Black Lotus Labs® recently identified a significant resurgence of the JDY botnet, a covert reconnaissance network tied to China-nexus threat activity. In this report, we examine how the botnet has expanded its footprint, diversified its device base and enabled rapid vulnerability targeting, giving defenders important insight into how modern reconnaissance supports subsequent exploitation.
Key findings
- Black Lotus Labs has identified a resurgence and expansion of the JDY botnet, a covert network linked to Chinese nation-state-backed actors, including Volt Typhoon.
- The JDY botnet comprises over 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices. It operates as a centrally controlled, high-performance scanner used to discover, fingerprint and continuously map exposed services at scale.
- The IoT-based malware affects a wider array of devices and feeds structured reconnaissance data into a larger scanning ecosystem for subsequent triage, target identification and exploitation.
- JDY demonstrates how IoT and SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation.
- Black Lotus Labs recommends implementing recent U.K. National Cyber Security Centre (NCSC) guidance on defending against China-nexus covert networks of compromised devices.
This article provides a detailed overview of how Black Lotus Labs tracked the botnet’s evolution, why it matters to defenders and how enterprise security teams can respond to minimize the threat to their organizations.
Research overview
In December 2023, Black Lotus Labs unveiled KV-botnet, a covert network of thousands of SOHO routers and firewall devices used by China-based APTs, most notably Volt Typhoon, to conduct espionage and intelligence operations targeting U.S. critical infrastructure.
At the time, the botnet consisted of four clusters. The primary focus was on the “KV cluster,” used as a covert data transfer network, and the “JDY cluster,” used for scanning and reconnaissance. The KV cluster became largely defunct following public disclosure and U.S. government takedown efforts from late 2023 to early 2024. Despite these setbacks, the JDY cluster remained an active threat and is the focus of this report.
Since the initial disclosure, the JDY botnet surged to more than 1,500 compromised SOHO and IoT devices actively conducting targeted scanning and service fingerprinting. Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors. This targeted focus has been observed across a range of sectors, with the U.S. military and associated entities as the most prominent.
Background and context
Black Lotus Labs monitors the rapidly growing trend of APT actors operating through botnets and other large networks of compromised consumer devices, sometimes referred to as covert networks or operational relay box (ORB) networks. These covert networks have become a foundational component of modern nation-state cyber operations, enabling adversaries to blend malicious activity into legitimate traffic while maintaining global reach and persistence.
We have closely tracked the evolution of this tradecraft, including the emergence of purpose-built reconnaissance infrastructure, as described in our report on Raptor Train. These networks are designed to systematically discover and fingerprint exposed services and vulnerable systems across the internet. One such capability is the JDY botnet.
JDY’s growth and continued operation illustrate how modern reconnaissance networks persist despite takedowns and adapt as a durable capability within a broader adversary ecosystem. Understanding the botnet's structure, scalability and reconnaissance capabilities is essential for defenders to detect early signs of scanning and minimize risks before exploitation.
How the JDY botnet enables network reconnaissance and vulnerability exploitation
The JDY botnet has more than doubled in size since the U.S. government takedown efforts against the KV cluster. In January 2024, the low point of JDY activity, we observed approximately 650 bots communicating with the JDY command-and-control (C2) servers. Today, the JDY botnet comprises more than 1,500 compromised devices actively conducting scanning and reconnaissance. These devices are physically located throughout Europe, Asia and the Americas, with the majority located in the United States.
In addition to expanding in size, the botnet has diversified its victim base. Previously, the JDY cluster consisted exclusively of two Cisco router models: RV320 and RV325. Today, the bots that make up this network include many compromised SOHO and IoT devices from manufacturers such as Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision and Linksys.
The botnet’s large number of U.S.-based SOHO and IoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection and static blocklists. By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked. Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.
Reconnaissance fuels China-nexus APT exploitation efforts
The JDY botnet operates through a layered architecture. Operators manage infected infrastructure through concealed Tor nodes that obfuscate access to both C2 and payload servers. The C2 systems direct bot devices to perform widespread multiprotocol scans that collect service and banner details and TLS certificates while conducting vulnerability-focused reconnaissance. Results are sent to central servers for low-profile, continuous intelligence gathering that aids China-nexus threat actors.
Black Lotus Labs found that JDY botnet operators target specific devices for scanning and reconnaissance, rather than conducting widespread, indiscriminate scanning. Most notably, there was a selective increase in scans of Fortinet equipment immediately after the disclosure of a new vulnerability, indicating the ability and intent to find and exploit vulnerable devices before patches are widely applied.
We also assess that the JDY botnet likely continues to support the efforts of various China-nexus APT actors based on its previous links to the KV-botnet and sustained targeting and victimology patterns. Rather than draw attention by scanning the entire internet, JDY’s activity indicates a clear focus on military-related targets. Of the IP addresses JDY scanned, most were associated with networks owned by the U.S. military and associated entities.
Botnet infrastructure and obfuscated command-and-control
Upstream communications show ongoing management via hidden Tor services. Command and control is highly automated and nearly constant, with increased activity during botnet growth. Some victim devices are also managed using Platypus, an open-source reverse shell and host management tool. The JDY botnet payload server, 149.248.3[.]38, is hosting a Platypus server on port 13339, the default port used to download Platypus agents (also called Termite clients) to target endpoints.
JDY malware analysis: distributed scanning and reconnaissance toolkit
Black Lotus Labs obtained several samples of the JDY botnet malware, which is a distributed scanning and target reconnaissance tool designed to:
- Receive scanning tasks from a centralized C2 (Dispatch Service).
- Perform high-volume TCP, UDP, SSL and ICMP‑assisted probing.
- Interrogate and capture banners, protocol metadata, TLS details and service fingerprints.
- Report structured scan results back to the C2 for aggregation and analysis.
The JDY malware focuses on infrastructure reconnaissance rather than exploiting targets, which likely supports follow-on asset discovery, vulnerability-targeting pipelines and downstream exploitation or attack-orchestration systems.
The JDY dropper
The dropper for the JDY payload is a lightweight bash script that walks through the following workflow to download and execute the malware on compromised SOHO and IoT devices:
- Query the running process list to determine whether the malware is already active, using a variable process name (auditdy).
- If a running instance is detected, ensure the corresponding file on disk is removed then exit.
- Determine the device architecture by probing available system utilities and parsing command output (using variations of hexdump, read, dd, awk or similar).
- Download the appropriate payload from a variable payload server using available tooling (busybox, curl, wget, or wget‑ssl), selecting the binary based on the detected architecture (mips, mips64, mipsel, mipsel64).
- Write the payload to /etc/ or /tmp/ (depending on disk space and permissions), set execute permissions, launch the malware with a variable C2 IP and group ID supplied via command‑line arguments, and then delete the payload from disk.
JDY malware
The malware samples we obtained were a Linux-based scanning agent built for MIPS, MIPS64 and MIPSEL architectures, processor types commonly found in routers, network appliances and embedded systems. These architectures suggest that the malware is intended for routers and edge devices where monitoring and endpoint protection are limited.
At a high level, the malware’s workflow follows a seven-step process:
- Initializes and fingerprints the host
- Sends a beacon to dispatch service with probe metadata
- Receives scanning configuration and tasks
- Executes large-scale internet scanning tasks
- Collects responses (banners, TLS certs, metadata)
- Compresses and delivers results to dispatch service
- Repeats the process until explicitly told to exit
Once executed, the malware begins by initializing several variables, including a hardcoded malware version (in this case, 1.8.3.9), hardcoded architecture and a unique “probe_id,” which is computed by MD5 hashing system-specific information. It then checks that the required command line arguments are supplied and displays usage instructions if they are not:
usage:%s -g <group_id> -s <web_ip> [-l local_ip] [-c 0/1 check ports; default 1]
These command line arguments include a group ID, used for logical clustering on the backend; a remote server address, which functions as the C2 address; and optional flags to specify whether port scanning is enabled.
C2 communications via the dispatch service
After parsing and storing the command line arguments, the malware starts a new thread to process the C2 communications. The initial check-in beacon is sent encrypted via an HTTPS POST request to the remote server address supplied via command line at the path /dispatch_service/v2/probe_status. The message includes a structured JSON payload containing the following information:
- Operating system and kernel details
- Architecture type
- System uptime
- Malware version
- Unique probe_id and group ID
- Uptime
- Memory statistics
- Task counters and failure rates
Rather than hard-coding targets, the malware retrieves tasks from its C2 infrastructure dynamically via the dispatch service. The dispatch service uses encrypted tasking, where responses are base64 decoded, decrypted using a hardcoded AES key (0000000000000000bdb718bdf47cbcde), and parsed as structured JSON. The malware retrieves this tasking by sending a GET request to the following endpoint:
/dispatch_service/v2/probe_task/%s?ip=%s&code=%s&v=%s&gid=%d&status=%u
Supported commands include:
- Exit: Terminate execution immediately.
- report_status: Update runtime configuration (timeouts, thread counts, scan intervals).
- update_dmap_fp_db: Download updated fingerprinting rules.
Fingerprinting rules
When instructed to update its fingerprint rule database via the update_dmap_fp_db command, the malware downloads a set of protocol-specific matching rules. These rules define:
- Transport type (TCP, UDP, SSL)
- Ports to scan
- Expected request/response patterns
- Regular expressions for banner matching
These rules turn the scanner into a sophisticated fingerprinting system capable of identifying specific services and protocols beyond simple “open/closed” port scan results. The malware issues a request to /dispatch/v2/dmap/<hex from dmp_fp_digest> and receives a response from the Dispatch Service. The response includes rules like the one below, which identifies Oracle WebLogic servers:
[
  {
    "tunnel": "tcp",
    "transfer": "",
    "protocol": "weblogic",
    "port": "7001",
    "req": "t3 10.0.0\\nAS:7777\\nHL:18\\n\\n",
    "rsp": "^HELO:[\\d]+(?:\\.[\\d]+)+[\\.a-z]*\\nAS:[012345689]+\\nHL:[\\d]+",
    "mod": 4,
    "loop": 1,
    "rarity": 0,
    "customizable": 0
  }
]
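To show how a rule of this shape drives fingerprinting, the following Python is an added example written for this page; it is not the malware's code and not a Black Lotus Labs tool. It loads the WebLogic rule exactly as printed above, turns the escaped newline sequences in req into the bytes that would go on the wire, compiles rsp as a regular expression and classifies two constructed responses. Two assumptions are made: that the agent unescapes req C-style before sending it (the report does not say how req is interpreted), and that rsp follows ordinary regex semantics. The mod, loop, rarity and customizable fields are carried along but not interpreted, because the report does not define them.

```python
import json
import re

# The WebLogic rule as printed in the report, embedded here as the input.
# The doubled backslashes are JSON escapes: after parsing, "req" holds the
# two-character sequence backslash-n and "rsp" holds a regex with \d, \. and \n.
RULES_JSON = r'''
[
  {
    "tunnel": "tcp",
    "transfer": "",
    "protocol": "weblogic",
    "port": "7001",
    "req": "t3 10.0.0\\nAS:7777\\nHL:18\\n\\n",
    "rsp": "^HELO:[\\d]+(?:\\.[\\d]+)+[\\.a-z]*\\nAS:[012345689]+\\nHL:[\\d]+",
    "mod": 4,
    "loop": 1,
    "rarity": 0,
    "customizable": 0
  }
]
'''


def load_rules(text):
    """Parse the rule list and compile each rule into a probe and a matcher.

    Assumption: the agent turns the escaped newline sequences in "req" into real
    newline bytes before sending them (C-style unescaping). The report does not
    say how "mod", "loop", "rarity" or "customizable" are used, so they are kept
    under "extra" but not interpreted here.
    """
    rules = []
    for raw in json.loads(text):
        probe = raw["req"].encode("latin-1").decode("unicode_escape").encode("latin-1")
        rules.append({
            "protocol": raw["protocol"],
            "tunnel": raw["tunnel"],
            "port": int(raw["port"]),
            "probe": probe,
            # Bytes regex so it can run directly on what came off the socket.
            "pattern": re.compile(raw["rsp"].encode("latin-1")),
            "extra": {k: raw[k] for k in ("mod", "loop", "rarity", "customizable")},
        })
    return rules


def classify(port, response, rules):
    """Return the protocol name of the first rule for this port whose response
    regex matches the captured bytes, or None when nothing matches."""
    for rule in rules:
        if rule["port"] == port and rule["pattern"].search(response):
            return rule["protocol"]
    return None


RULES = load_rules(RULES_JSON)

# Constructed responses, not captured from any real host.
WEBLOGIC_BANNER = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\n\n"
HTTP_BANNER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    print("probe bytes:", RULES[0]["probe"])
    print("7001 / T3 reply ->", classify(7001, WEBLOGIC_BANNER, RULES))
    print("7001 / HTTP reply ->", classify(7001, HTTP_BANNER, RULES))
```

The point of the rsp regex is that a bare open port 7001 is not enough: only a response that carries the T3 HELO line with a dotted version, an AS value and an HL value is labelled weblogic, which is why the scanner can report the product rather than just the port state.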
Adaptive scanning engine
One of the most interesting components of the malware is its scanning system, which adapts based on the malware's privileges on the local system.
Raw packet scanning: preferred method
If the malware can open a raw socket, which generally requires root or administrative privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. These custom packets use a fixed source port of 19000, increment the destination ports one at a time, and batch-process thousands of scan targets. This method enables fast port discovery without completing TCP handshakes, reducing noise, and avoiding application-level logging on targets.
Standard TCP and SSL scanning: fallback method
If raw sockets are unavailable or if the task is a web scan, the malware falls back to standard TCP and TLS connections, executed in parallel worker threads. While slower, this method allows the malware to gather richer data through other core functionality, including information on application banners, SSL/TLS versions, certificate metadata, domain resolutions and HTTP responses and redirects.
UDP and ICMP scanning
The scanning engine also supports UDP-based scanning and ICMP echo requests (ping), particularly for HTTP services. In one notable case, if the supplied destination port is 80, the malware will first send a crafted ping to the target with a hardcoded ICMP packet identifier (19037) and sequence number (35765). Responsive hosts are then scanned using the standard TCP scanning function to capture HTTP responses.
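The fixed source port of the SYN scanner and the hardcoded ICMP identifier and sequence number are the kind of constants a defender can hunt for in flow and packet telemetry. The following Python is an added example for this page, not code from the report, that runs both checks over constructed records (documentation IP ranges and made-up timestamps). Source port 19000 on its own is a weak signal, since any client can draw it as an ephemeral port, so the SYN check also requires the consecutive destination-port stepping the report describes; the thresholds (16 consecutive ports within 60 seconds) are assumptions chosen for the example, as the report gives no numbers.

```python
from collections import defaultdict

# Constants taken from the report's description of the scanning engine.
JDY_SYN_SPORT = 19000   # fixed source port of the raw-socket SYN scan
JDY_ICMP_ID = 19037     # hardcoded ICMP echo identifier
JDY_ICMP_SEQ = 35765    # hardcoded ICMP echo sequence number

# Constructed telemetry for the example (documentation IP ranges, made-up times).
# TCP: (epoch_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
TCP_FLOWS = [
    # A source sweeping consecutive ports from the fixed source port, SYN only.
    *[(1000 + i, "203.0.113.10", JDY_SYN_SPORT, "198.51.100.7", 7000 + i, "S") for i in range(30)],
    # A client whose ephemeral port happened to be 19000 for a single connection.
    (1005, "192.0.2.44", JDY_SYN_SPORT, "198.51.100.7", 443, "S"),
    (1006, "192.0.2.44", JDY_SYN_SPORT, "198.51.100.7", 443, "PA"),
    # Ordinary browsing from rotating ephemeral ports.
    *[(1000 + i, "192.0.2.45", 50000 + i, "198.51.100.7", 443, "S") for i in range(30)],
]
# ICMP: (epoch_seconds, src_ip, dst_ip, icmp_type, icmp_id, icmp_seq)
ICMP_ECHOES = [
    (999, "203.0.113.10", "198.51.100.7", 8, JDY_ICMP_ID, JDY_ICMP_SEQ),
    (1001, "192.0.2.46", "198.51.100.7", 8, 1234, 1),
]

# Thresholds are assumptions chosen for the example; the report gives none.
MIN_PORTS = 16
WINDOW_SECONDS = 60


def syn_sweep_sources(flows, sport=JDY_SYN_SPORT, min_ports=MIN_PORTS, window=WINDOW_SECONDS):
    """Source IPs that send SYN-only segments from the fixed source port to at
    least min_ports distinct, consecutive destination ports on one host within
    window seconds. Consecutiveness is what separates the scanner from a client
    that merely reused port 19000 once."""
    by_pair = defaultdict(list)
    for ts, src, sp, dst, dp, flags in flows:
        if sp == sport and flags == "S":
            by_pair[(src, dst)].append((ts, dp))
    hits = set()
    for (src, _dst), events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            ports = sorted({dp for _, dp in events[lo:hi + 1]})
            # distinct ports whose span equals count-1 form an unbroken run
            if len(ports) >= min_ports and ports[-1] - ports[0] == len(ports) - 1:
                hits.add(src)
                break
    return hits


def icmp_marker_sources(echoes, ident=JDY_ICMP_ID, seq=JDY_ICMP_SEQ):
    """Source IPs whose echo requests carry the hardcoded identifier and
    sequence number the report describes for the pre-scan ping."""
    return {src for _ts, src, _dst, typ, i, s in echoes if typ == 8 and i == ident and s == seq}


def jdy_candidates(flows, echoes):
    """Combine both indicators; the value is the set of reasons per source."""
    reasons = defaultdict(set)
    for src in syn_sweep_sources(flows):
        reasons[src].add("syn_sweep_from_sport_19000")
    for src in icmp_marker_sources(echoes):
        reasons[src].add("icmp_echo_id_19037_seq_35765")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in jdy_candidates(TCP_FLOWS, ICMP_ECHOES).items():
        print(src, sorted(why))
```

The ICMP identifier and sequence pair is the stronger of the two indicators because it is a fixed value in the packet itself, so it translates directly into a packet-level IDS match; the SYN check needs the flow aggregation shown here, and both should be treated as leads to confirm against the published IOCs rather than as block decisions on their own.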
Reporting results back to the C2
As scan results accumulate and meet either a threshold count or a set time interval, the malware packages them into compressed JSON bundles. Included in the JSON bundle is a list of scan results, one per IP and port combination. The resulting data that is returned to the dispatch service includes the following fields:
- IP and port
- TCP TTL
- Protocol and tunnel type
- Base64‑encoded service banners
- TLS versions
- TLS certificates
- Domains
- URLs
- Redirect paths
The resulting JSON data for a banner-grabbing task is structured like the example below (the banner and cert values are base64-encoded and truncated here):
{
  "prober": {
    "v": "<version>",
    "ip": "<probe_ip>",
    "mac": "<probe_id>"
  },
  "task": {
    "v": <task_version>
  },
  "task_list": [
    {
      "task_id": "<task_identifier>",
      "banner_list": [
        {
          "ip": "192.168.1.100",
          "port": 443,
          "syn_ttl": 64,
          "tunnel": "ssl",
          "protocol": "https",
          "banner": "SFRUUC8xLjEgMjAwIE9LD...",
          "ssl_ver": "TLSv1.3",
          "cert": "MIIFazCCBFOgAwIBAgISA+...",
          "domain": "example.com",
          "url": "/api/v1/status",
          "banner_redirect": [
            {
              "banner": "SFRUUC8xLjEgMzAxIE1vdmVkIFBlcm1hb...",
              "url": "https://www.example.com/api/v1/status",
              "domain": "www.example.com"
            }
          ]
        }
      ]
    }
  ]
}
The JSON data is compressed and sent encrypted via an HTTP POST request to the C2 at the path /data/v2/pscan with the filename “attr.json”. Distributing this periodic push of compressed results across all of the botnet's nodes gives targeted scans high throughput with minimal latency, while keeping the impact on each infected device's performance low to moderate.
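As an added example for this page (not the malware's code or a Black Lotus Labs tool), the following Python parses a result bundle of the shape shown above into one flat record per IP and port, which is what an analyst would want after recovering a bundle from the wire: it base64-decodes each banner, extracts the HTTP status code where the banner is HTTP, follows the banner_redirect chain and computes a SHA-256 fingerprint of the DER certificate for pivoting across scan results. It takes the bundle after decryption and decompression, since the report does not name either algorithm. The bundle is constructed for the example, and the cert value is placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import json
import re

# A bundle in the shape described above, constructed for this example. Banners
# are made up and the "cert" value is placeholder bytes, not a real certificate.
SAMPLE_BUNDLE_JSON = json.dumps({
    "prober": {"v": "1.8.3.9", "ip": "203.0.113.10", "mac": "0123456789abcdef0123456789abcdef"},
    "task": {"v": 7},
    "task_list": [{
        "task_id": "task-0001",
        "banner_list": [
            {
                "ip": "198.51.100.7", "port": 443, "syn_ttl": 64,
                "tunnel": "ssl", "protocol": "https",
                "banner": base64.b64encode(
                    b"HTTP/1.1 301 Moved Permanently\r\n"
                    b"Location: https://www.example.com/api/v1/status\r\n\r\n").decode(),
                "ssl_ver": "TLSv1.3",
                "cert": base64.b64encode(b"\x30\x82\x01\x00 placeholder DER").decode(),
                "domain": "example.com",
                "url": "/api/v1/status",
                "banner_redirect": [{
                    "banner": base64.b64encode(b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n").decode(),
                    "url": "https://www.example.com/api/v1/status",
                    "domain": "www.example.com",
                }],
            },
            {
                "ip": "198.51.100.8", "port": 22, "syn_ttl": 255,
                "tunnel": "tcp", "protocol": "ssh",
                "banner": base64.b64encode(b"SSH-2.0-OpenSSH_8.4\r\n").decode(),
            },
        ],
    }],
})

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def http_status(raw):
    """HTTP status code from a decoded banner, or None for non-HTTP banners."""
    m = STATUS_LINE.match(raw)
    return int(m.group(1)) if m else None


def flatten_bundle(text):
    """One record per (ip, port) with the decoded banner line, HTTP status,
    certificate SHA-256 fingerprint and the redirect chain from banner_redirect."""
    bundle = json.loads(text)
    probe_id = bundle["prober"]["mac"]   # the report shows probe_id carried in this field
    records = []
    for task in bundle["task_list"]:
        for entry in task["banner_list"]:
            raw = base64.b64decode(entry["banner"])
            cert = base64.b64decode(entry["cert"]) if entry.get("cert") else None
            chain = [(hop["url"], http_status(base64.b64decode(hop["banner"])))
                     for hop in entry.get("banner_redirect", [])]
            records.append({
                "probe_id": probe_id,
                "task_id": task["task_id"],
                "ip": entry["ip"],
                "port": entry["port"],
                "syn_ttl": entry.get("syn_ttl"),
                "tunnel": entry.get("tunnel"),
                "protocol": entry.get("protocol"),
                "banner_line": raw.split(b"\r\n", 1)[0].decode("latin-1"),
                "http_status": http_status(raw),
                "ssl_ver": entry.get("ssl_ver"),
                "cert_sha256": hashlib.sha256(cert).hexdigest() if cert else None,
                "redirects": chain,
            })
    return records


if __name__ == "__main__":
    for rec in flatten_bundle(SAMPLE_BUNDLE_JSON):
        print(rec["ip"], rec["port"], rec["protocol"], rec["http_status"], rec["banner_line"])
```

The certificate fingerprint is the field worth keeping alongside the banner: the same certificate hash recurring across many IPs and ports is how scan output like this is turned into a list of hosts running one product, which is the triage step the report says sits downstream of the botnet.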
JDY’s expansion shows how reconnaissance drives rapid exploitation
The expansion of the JDY botnet underscores how China‑nexus threat actors are scaling reconnaissance as a core enabler of exploitation. By distributing scanning and fingerprinting across thousands of compromised SOHO and IoT devices, operators can rapidly identify vulnerable infrastructure and targets of interest while evading traditional, IP‑based defenses.
JDY’s evolution from a supporting component of the KV‑botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.
Black Lotus Labs will continue tracking the JDY botnet and related covert networks, sharing intelligence with partners, and integrating detections into Lumen DefenderSM to help reduce risk across enterprise, government and critical infrastructure environments.
How security teams can respond to covert scanning and exploitation risk
The JDY botnet underscores the risk of relying on traditional IP-based security controls such as geofencing, IP reputation-based detection, and static blocklists. The large number of U.S.-based SOHO and IoT devices that comprise the botnet allows operators to blend in with legitimate user traffic, making malicious scanning and reconnaissance activity harder to detect.
For network defenders, staying ahead of advanced actors requires integrating threat intelligence to track covert networks and other malicious infrastructure. At Black Lotus Labs, we have monitored the JDY botnet since 2022 and continue to add new IOCs to Lumen DefenderSM to protect our customers.
We recommend that enterprises:
- Implement CISA and NCSC guidance for mitigating Volt Typhoon activity and defending against China-nexus covert networks of compromised devices.
- Adopt comprehensive Secure Access Service Edge (SASE) or similar solutions to reduce external attack surface.
- Follow best practices for routers, firewalls and IoT devices, such as regularly rebooting and installing security updates and patches.
Explore additional threat resources
Review these current IOCs and visit our GitHub page, which we update continuously.
For broader threat protection and insights, explore these resources:
- Learn how we help protect customers with Lumen DefenderSM.
- Read the Lumen Defender Threatscape Report to understand how modern cyber threats are evolving.
- Collaborate with us on similar research by reaching out on LinkedIn or X (@BlackLotusLabs).
Analysis of the JDY botnet was performed by Ian Goldin, Michael Horka and Steve Rudd, with technical editing by Ryan English.
Discover how Black Lotus Labs uncovers and tracks botnets like JDY to protect your organization from covert scanning and exploitation.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available everywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. © 2026 Lumen Technologies. All Rights Reserved.