Network overview of JDY botnet | Image: Black Lotus Labs
A covert reconnaissance network tied to Chinese state-backed hackers is back and bigger than before. Researchers at Black Lotus Labs have tracked a resurgence of the JDY botnet, a China-nexus network of compromised home and small-office devices. According to the team, the botnet now scans the internet for fresh vulnerabilities almost as soon as they are disclosed.
From takedown to comeback
The JDY botnet is not new. It began as one cluster of the larger KV-botnet, which U.S. authorities disrupted between late 2023 and early 2024. That takedown crippled the KV cluster, yet the JDY cluster survived.
In fact, it has thrived since. Black Lotus Labs reports that JDY shrank to roughly 650 bots in January 2024. Today, however, the botnet spans more than 1,500 compromised devices. In other words, it has more than doubled in size. Most of those devices sit in the United States, while others are scattered across Europe, Asia, and the Americas.
A bigger, more diverse device base
Earlier, the JDY cluster relied on just two Cisco router models. Now its victim base is far broader. Compromised gear comes from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
This diversity gives the operators a powerful edge. Because so many bots are legitimate U.S. devices, the JDY botnet blends into normal traffic. Consequently, geofencing, IP reputation filters, and static blocklists struggle to catch it. And because the scans are spread across thousands of addresses, no single IP looks like an obvious scanner.
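One defender-side answer to that spreading, added here as an illustration rather than anything from the Black Lotus Labs report, is to aggregate by destination port and time window instead of by source IP, so a sweep that sends only one or two probes per bot still stands out. The firewall log lines below are constructed, and the window size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall deny lines (not real traffic). Each field is
# "<ISO timestamp> <src ip> <dst ip> <dst port>".
SAMPLE_LOG = """\
2026-04-02T10:00:01Z 198.51.100.10 203.0.113.5 443
2026-04-02T10:00:19Z 198.51.100.23 203.0.113.5 443
2026-04-02T10:00:44Z 192.0.2.77 203.0.113.5 443
2026-04-02T10:01:12Z 198.51.100.88 203.0.113.5 443
2026-04-02T10:01:30Z 192.0.2.140 203.0.113.5 443
2026-04-02T10:02:05Z 198.51.100.10 203.0.113.5 443
2026-04-02T10:02:51Z 192.0.2.9 203.0.113.5 443
2026-04-02T10:03:33Z 198.51.100.201 203.0.113.5 443
2026-04-02T10:01:02Z 192.0.2.50 203.0.113.5 22
2026-04-02T10:03:02Z 192.0.2.50 203.0.113.5 22
"""

WINDOW_SECONDS = 300       # assumed 5-minute aggregation window
MIN_DISTINCT_SOURCES = 5   # assumed: alert when this many IPs probe one port
PER_SOURCE_THRESHOLD = 5   # classic per-IP scan threshold, for contrast

def parse_line(line):
    """Parse one log line into (epoch seconds, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(when.timestamp()), src, dst, int(dport)

def max_probes_per_source(log):
    """Highest hit count from any single source: all a per-IP rule sees."""
    counts = defaultdict(int)
    for line in log.splitlines():
        counts[parse_line(line)[1]] += 1
    return max(counts.values(), default=0)

def detect_distributed_scan(log, window=WINDOW_SECONDS, min_sources=MIN_DISTINCT_SOURCES):
    """Return [(dport, window_start_epoch, distinct_source_count), ...] for
    every (port, window) pair probed by at least `min_sources` distinct IPs."""
    sources = defaultdict(set)
    for line in log.splitlines():
        epoch, src, _dst, dport = parse_line(line)
        sources[(dport, epoch - epoch % window)].add(src)   # bucket by window
    return sorted((port, start, len(ips)) for (port, start), ips in sources.items()
                  if len(ips) >= min_sources)

if __name__ == "__main__":
    per_ip = max_probes_per_source(SAMPLE_LOG)
    print(f"per-IP rule fires: {per_ip >= PER_SOURCE_THRESHOLD} (max {per_ip} hits)")
    print("distributed-scan alerts:", detect_distributed_scan(SAMPLE_LOG))
```

On the sample, no source exceeds two hits, so a per-IP threshold stays silent, while the port-centric view reports seven distinct sources probing 443 in one window.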
Reconnaissance built for speed
At its heart, the JDY botnet is a distributed scanning machine. Operators run it through hidden Tor services that mask both the control and payload servers. From there, the bots perform multiprotocol scans that grab service banners, TLS certificates, and other fingerprints. Some devices are also managed with Platypus, an open-source reverse-shell tool, and the command channel runs almost around the clock.
The scanning is targeted, not random. Black Lotus Labs found a clear focus on military-related networks, with U.S. military entities the most prominent targets. Most strikingly, the operators ramped up scans of Fortinet devices right after a new flaw, CVE-2026-35616, went public.
That timing is the whole point. As the researchers put it, the activity delivers targeting data “within hours of vulnerability disclosure.” Therefore, exposed devices face probing before many defenders can even patch.
Inside the malware
The JDY malware is a Linux scanning agent built for MIPS-based routers and embedded systems. These are exactly the devices where security monitoring is weakest. A lightweight dropper script checks the device architecture, fetches the matching payload, and launches it before wiping itself from disk.
Once running, the malware beacons to a central “dispatch service” and pulls scanning tasks on demand. Rather than hard-coding targets, it receives encrypted instructions and updated fingerprinting rules. As a result, the operators can retune the entire fleet on the fly.
The scanner also adapts to its privileges. With root access, it launches fast, stealthy SYN scans. Otherwise, it falls back to slower TCP and TLS connections that still harvest rich data. Either way, it ships compressed results back to the C2 for analysis.
Why it matters
The JDY botnet shows how nation-state crews now treat reconnaissance as a scalable weapon. By mapping the internet continuously, they can pounce on vulnerable systems the moment a bug appears.
The persistence is the alarming part. Black Lotus Labs warns that “disruption of individual nodes or clusters does not eliminate the underlying capability.” In short, knocking out a few bots does not kill the threat.
You can read the full Black Lotus Labs analysis of the JDY botnet for indicators and mitigation steps. Above all, patch edge devices quickly, replace end-of-life routers, and follow current NCSC guidance on defending against China-nexus covert networks. Because once a vulnerability is public, the JDY botnet may already be looking for you.