Summary Points
- The JDY botnet, now comprising over 1,500 diverse IoT and SOHO devices located primarily in the U.S. and Brazil, conducts high-volume, targeted scanning and fingerprinting to identify vulnerable infrastructure once a vulnerability has been disclosed.
- It uses a layered architecture with Tor for command-and-control and adapts its scanning techniques to the privileges it holds on the compromised device, both to evade detection and to enable rapid exploitation of newly disclosed vulnerabilities.
- Despite takedowns, JDY’s evolution into an autonomous reconnaissance tool illustrates persistent, adaptable threat capabilities that continuously provide real-time targeting intelligence to Chinese state-sponsored actors.
Threat Overview, Attack Techniques, and Targets
Cybersecurity researchers warn about the increasing activity of the JDY botnet, which is linked to China. The botnet has grown to include over 1,500 devices. It uses infected small office and home office (SOHO) routers and Internet of Things (IoT) devices. The main purpose of JDY is to scan and map internet-facing services on a large scale. It can identify vulnerable systems and gather detailed information for further attacks.
The attack method involves exploiting known vulnerabilities in edge devices, such as CVE-2026-35616. The malware checks if it is already running before downloading additional payloads tailored to the device’s architecture. Once active, the malware fingerprints the host device and performs high-volume network probes. These probes include TCP, SSL, UDP, and ICMP scans to gather response data like TLS certificates. The activity is mainly for reconnaissance, not immediate exploitation.
Most targeted devices are located in the U.S. and Brazil, followed by Europe and Asia. Previously, the botnet focused on Cisco routers, but now it includes devices from Araknis, Mimosa Networks, Ubiquiti, Hikvision, Draytek, and Linksys. The large number of U.S.-based devices allows the attackers to bypass many defense measures like geofencing and IP-based controls.
Impact, Security Implications, and Remediation Guidance
The JDY botnet is used for broad reconnaissance activities. Its expansion to over 1,500 devices means more extensive mapping of vulnerable internet infrastructure. Because it uses compromised devices across different regions and manufacturers, traditional defense methods are less effective. The activity creates a persistent security threat because the malware can adapt based on device privileges and network conditions.
This ongoing reconnaissance can lead to future attacks, including exploitation of vulnerabilities and targeted system attacks. The use of layered Tor infrastructure makes command and control communication hard to detect and disrupt.
To mitigate this threat, organizations should follow vendor-specific or authority-recommended remediation steps. These may include patching affected devices, changing default passwords, and monitoring network traffic for unusual activity. Since this summary does not provide detailed remediation guidance, consult security vendors or official advisories for the specific countermeasures that apply to your devices.
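Because the probes described above originate from consumer devices inside the U.S., source-IP geofencing does little, and monitoring has to key on behaviour instead. The following Python script is an added example, not code from the original report or from any vendor: it parses constructed flow-log lines and flags sources whose short, handshake-sized flows reach many distinct destination/port pairs over a mix of TCP, UDP and ICMP within a single one-minute window, which is the multi-protocol reconnaissance pattern the report describes. The log field layout, the thresholds, and the sample addresses are all assumptions chosen for illustration.

```python
"""
Behavioural detection of high-volume, multi-protocol probing over flow logs.
Added example; the field layout and thresholds are assumptions, not a vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src dst dport proto packets".
# These lines are illustrative and not taken from the original report.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 198.51.100.7 203.0.113.10 443 tcp 3
2024-05-01T10:00:02Z 198.51.100.7 203.0.113.11 443 tcp 3
2024-05-01T10:00:02Z 198.51.100.7 203.0.113.12 22 tcp 2
2024-05-01T10:00:03Z 198.51.100.7 203.0.113.13 161 udp 1
2024-05-01T10:00:03Z 198.51.100.7 203.0.113.14 0 icmp 1
2024-05-01T10:00:04Z 198.51.100.7 203.0.113.15 8443 tcp 3
2024-05-01T10:00:04Z 198.51.100.7 203.0.113.16 53 udp 1
2024-05-01T10:00:05Z 198.51.100.7 203.0.113.17 0 icmp 1
2024-05-01T10:00:06Z 198.51.100.7 203.0.113.18 443 tcp 3
2024-05-01T10:00:06Z 198.51.100.7 203.0.113.19 80 tcp 3
2024-05-01T10:00:10Z 192.0.2.55 203.0.113.10 443 tcp 412
2024-05-01T10:00:11Z 192.0.2.55 203.0.113.10 443 tcp 390
2024-05-01T10:05:00Z 192.0.2.56 203.0.113.20 22 tcp 250
"""

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(seconds=60)
MIN_TARGETS = 8          # distinct (dst, proto, port) tuples within one window
MIN_PROTOCOLS = 2        # mixed TCP/UDP/ICMP probing, as described in the report
MAX_PKTS_PER_FLOW = 5    # probes are short (handshake / certificate grab), not sessions


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, pkts = parts
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "pkts": int(pkts),
        })
    return flows


def detect_probers(flows, window=WINDOW, min_targets=MIN_TARGETS,
                   min_protocols=MIN_PROTOCOLS, max_pkts=MAX_PKTS_PER_FLOW):
    """Return {src: summary} for sources whose probe-sized flows reach many
    distinct targets over several protocols inside a single time window."""
    by_src = defaultdict(list)
    for f in flows:
        if f["pkts"] <= max_pkts:          # keep only handshake-sized flows
            by_src[f["src"]].append(f)

    hits = {}
    for src, src_flows in by_src.items():
        src_flows.sort(key=lambda f: f["ts"])
        best = None
        # Evaluate every window that starts at one of this source's flows and
        # keep the one covering the most distinct targets.
        for i, start in enumerate(src_flows):
            targets, protos = set(), set()
            for f in src_flows[i:]:
                if f["ts"] - start["ts"] > window:
                    break
                targets.add((f["dst"], f["proto"], f["dport"]))
                protos.add(f["proto"])
            if best is None or len(targets) > best["targets"]:
                best = {"targets": len(targets), "protocols": protos,
                        "first_seen": start["ts"].isoformat()}
        if best and best["targets"] >= min_targets \
                and len(best["protocols"]) >= min_protocols:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, info in detect_probers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['targets']} targets over "
              f"{sorted(info['protocols'])} from {info['first_seen']}")
```

On the constructed sample, only 198.51.100.7 is flagged: ten distinct destination/port pairs across TCP, UDP and ICMP in five seconds, every flow only a few packets long. The two larger flows from 192.0.2.55 look like ordinary HTTPS sessions and drop out at the packet-count filter, which is the point of keying on short, wide, mixed-protocol contact rather than on where the source address sits.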
