China-nexus state-sponsored actors have scaled the JDY botnet to over 1,500 compromised SOHO and IoT devices, turning it into a high-performance reconnaissance engine after the disruption of the KV-botnet. Targeting MIPS and MIPSEL (big- and little-endian MIPS) Linux devices, the botnet uses Tor-based C2 to orchestrate high-speed SYN scanning, banner grabbing, and TLS certificate collection. This infrastructure is used chiefly for the industrialized mapping of U.S. military assets and critical infrastructure in the energy and defense sectors. By operating from compromised edge devices from vendors such as Cisco and Ubiquiti, the actors hide their scanning inside residential IP space, bypassing geolocation and reputation-based filters during the preparation (reconnaissance) phase of the kill chain.

  • Campaign Architecture: Distributed Scaling

    • Expanded from 650 bots in early 2024 to over 1,500 active nodes, with high concentrations in the United States and Brazil.
    • Evolved from a sub-cluster of the disrupted KV-botnet into a standalone, high-performance framework for industrialized reconnaissance.
    • Managed via Tor-based Command and Control (C2) infrastructure, which hides the operators' origin and makes the C2 endpoints harder to locate and seize.
  • Targeted Infrastructure: Edge Device Exploitation

    • Targets embedded Linux architectures across multiple vendors, including Cisco, Ubiquiti, Linksys, Hikvision, DrayTek, Araknis, and Mimosa Networks.
    • Compromises a diverse array of edge hardware, specifically routers, firewalls, DVRs, and smart thermostats.
    • Utilizes compromised residential IP space to blend malicious scanning traffic with legitimate home-user activity, evading traditional IP-reputation filters.
  • Technical Mechanics: Scanning & Fingerprinting

    • Employs an adaptive scanning engine that prioritizes raw-packet (half-open) SYN scanning for rapid port discovery once the bot holds the root or CAP_NET_RAW privileges that raw sockets require on Linux.
    • Uses threaded TCP/TLS connections for a secondary "deep" fingerprinting pass, extracting application banners and TLS certificates from the services the SYN pass found open.
    • Feeds structured reconnaissance data into a centralized triage ecosystem, allowing downstream APT groups to operationalize newly disclosed vulnerabilities against the hosts already identified as running the affected service.
  • Threat Actor Attribution: China-Nexus TTPs

    • Attributed to China-nexus actors, demonstrating significant operational overlap with Volt Typhoon and associated clusters like Voltzite.
    • Follows a "living off the land" approach at the infrastructure level: the scanner runs on repurposed, legitimate SOHO hardware and residential connections rather than on heavy, detectable malware or dedicated, easily attributed attacker infrastructure.
    • Maintains high resilience, pivoting quickly to the JDY framework after the 2024 U.S. government-led disruption of the KV-botnet.
  • Operational Impact: Strategic Asset Mapping

    • Focuses on the "Preparation" (reconnaissance) phase of the cyber kill chain, specifically mapping U.S. military-affiliated networks and critical infrastructure (Energy, Oil & Gas).
    • Aims to minimize the window between the public disclosure of a vulnerability and the identification of targetable, unpatched services.
    • Provides a scalable mechanism for identifying high-value targets without triggering the alarms associated with data-center-based scanning.
  • Defensive Strategy: Hardening the Edge

    • Disable internet-facing (WAN-side) management interfaces, including web administration pages, SSH and telnet, on SOHO and IoT devices to shrink the initial attack surface.
    • Deploy behavioral analytics to detect high-volume, anomalous SYN scanning originating from residential IP ranges toward critical internal assets: many SYN-only packets to many distinct host:port targets with few or no completed handshakes.
    • Implement Zero Trust architectures, mandating machine (client) certificate verification and strict IP allow-lists for all remote access gateways.
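
As an added example, not code from this briefing or from any of the sources it draws on, the detector below applies the residential-SYN-scan heuristic above to per-packet firewall logs. The log layout, the residential prefix list and the thresholds are assumptions constructed for the example (documentation address ranges only); a real deployment would take the firewall's actual format and an ISP/ASN feed. It flags a source that, within a short window, sends many SYN-only packets to many distinct targets and almost never follows them with an ACK, and marks whether the source sits in residential space.

```python
"""Heuristic detector for half-open (SYN-only) scanning from residential source space.

Flags a source that, within a short window, sends many SYN-only packets to many
distinct host:port targets and almost never completes the handshake, which is the
signature of raw-socket SYN scanning rather than a browser or a legitimate client.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed residential prefixes, constructed for this example from documentation
# address space. A real deployment would load these from an ISP/ASN feed.
RESIDENTIAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed firewall log layout (constructed): one packet per line with its TCP flags.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def is_residential(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)


def detect_syn_scans(lines, window_s=60, min_syn=20, min_targets=15, max_completion=0.2):
    """Return {src: stats} for sources whose best window looks like a SYN scan.

    Thresholds are assumptions chosen for the constructed sample; tune per network.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            syn_only = [e for e in window if e["flags"] == "S"]
            targets = {(e["dst"], e["dport"]) for e in syn_only}
            if len(syn_only) < min_syn or len(targets) < min_targets:
                continue
            # A real client follows its SYN with ACK-bearing packets to the same target.
            completed = {(e["dst"], e["dport"]) for e in window if "A" in e["flags"]}
            completion = len(targets & completed) / len(targets)
            if completion > max_completion:
                continue
            stats = {"syn_count": len(syn_only), "targets": len(targets),
                     "completion": round(completion, 3),
                     "residential": is_residential(src),
                     "window_start": window[0]["ts"].isoformat()}
            # Keep the widest-reaching window seen for this source.
            if src not in alerts or stats["targets"] > alerts[src]["targets"]:
                alerts[src] = stats
    return alerts


def build_sample_log():
    """Constructed sample traffic (not captured data): a residential scanner,
    a normal residential client, and a data-centre scanner for comparison."""
    lines = []
    # 30 SYN-only probes from residential space: 10 internal hosts x 3 ports in 6 s.
    ports = [22, 443, 8443]
    for i in range(30):
        lines.append(f"2024-06-01T10:00:{i // 5:02d}Z src=203.0.113.7 "
                     f"dst=10.0.0.{i % 10 + 1} dport={ports[i % 3]} flags=S")
    # A normal residential client: five handshakes to one service, SYN then ACK.
    for i in range(5):
        lines.append(f"2024-06-01T10:00:{i:02d}Z src=203.0.113.9 dst=10.0.0.5 dport=443 flags=S")
        lines.append(f"2024-06-01T10:00:{i:02d}Z src=203.0.113.9 dst=10.0.0.5 dport=443 flags=A")
    # The same scan shape from non-residential space.
    for i in range(25):
        lines.append(f"2024-06-01T10:01:{i:02d}Z src=198.51.100.5 dst=10.0.0.20 "
                     f"dport={1000 + i} flags=S")
    return lines


if __name__ == "__main__":
    for src, stats in detect_syn_scans(build_sample_log()).items():
        tag = "RESIDENTIAL" if stats["residential"] else "non-residential"
        print(f"{src}: {stats['syn_count']} SYNs to {stats['targets']} targets, "
              f"completion={stats['completion']} [{tag}]")
```

The completion ratio is what separates a half-open scanner from a busy but legitimate client: a browser opening dozens of connections still sends ACKs to the targets it SYNed, so its ratio stays near 1.0, while a raw-socket SYN scanner never does. The residential flag is a severity signal rather than a filter, since the briefing's point is precisely that reputation-based filtering lets this traffic through.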
