Remember the KV-botnet? The U.S. government took it down in early 2024. But the operators behind it didn't disappear. They adapted.
Now a new report from Lumen's Black Lotus Labs warns of a JDY botnet resurgence and expansion. What started as a small cluster within KV has grown into an independent, high-performance reconnaissance network.
Today, JDY controls more than 1,500 compromised SOHO (small office and home office) routers, firewalls, and IoT devices. And it's feeding intelligence directly to Chinese state-sponsored hacking groups like Volt Typhoon.
What Is JDY?
The JDY botnet resurgence and expansion represents a shift in how Chinese threat actors conduct reconnaissance. JDY operates as a centrally controlled, high-performance scanner.
It does not deploy ransomware or directly steal data. Its function is to:
1. Find exposed services at scale
2. Fingerprint devices and applications
3. Continuously map internet-facing infrastructure
4. Feed structured reconnaissance data into a larger ecosystem
Think of JDY as the lookout for a much bigger operation. It finds the vulnerabilities. Other actors exploit them.
Black Lotus Labs first flagged JDY as a cluster within the KV-botnet back in mid-December 2023. At that time, it was primarily used for broader scanning against internet targets. Chinese hacking groups like Volt Typhoon relied on it.
Then came the takedown.
Surviving the Takedown
When the U.S. government disrupted KV-botnet in early 2024, the second KV cluster largely went offline. But JDY's operators changed their behavior. They adapted.
JDY didn't simply survive the takedown; it thrived.
The number of bots on the JDY botnet grew from around 650 at the beginning of January 2024 to approximately 1,500 today, more than twice as many in just under two years!
Most of these hacked devices are located in the United States and Brazil, followed by Europe and Asia. Black Lotus Labs noted that the cluster in Brazil reflects a broader trend: "we're seeing more and more botnets made up of Brazilian victims these days."
From Cisco to Everything
The original JDY cluster primarily featured Cisco RV320 and RV325 routers. Those devices are still in the mix, but the JDY botnet resurgence and expansion has diversified significantly.
The botnet now includes devices from:
1. Araknis
2. Mimosa Networks
3. Ubiquiti
4. Draytek
5. Hikvision
6. Linksys
Why does device diversity matter? Because a botnet that spreads different kinds of scans across many device types is hard to block. Most traditional defenses rely on IP reputation systems, geographic blocking, or a static blocklist of IP addresses.
JDY's operators, however, spread their scanning across many source IP addresses so that no single address sends enough to be flagged as a scanner. And because the sources are legitimate SOHO and IoT devices, the traffic blends in with normal user activity.
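To show concretely why the per-address defenses described above miss this kind of scanning, here is an added example in Python (not code from the Lumen report, and nothing to do with JDY's own tooling). It runs a conventional per-source SYN threshold and then a per-target aggregation over constructed firewall log lines: two hundred sources that each send only two half-open SYNs slip under the per-source rule, while grouping by the host being probed exposes them. The log format, the addresses (taken from the documentation ranges) and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed firewall log (not real traffic). One line per TCP packet seen
# at the perimeter: "<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>".
# Addresses are from the documentation ranges 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24.
def build_sample_log():
    lines = []
    t = 1700000000
    # Distributed low-and-slow scan: 200 distinct sources, each sending only
    # two SYNs a few seconds apart, all aimed at one perimeter host.
    for i in range(200):
        src = f"203.0.113.{i + 1}"
        lines.append(f"{t + i * 18} {src} 192.0.2.10 443 S")
        lines.append(f"{t + i * 18 + 9} {src} 192.0.2.10 8443 S")
    # Classic single-source scanner for contrast: one IP sweeping 40 ports.
    for port in range(8000, 8040):
        lines.append(f"{t + port - 8000} 198.51.100.7 192.0.2.10 {port} S")
    # Benign clients: each completes the handshake (SYN, then ACK) to port 443.
    for j in range(5):
        src = f"192.0.2.{50 + j}"
        lines.append(f"{t + j} {src} 192.0.2.10 443 S")
        lines.append(f"{t + j} {src} 192.0.2.10 443 A")
    return lines


def parse(lines):
    """Split log lines into (epoch, src, dst, dst_port, flags) tuples."""
    records = []
    for line in lines:
        ts, src, dst, port, flags = line.split()
        records.append((int(ts), src, dst, int(port), flags))
    return records


def per_source_alerts(records, threshold=20):
    """Traditional per-IP rule: flag a source once it alone sends >= threshold SYNs."""
    counts = defaultdict(int)
    for _, src, _, _, flags in records:
        if flags == "S":
            counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


def half_open_sources(records):
    """Map each destination to the sources that sent a SYN and never followed
    with an ACK on that port: the half-open pattern left behind by SYN scanning."""
    syns = defaultdict(set)   # dst -> {(src, port)}
    acks = set()              # {(src, dst, port)}
    for _, src, dst, port, flags in records:
        if flags == "S":
            syns[dst].add((src, port))
        elif flags == "A":
            acks.add((src, dst, port))
    result = defaultdict(set)
    for dst, pairs in syns.items():
        for src, port in pairs:
            if (src, dst, port) not in acks:
                result[dst].add(src)
    return result


def distributed_scan_alerts(records, min_sources=50):
    """Aggregate by target instead of by source: flag any host probed half-open
    by >= min_sources distinct addresses, however little each one sent."""
    return {dst: len(srcs) for dst, srcs in half_open_sources(records).items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("per-source rule flags:", per_source_alerts(recs))        # only 198.51.100.7
    print("per-target rule flags:", distributed_scan_alerts(recs))  # 192.0.2.10 probed by 201 sources
```

The per-source rule catches only the noisy single-address scanner; the two hundred quiet sources never cross its threshold. Counting distinct half-open sources per target host instead does not care how much any one address sent, which is the view a defender needs against a botnet that deliberately keeps each bot below the radar.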
How JDY Works
The architecture behind the JDY botnet resurgence and expansion is layered and sophisticated.
Operators run their infrastructure, both command-and-control (C2) servers and payload servers, behind Tor nodes. The C2 servers direct the bots to perform targeted reconnaissance and system profiling rather than random open-port scanning.
The exploit chains often target vulnerabilities in edge devices that have only just been disclosed. One example targets CVE-2026-35616: the exploit delivers a shell-script dropper that first checks whether the device is already infected.
If it is not, the dropper downloads the primary payload matching the device's processor type (mips, mips64, mipsel, or mipsel64). Once installed, the malware deletes itself from disk.
Intelligent Scanning Based on Privileges
The JDY malware has a unique feature: it chooses how to scan other devices based on the level of privilege (root, admin, user, etc.) it holds on the compromised device:
1. If it has root privileges (and can therefore open raw sockets), it conducts a high-speed SYN scan with its own custom-built TCP packets.
2. If raw sockets are unavailable, or the task is a web scan, it falls back to standard TCP and TLS connections, or uses UDP and ICMP.
This flexibility ensures JDY can operate effectively whether it's running on a locked-down corporate firewall or a poorly secured home router.
Who Is Behind JDY?
The JDY botnet resurgence and expansion is linked to China-nexus state-sponsored threat actors. Specifically, Chinese hacking groups like Volt Typhoon use JDY's reconnaissance data.
Black Lotus Labs suspects the botnet is offered by its operators to various hacking outfits. The operators also carry out their own targeting. Either way, the result is the same: timely intelligence fed into a larger attack pipeline.
This is industrialized reconnaissance. When a new vulnerability is publicly disclosed, JDY can start scanning for vulnerable infrastructure within hours.
Why SOHO and IoT Devices?
You might wonder why attackers bother compromising small office routers and smart cameras. The answer is strategic.
A JDY botnet built on U.S.-based SOHO and IoT devices offers several advantages:
1. The ability to evade geofencing, since all of the traffic originates from IP addresses in the United States.
2. The ability to bypass reputation filters, since no single IP generates enough traffic to be blocklisted.
3. The ability to blend in with legitimate traffic, since scans sent from a home office router look like ordinary home office traffic.
Attackers don't need powerful servers. They need thousands of modest devices distributed across the exact geographies they want to scan. JDY has exactly that.
What JDY Is Looking For
JDY conducts targeted scanning and service fingerprinting. It captures responses including TLS certificates and metadata. The goal is infrastructure reconnaissance, not immediate exploitation.
That reconnaissance data most likely informs:
1. Asset discovery pipelines
2. Vulnerability-targeting systems
3. Downstream exploitation frameworks
JDY finds the weak spots. Then other Chinese threat actors decide which ones to hit.
The Bigger Picture
The JDY botnet resurgence and expansion demonstrates something important about modern cyber conflict. Disrupting individual nodes or clusters doesn't eliminate the underlying capability. The capability persists. It adapts. And it continues to provide adversaries with timely targeting data, often within hours of a vulnerability disclosure.
Black Lotus Labs put it clearly: "JDY's evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability."
What Can You Do?
If you manage a SOHO router, firewall, or IoT device, here's how to avoid becoming part of the JDY botnet:
1. Change default passwords. This is still the number one way devices get recruited.
2. Regularly update firmware. JDY exploits newly published vulnerabilities; patches exist for a reason.
3. Disable WAN remote management. If you don't need to administer the device from the WAN side, turn remote management off.
4. Watch for unusual outbound traffic. Compromised devices usually beacon back to C2 servers.
5. Segment IoT devices. Put them on a separate VLAN from your main network.
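As an added example for item 4 above (not code from this article or from the Black Lotus Labs report), the following Python flags outbound connections from a router whose timing is suspiciously regular and whose destination the owner does not recognise. It reads a constructed connection log, groups connections by destination, measures how evenly spaced they are, and then drops the regular-but-expected ones (time sync is regular too) using an owner-maintained baseline. The log format, the destination addresses, the baseline allowlist and the thresholds (ten connections, interval variation of at most 10%) are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed outbound-connection log from a SOHO router (not real traffic).
# One line per new outbound connection: "<epoch> <dst_ip> <dst_port>".
def build_router_log():
    lines = []
    t = 1700000000
    # Suspected beacon: a connection to the same host every ~300 s with a few
    # seconds of jitter, 24 times in a row.
    jitter = [3, -4, 1, -2, 5, 0, -1, 2, -3, 4, 1, -5,
              2, 0, -2, 3, -1, 4, -4, 1, 0, 2, -3, 5]
    ts = t
    for j in jitter:
        ts += 300 + j
        lines.append(f"{ts} 192.0.2.77 443")
    # Ordinary browsing: bursts of irregular connections to a content host.
    gaps = [12, 340, 7, 1900, 45, 3, 600, 88, 2, 410, 15, 1200,
            30, 9, 750, 66, 4, 220, 18, 980, 5, 33, 140, 27]
    ts = t
    for g in gaps:
        ts += g
        lines.append(f"{ts} 198.51.100.20 443")
    # Time sync: perfectly regular, but to a host the owner knows about.
    for k in range(12):
        lines.append(f"{t + k * 1024} 192.0.2.123 123")
    return lines


# Destinations the device owner expects (constructed allowlist): the time
# server and the content host seen during normal use.
BASELINE = {("192.0.2.123", 123), ("198.51.100.20", 443)}


def parse_router_log(lines):
    """Group connection timestamps by (dst_ip, dst_port)."""
    conns = defaultdict(list)
    for line in lines:
        ts, dst, port = line.split()
        conns[(dst, int(port))].append(int(ts))
    return conns


def beacon_candidates(conns, min_count=10, max_cv=0.1):
    """Return {(dst, port): mean_interval} for destinations contacted at least
    min_count times with intervals whose coefficient of variation
    (stdev / mean) is at most max_cv, i.e. suspiciously regular timing."""
    flagged = {}
    for key, times in conns.items():
        times = sorted(times)
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = round(mean, 1)
    return flagged


def triage(lines, baseline=BASELINE):
    """Regular timing alone is not proof (NTP is regular too): keep only the
    regular destinations that are not in the owner's baseline."""
    beacons = beacon_candidates(parse_router_log(lines))
    return {key: interval for key, interval in beacons.items() if key not in baseline}


if __name__ == "__main__":
    print(triage(build_router_log()))   # {('192.0.2.77', 443): 300.3}
```

The browsing traffic is never a candidate because its intervals vary wildly; the time server is a candidate but is in the baseline; only the unexplained five-minute cadence to 192.0.2.77 survives triage. On a real device the baseline would be built from a period of known-clean operation, and the log would come from the router's connection tracking or a NetFlow exporter rather than a constructed list.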
Conclusion
The JDY botnet resurgence and expansion is a quiet success story for Chinese state-sponsored hacking. A botnet that survived a government takedown, doubled in size, and now provides real-time reconnaissance to some of the most active threat actors on the planet.
JDY isn't stealing your files or encrypting your hard drive. It's doing something more dangerous: finding the next target before anyone knows there's a vulnerability.
And by the time you read about the breach, JDY has already moved on to the next scan.
FAQ Section
What is JDY?
JDY is a covert botnet composed of compromised SOHO and IoT devices. It performs targeted scanning and reconnaissance to support Chinese state-sponsored threat actors.
How much has the botnet grown since its revival?
JDY now controls more than 1,500 compromised devices, up from approximately 650 in early 2024.
What type of devices will be recruited into JDY?
JDY has compromised a wide range of devices, including routers and other devices produced by Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, Linksys and other manufacturers.
Who is using JDY?
Chinese state-sponsored hacking groups such as Volt Typhoon use data collected from JDY's reconnaissance scans to identify potential targets for future exploitation.
How does JDY avoid detection?
Because it uses compromised devices located in the United States, JDY's communications appear legitimate, and spreading the scans across many IP addresses makes them nearly impossible to block.
Wasn't the KV-botnet shut down?
The U.S. government successfully disrupted the KV-botnet in 2024; however, JDY survived the disruption and developed into a new, independent threat.