China-linked JDY botnet expands targeting of U.S. military networks

Evolution of JDY

The JDY botnet, a malware network linked to Chinese threat actors including Volt Typhoon, has broadened its focus on U.S. military infrastructure and related systems. Researchers at Black Lotus Labs, part of Lumen, have tracked the evolution of this network, which has shifted from a smaller-scale operation to a more sophisticated reconnaissance tool.

The firm reports that JDY now prioritizes the United States, where a significant portion of its compromised devices are located and where it conducts extensive scanning of military and affiliated networks. The botnet’s scale has grown from approximately 650 active nodes in January 2024 to over 1,500 infected small office/home office (SOHO) and Internet of Things (IoT) devices as of 2026.

Operational Approach

While this number appears modest, JDY operates differently from traditional botnets. Instead of relying on large-scale exploitation or distributed denial-of-service (DDoS) capabilities, it functions as a distributed scanning and reconnaissance network. This approach enables operators to identify systems vulnerable to newly disclosed security flaws, allowing them to exploit weaknesses rapidly.

Technical Capabilities

Black Lotus Labs’ analysis indicates that JDY’s activities align with the tactics of advanced persistent threat (APT) groups linked to China. The report highlights that the botnet’s focus on U.S. military networks is particularly concerning, as it suggests a strategic effort to map infrastructure susceptible to future attacks.

The firm notes that JDY’s operations span multiple sectors, but military and defense-related entities remain the primary targets. The botnet’s technical capabilities include service discovery, banner grabbing, TLS certificate collection, protocol fingerprinting, and vulnerability-specific reconnaissance.

Compromised Devices and Vulnerabilities

Compromised devices include models from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, with malware builds for architectures such as MIPS, MIPS64, MIPSEL, and MIPSEL64. Researchers observed JDY scanning for CVE-2026-35616, a vulnerability disclosed by Fortinet in FortiClient EMS, shortly after its public release.

Control and Infrastructure

Control of the botnet is managed through Tor hidden services, which act as command-and-control (C2) infrastructure. In some instances, the open-source Platypus framework is used for reverse-shell and host management tasks. The scanning module supports TCP, SSL/TLS, UDP, and ICMP protocols, along with banner and TLS certificate harvesting.

Scanning Functionality

The scanning module employs downloadable rule sets for service fingerprinting and operates in a continuous cycle until instructed otherwise. A notable technical feature of JDY is its TCP scanning functionality, which becomes more efficient when the malware gains elevated privileges. Researchers observed that JDY uses raw SYN scanning via custom-crafted TCP packets when it can access raw sockets, which typically requires administrative or root-level access.

These packets utilize a fixed source port of 19000, iterate through destination ports sequentially, and process thousands of targets in batches.

Recommendations for Organizations

The report underscores the need for organizations to address vulnerabilities in network devices, particularly SOHO routers and IoT systems. Recommendations include applying security patches, disabling unnecessary internet-facing administrative interfaces, restricting remote management access, and monitoring for anomalous outbound scanning activity.

As JDY’s activities intensify, cybersecurity teams must prioritize proactive measures to mitigate risks. This includes regular firmware updates, credential management, and network segmentation to limit potential attack vectors. The botnet’s ability to exploit newly disclosed flaws highlights the importance of rapid response to security advisories and continuous threat intelligence monitoring.
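The scanning pattern described above (fixed source port 19000, sequential destination ports, many targets per batch) and the recommendation to monitor for anomalous outbound scanning can be combined into a simple flow-log check. The following is an added detection example, not code from the report or from Black Lotus Labs; the flow record layout and the sample records are constructed, and the thresholds are assumptions to tune per network.

```python
"""Flag hosts whose outbound TCP SYNs match the JDY raw-scan pattern:
one fixed source port (19000), a sequential run of destination ports,
and several distinct targets. Flow format is an assumption."""
from collections import defaultdict

# Constructed sample flows: src_ip src_port dst_ip dst_port proto flags
SAMPLE_FLOWS = """\
10.0.0.5 19000 203.0.113.10 22 tcp S
10.0.0.5 19000 203.0.113.10 23 tcp S
10.0.0.5 19000 203.0.113.10 24 tcp S
10.0.0.5 19000 203.0.113.11 22 tcp S
10.0.0.5 19000 203.0.113.11 23 tcp S
10.0.0.5 19000 203.0.113.11 24 tcp S
10.0.0.5 19000 203.0.113.12 22 tcp S
10.0.0.5 19000 203.0.113.12 23 tcp S
10.0.0.5 19000 203.0.113.12 24 tcp S
10.0.0.7 51234 198.51.100.8 443 tcp S
10.0.0.7 51240 198.51.100.9 443 tcp S
10.0.0.7 51251 198.51.100.8 80 tcp S
"""

JDY_SRC_PORT = 19000  # fixed source port reported for JDY raw SYN scans

def parse_flows(text):
    """Parse whitespace-separated flow records; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        src, sport, dst, dport, proto, flags = parts
        flows.append((src, int(sport), dst, int(dport), proto, flags))
    return flows

def find_syn_scanners(flows, min_targets=3, min_ports=3, fixed_port=JDY_SRC_PORT):
    """Return {src_ip: summary} for sources matching all three traits."""
    by_src = defaultdict(list)
    for src, sport, dst, dport, proto, flags in flows:
        if proto == "tcp" and flags == "S":  # SYN-only, no established flows
            by_src[src].append((sport, dst, dport))
    hits = {}
    for src, recs in by_src.items():
        sports = {s for s, _, _ in recs}
        targets = {d for _, d, _ in recs}
        dports = sorted({p for _, _, p in recs})
        fixed = sports == {fixed_port}
        # Sequential iteration: sorted unique ports form one contiguous range
        sequential = len(dports) >= min_ports and \
            dports == list(range(dports[0], dports[0] + len(dports)))
        if fixed and sequential and len(targets) >= min_targets:
            hits[src] = {"targets": len(targets), "ports": (dports[0], dports[-1])}
    return hits
```

A fixed source port alone is a weak indicator, so the check requires the port sweep and target fan-out as well; a hit is a lead to investigate the source device, not a verdict.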

According to Black Lotus Labs, “JDY’s focus on U.S. military networks is particularly concerning, as it suggests a strategic effort to map infrastructure susceptible to future attacks.”
