosed vulnerabilities rapidly.
Compromised SOHO routers, firewalls and IoT cameras are initially infected through default credentials or unpatched firmware, allowing the malware to establish a persistent foothold. Once active, each device runs a lightweight scanning engine that probes TCP, UDP, SSL/TLS and ICMP services, collects service banners and TLS certificates, and reports structured results to a command-and-control (C2) server. C2 traffic is routed through anonymising relays (external proxies), masking the true origin of the traffic. The C2 periodically pushes new scanning tasks, enabling the botnet to pivot quickly toward fresh vulnerability disclosures and maintain continuous reconnaissance coverage.
The JDY botnet matters because its distributed design blends malicious scanning into legitimate home-user traffic: the probes arrive from thousands of ordinary residential addresses, so blocking individual source IPs is ineffective and per-source detections are easily missed. Its use of anonymised channels and low-profile payloads hampers incident response, while the rapid turnaround from disclosure to exploitation shortens the window for patching exposed assets. Organisations should enforce strong, non-default authentication on all edge devices, apply firmware updates promptly, and isolate IoT segments from core networks. Continuous monitoring for unusual scanning patterns, coupled with robust backups and endpoint protection, reduces the risk of compromise and limits impact.
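The scanning behaviour described above and the monitoring recommendation that follows from it can be illustrated with a small detector. The script below is an added example, not code from the Lumen report or from the botnet itself: it reads a constructed connection log (RFC 5737 documentation addresses, not real telemetry) and contrasts the classic per-source fan-out rule, which catches a single noisy scanner, with a per-destination aggregation that catches a distributed sweep in which no individual source exceeds any threshold. The window size and counts are illustrative assumptions and should be tuned to the environment.

```python
"""Flag distributed, low-rate service scanning in connection logs.

Added example; the flow records below are constructed (RFC 5737 documentation
addresses) and the thresholds are illustrative assumptions, not values from the
Lumen report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log() -> str:
    """Constructed flow log: 'timestamp src dst dport proto', one record per line."""
    lines = []
    # (1) A single noisy scanner sweeping 25 ports on 203.0.113.5: the classic
    #     per-source fan-out that an IP block or rate threshold would catch.
    for i, port in enumerate(range(20, 45)):
        lines.append(f"2024-05-01T10:00:{i:02d}Z 198.51.100.10 203.0.113.5 {port} tcp")
    # (2) A distributed sweep of 203.0.113.6: twelve 'residential' sources, each
    #     probing one or two ports, that together cover sixteen services in
    #     under three minutes. No single source looks abnormal on its own.
    sweep_ports = [21, 22, 23, 80, 443, 445, 502, 1883, 3389, 5900,
                   8080, 8443, 8883, 9200, 10000, 37777]
    for i, port in enumerate(sweep_ports):
        src = f"192.0.2.{(i % 12) + 1}"
        lines.append(f"2024-05-01T10:0{i // 6}:{(i * 7) % 60:02d}Z {src} 203.0.113.6 {port} tcp")
    # (3) Benign traffic: three clients repeatedly using HTTPS on 203.0.113.7.
    for i in range(30):
        src = f"192.0.2.{100 + (i % 3)}"
        lines.append(f"2024-05-01T10:{i // 2:02d}:{(i % 2) * 30:02d}Z {src} 203.0.113.7 443 tcp")
    return "\n".join(lines)


def parse_flows(text: str) -> list[dict]:
    """Parse the whitespace-separated records into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def per_source_scanners(flows: list[dict], min_targets: int = 20) -> set[str]:
    """Classic rule: one source touching many distinct (host, port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f["src"]].add((f["dst"], f["dport"]))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def distributed_scans(flows: list[dict], window: timedelta = timedelta(minutes=10),
                      min_sources: int = 8, min_ports: int = 10,
                      max_ports_per_source: int = 2) -> dict[str, dict]:
    """Aggregate by destination instead of source: within one time window, many
    distinct sources each touching few ports but jointly covering many ports."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f["dst"]].append(f)
    hits = {}
    for dst, records in by_dst.items():
        records.sort(key=lambda f: f["ts"])
        for i, start in enumerate(records):
            end = start["ts"] + window
            ports_by_src = defaultdict(set)
            for f in records[i:]:
                if f["ts"] > end:
                    break
                ports_by_src[f["src"]].add(f["dport"])
            all_ports = set().union(*ports_by_src.values())
            if (len(ports_by_src) >= min_sources and len(all_ports) >= min_ports
                    and median(len(p) for p in ports_by_src.values()) <= max_ports_per_source):
                hits[dst] = {"window_start": start["ts"], "sources": len(ports_by_src),
                             "ports": sorted(all_ports)}
                break  # first qualifying window is enough to raise the alert
    return hits


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("per-source scanners:", per_source_scanners(flows))
    for dst, info in distributed_scans(flows).items():
        print(f"distributed scan of {dst}: {info['sources']} sources, ports {info['ports']}")
```

On the constructed log, the per-source rule flags only 198.51.100.10; the twelve sources sweeping 203.0.113.6 each touch at most two ports and would pass any per-IP threshold, yet the destination-side aggregation flags the host. In production the same aggregation is worth running per exposed /24 as well as per host, and the set of distinct source addresses it surfaces is more useful as an enrichment input (residential ASN, device type) than as a blocklist.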
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Discovery | T1046 | Network Service Discovery | — |
| Resource Development | T1583.002 | Acquire Infrastructure | DNS Server |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Command and Control | T1090.002 | Proxy | External Proxy |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
RECOMMENDATIONS:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/jdy-botnet-iot-soho/
https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation