China-nexus state-sponsored actors have scaled the JDY botnet to over 1,500 compromised SOHO and IoT devices, serving as a high-performance reconnaissance engine following the disruption of the KV-botnet. Targeting MIPS and MIPSEL Linux architectures, the botnet utilizes Tor-based C2 to orchestrate high-speed SYN scanning, banner grabbing, and TLS certificate collection. This infrastructure is primarily used for the industrialized mapping of U.S. military assets and critical infrastructure in the energy and defense sectors. By leveraging compromised edge devices from vendors like Cisco and Ubiquiti, actors mask malicious traffic within residential IP space to bypass geolocation and reputation-based filters during the preparation phase of the kill chain.
Campaign Architecture: Distributed Scaling
- Expanded from 650 bots in early 2024 to over 1,500 active nodes, with high concentrations in the United States and Brazil.
- Evolved from a sub-cluster of the disrupted KV-botnet into a standalone, high-performance framework for industrialized reconnaissance.
- Managed via Tor-based Command and Control (C2) infrastructure to anonymize operator origins and maintain persistence.
Targeted Infrastructure: Edge Device Exploitation
- Targets embedded Linux architectures across multiple vendors, including Cisco, Ubiquiti, Linksys, Hikvision, DrayTek, Araknis, and Mimosa Networks.
- Compromises a diverse array of edge hardware, specifically routers, firewalls, DVRs, and smart thermostats.
- Utilizes compromised residential IP space to blend malicious scanning traffic with legitimate home-user activity, evading traditional IP-reputation filters.
Technical Mechanics: Scanning & Fingerprinting
- Employs an adaptive scanning engine that prioritizes raw-packet SYN scanning for rapid port discovery upon obtaining necessary system privileges.
- Utilizes threaded TCP/TLS connections for secondary "deep" fingerprinting, extracting application banners and TLS certificates.
- Feeds structured reconnaissance data into a centralized triage ecosystem, allowing downstream APT groups to operationalize newly discovered vulnerabilities.
Threat Actor Attribution: China-Nexus TTPs
- Attributed to China-nexus actors, demonstrating significant operational overlap with Volt Typhoon and associated clusters like Voltzite.
- Employs "Living-off-the-Land" (LotL) strategies by repurposing legitimate SOHO hardware rather than deploying heavy, detectable malware.
- Maintains high resilience by pivoting quickly to the JDY framework following the 2024 U.S. government-led takedown of the KV-botnet.
Operational Impact: Strategic Asset Mapping
- Focuses on the "Preparation" phase of the cyber kill chain, specifically mapping U.S. military-affiliated networks and critical infrastructure (Energy, Oil & Gas).
- Aims to minimize the window between the public disclosure of a vulnerability and the identification of targetable, unpatched services.
- Provides a scalable mechanism for identifying high-value targets without triggering the alarms associated with data-center-based scanning.
Defensive Strategy: Hardening the Edge
- Disable all external-facing management interfaces (WMIs) on all SOHO and IoT devices to shrink the initial attack surface.
- Deploy behavioral analytics to detect high-volume, anomalous SYN scanning patterns originating from residential IP ranges toward critical internal assets.
- Implement Zero Trust architectures, mandating machine certificate verification and strict IP allow-lists for all remote access gateways.
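The behavioral-analytics control above can be expressed as a simple flow-log rule: flag external sources that open many half-open (SYN-only) connections to many distinct ports on critical internal hosts within a short window, which is the footprint a SYN-scanning bot leaves and a normal client does not. This is an added example, not code from the report or from any vendor; the log format, the critical subnet, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: critical subnet, thresholds and log format are
# illustrative; a real deployment takes them from inventory and the flow schema.
CRITICAL_NETS = [ip_network("10.0.5.0/24")]
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
MIN_SYN_ONLY_FLOWS = 10    # half-open probes inside one window
MIN_DISTINCT_TARGETS = 8   # distinct (host, port) pairs hit in that window

def parse_flow(line):
    """One constructed record: '<ISO time> <src> <dst> <dport> <flags seen>'."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport), flags

def in_any(addr, nets):
    return any(addr in net for net in nets)

def detect_syn_scanners(lines):
    """Return {src: distinct_targets} for external sources whose bare-SYN flows
    (flags == 'S': no ACK ever seen, so the handshake never completed) toward
    critical assets exceed both thresholds inside a sliding WINDOW."""
    events = defaultdict(list)  # src -> [(ts, (dst, dport))]
    for line in lines:
        ts, src, dst, dport, flags = parse_flow(line)
        if flags == "S" and in_any(dst, CRITICAL_NETS) and not in_any(src, RFC1918):
            events[src].append((ts, (dst, dport)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            targets = {t for _, t in evs[start:end + 1]}
            if end - start + 1 >= MIN_SYN_ONLY_FLOWS and len(targets) >= MIN_DISTINCT_TARGETS:
                flagged[str(src)] = max(flagged.get(str(src), 0), len(targets))
    return flagged

# Constructed sample: 203.0.113.10 sweeps twelve ports on two critical hosts with
# bare SYNs in 12 s; 198.51.100.7 completes real sessions; 10.0.1.5 is internal.
SAMPLE_LINES = (
    [f"2024-06-01T10:00:{i:02d} 203.0.113.10 10.0.5.{1 + i % 2} {20 + i} S" for i in range(12)]
    + [f"2024-06-01T10:01:{i:02d} 198.51.100.7 10.0.5.1 443 SA" for i in range(5)]
    + [f"2024-06-01T10:02:{i:02d} 10.0.1.5 10.0.5.3 {20 + i} S" for i in range(12)]
)
```

Calling `detect_syn_scanners(SAMPLE_LINES)` returns `{'203.0.113.10': 12}`: the completed sessions and the internal scanner are ignored, so only the residential-looking external sweep is raised.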