China-Nexus JDY Botnet Expands SOHO/IoT Infrastructure for Targeted Reconnaissance
China-nexus state-sponsored actors have scaled the JDY botnet to more than 1,500 compromised SOHO and IoT devices, using it as a high-throughput reconnaissance engine following the disruption of the KV-botnet. The malware targets MIPS and MIPSEL Linux architectures, and the botnet uses Tor-based C2 to orchestrate high-speed SYN scanning, banner grabbing, and TLS certificate collection. This infrastructure is primarily used for the industrialized mapping of U.S. military assets and of critical infrastructure in the energy and defense sectors. By routing scans through compromised edge devices from vendors such as Cisco and Ubiquiti, the actors blend malicious traffic into residential IP space and bypass geolocation- and reputation-based filters during the preparation phase of the kill chain.
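Because the scanning originates from residential IP space, reputation lists are a weak control; the more reliable signal is per-source fan-out, i.e. one source touching many distinct host:port pairs in a short window, with most connections never completing a handshake. The detector below runs that check over Zeek-style connection records. It is an added example written from the defender's side, not code from the original report; the field layout, thresholds and sample flows are constructed assumptions.

```python
"""Fan-out detector for SYN scanning / banner grabbing in Zeek-style conn records.
Added example; field order, thresholds and sample data are constructed."""
from collections import Counter, defaultdict

# Constructed sample records: (ts, src_ip, dst_ip, dst_port, conn_state, resp_bytes).
# Zeek conn_state semantics: S0 = SYN seen, no reply; SF = full handshake and close.
# Scanner sweeps 12 hosts x 3 ports; every 4th host answers (banner grab, SF).
SAMPLE_FLOWS = [
    (i * 0.5, "198.51.100.7", f"203.0.113.{h}", p,
     "SF" if h % 4 == 0 else "S0", 64 if h % 4 == 0 else 0)
    for i, (h, p) in enumerate((h, p) for h in range(1, 13) for p in (22, 443, 8443))
]
# Benign client: repeated connections to a single service.
SAMPLE_FLOWS += [(5.0, "192.0.2.5", "203.0.113.50", 443, "SF", 2048)] * 3


def detect_scanners(flows, window_s=60, min_targets=10):
    """Return {(src_ip, window_id): summary} for sources that contact at least
    `min_targets` distinct (dst_ip, dst_port) pairs within one fixed window.
    The summary carries the share of SYN-only (S0) connections, which is high
    for blind SYN sweeps and lower when the scanner completes handshakes to
    read banners or fetch TLS certificates."""
    targets = defaultdict(set)      # (src, window) -> {(dst, port)}
    states = defaultdict(Counter)   # (src, window) -> conn_state counts
    for ts, src, dst, dport, state, _resp_bytes in flows:
        key = (src, int(ts // window_s))
        targets[key].add((dst, dport))
        states[key][state] += 1

    alerts = {}
    for key, pairs in targets.items():
        if len(pairs) < min_targets:
            continue
        c = states[key]
        alerts[key] = {
            "distinct_targets": len(pairs),
            "distinct_hosts": len({dst for dst, _ in pairs}),
            "distinct_ports": len({port for _, port in pairs}),
            "syn_only_ratio": c["S0"] / sum(c.values()),
        }
    return alerts


if __name__ == "__main__":
    for (src, win), summary in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src} window {win}: {summary}")
```

Tune `window_s` and `min_targets` to the observed baseline of your own egress flows; a low `syn_only_ratio` combined with high fan-out is the banner-grab pattern rather than a pure SYN sweep.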