Full Report
Cybersecurity researchers have warned of a "resurgence and expansion" of JDY, a covert network associated with China-nexus state-sponsored threat actors. "The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale," Lumen's
Analysis Summary
# Threat Actor: JDY (KV-Botnet Cluster)
## Attribution & Identity
- **Actor Name:** JDY
- **Associated Groups:** China-nexus state-sponsored threat actors; specifically linked to **Volt Typhoon**.
- **Known Associations:** Originally identified as a sub-cluster within the **KV-botnet** (which was dismantled by the U.S. government in early 2024).
- **Identity:** Operates as a "botnet-as-a-service" or a specialized reconnaissance cooperative that feeds intelligence to various Chinese hacking outfits.
## Activity Summary
- **Resurgence and Expansion (2026):** After the initial KV-botnet takedown, JDY has resurfaced with significant growth, expanding from 650 nodes in early 2024 to over 1,500 active devices.
- **Industrialized Reconnaissance:** The actor is currently conducting large-scale, automated scanning and service fingerprinting to identify vulnerable edge infrastructure following public vulnerability disclosures (N-day exploitation).
## Tactics, Techniques & Procedures
- **Stealth & Evasion:** Uses compromised SOHO/IoT devices to blend in with legitimate traffic and bypass geofencing, IP reputation filters, and static blocklists.
- **Multi-Layered Architecture:** Management of infrastructure (C2 and payload servers) is routed through the **Tor** network.
- **Scanning Capabilities:**
  - High-performance TCP, SSL, UDP, and ICMP-assisted probing.
  - **SYN Scanning:** Initiates high-speed SYN scans if root privileges (raw socket access) are obtained on the infected host.
- **Vulnerability Weaponization:** Leverages newly disclosed vulnerabilities in edge devices (e.g., CVE-2026-35616).
- **Execution:** Uses shell script droppers to check for existing infections before downloading architecture-specific payloads (MIPS, ARM, etc.). The malware is typically deleted from the disk after execution to minimize the forensic footprint.
- **MITRE ATT&CK IDs (Inferred from context):**
  - T1595: Active Scanning
  - T1201: Network Service Scanning
  - T1090.003: Multi-hop Proxy (Tor)
  - T1190: Exploit Public-Facing Application
## Targeting
- **Sectors:** Primarily targets SOHO (Small Office Home Office) and IoT devices to build infrastructure; the second-stage targets are broad, aimed at any organization with exposed, vulnerable edge services.
- **Geography:**
  - **Host Nodes:** Predominantly located in the **U.S.** and **Brazil**, followed by **Europe** and **Asia**.
  - **Victims:** General internet-facing services; the botnet's goal is to map exposed services across the globe for follow-on exploitation by other state-sponsored groups.
## Tools & Infrastructure
- **Malware:**
  - **JDY Payload:** A high-performance scanner designed for system profiling and fingerprinting.
  - **Shell Script Dropper:** Architecture-aware downloader (mips, mips64, mipsel, mipsel64).
- **Infected Infrastructure:**
  - Cisco RV320/RV325 routers.
  - Devices from Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
- **C2 & Payload Servers:** Managed via Tor nodes to hide the true origin of the operators.
## Implications
The JDY botnet represents an "industrialized" phase of Chinese cyber operations. By decoupling reconnaissance from exploitation, threat actors like Volt Typhoon can maintain a massive, updated map of global vulnerabilities. The use of U.S.-based residential and small business IPs makes traditional defensive measures (like IP blocking) largely ineffective, allowing the actors to "live off the land" at the network layer.
## Mitigations
- **Patch Management:** Rapidly patch edge devices (routers, firewalls, IoT) against public CVEs, specifically focusing on the mentioned vulnerability CVE-2026-35616.
- **Device Hardening:** Disable unnecessary remote management interfaces on SOHO and IoT devices.
- **Anomaly Detection:** Monitor for unusual outbound traffic patterns from IoT devices, particularly high volumes of SYN packets or connections to the Tor network.
- **Zero Trust:** Move away from simple IP-based trust models, as JDY uses "clean" residential IPs to mask activity.
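The anomaly-detection mitigation above can be turned into a concrete check on flow logs. The following is an added example written for this summary; it is not code from Lumen's report or from the JDY operators. It assumes flows are exported as CSV lines with the fields `ts,src,dst,dport,proto,flags`, that the SOHO/IoT segment sits in an assumed `10.20.0.0/16` prefix, and that a Tor relay list is available from an external feed (the two relay addresses below are constructed RFC 5737 placeholders). It flags two of the behaviours described on this page: a single internal device emitting a burst of SYN-only flows to many distinct targets (the SYN-scan signature), and any internal device contacting a known Tor relay.

```python
"""Flag SOHO/IoT hosts that behave like a JDY-style scanner in flow logs.

Heuristics (both taken from the mitigations above):
  1. one internal host emits many SYN-only TCP flows to many distinct
     (destination, port) pairs inside a short sliding window;
  2. an internal host connects to an address on a Tor relay list.
All sample flows, the internal prefix and the relay list are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder relay list (RFC 5737 TEST-NET addresses); in a real
# deployment this set would be refreshed from a Tor relay feed.
TOR_RELAYS = {"203.0.113.7", "198.51.100.44"}

# Assumed address range of the SOHO/IoT device segment.
IOT_NET = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    ts: int        # unix seconds
    src: str
    dst: str
    dport: int
    proto: str     # "tcp", "udp" or "icmp"
    flags: str     # TCP flag letters as exported, e.g. "S", "SA", "PA"


def parse_flow(line: str) -> Flow:
    """Parse one CSV flow line of the form ts,src,dst,dport,proto,flags."""
    ts, src, dst, dport, proto, flags = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), proto, flags)


def is_syn_only(f: Flow) -> bool:
    """A bare SYN with no ACK is what an outbound scan probe looks like."""
    return f.proto == "tcp" and f.flags == "S"


def find_syn_scanners(flows, window=60, min_syn=100, min_targets=50):
    """Return {src: (syn_count, distinct_targets)} for internal hosts whose
    SYN-only flow count and (dst, dport) fan-out inside some `window`-second
    sliding window both reach the thresholds. The peak window is reported."""
    by_src = defaultdict(list)
    for f in flows:
        if is_syn_only(f) and ip_address(f.src) in IOT_NET:
            by_src[f.src].append(f)

    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        left = 0
        targets = defaultdict(int)          # (dst, dport) -> count in window
        best = None
        for right, f in enumerate(fs):
            targets[(f.dst, f.dport)] += 1
            # Slide the left edge forward until the window fits.
            while fs[right].ts - fs[left].ts > window:
                key = (fs[left].dst, fs[left].dport)
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
                left += 1
            syn_count = right - left + 1
            if syn_count >= min_syn and len(targets) >= min_targets:
                if best is None or syn_count > best[0]:
                    best = (syn_count, len(targets))
        if best is not None:
            hits[src] = best
    return hits


def find_tor_contacts(flows):
    """Sorted (src, dst) pairs where an internal host reached a listed relay."""
    return sorted({(f.src, f.dst) for f in flows
                   if ip_address(f.src) in IOT_NET and f.dst in TOR_RELAYS})


def build_sample_flows():
    """Constructed flow log: one scanner, one ordinary client, one Tor contact."""
    lines = []
    # 10.20.1.5 fires 120 SYN-only probes at 120 different hosts within 30 s.
    for i in range(120):
        port = [22, 443, 8443][i % 3]
        lines.append(f"{1700000000 + i // 4},10.20.1.5,192.0.2.{i % 250 + 1},{port},tcp,S")
    # 10.20.1.9 is a normal client completing a few full handshakes.
    for i in range(5):
        lines.append(f"{1700000000 + i},10.20.1.9,192.0.2.10,443,tcp,S")
        lines.append(f"{1700000000 + i},10.20.1.9,192.0.2.10,443,tcp,PA")
    # 10.20.1.7 opens a connection to a listed Tor relay on the default ORPort.
    lines.append("1700000050,10.20.1.7,203.0.113.7,9001,tcp,S")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    sample = build_sample_flows()
    for src, (n, t) in find_syn_scanners(sample).items():
        print(f"SYN-scan suspect {src}: {n} SYN-only flows to {t} targets")
    for src, dst in find_tor_contacts(sample):
        print(f"Tor relay contact {src} -> {dst}")
```

The thresholds (100 SYN-only flows to 50 distinct targets within 60 seconds) are deliberately conservative starting points for a SOHO segment, where a router or camera has no business opening that many half-connections; tune them against a baseline of the segment's own traffic before alerting. Matching on the relay list catches the Tor-routed management traffic described above only when the relay list is current, so refresh it on a schedule rather than baking it in as this example does.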