Full Report
The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts. [...]
Analysis Summary
# Threat Actor: JDY Botnet (China-nexus)
## Attribution & Identity
* **Actor Identification:** China-nexus Advanced Persistent Threat (APT) actors.
* **Aliases:** JDY.
* **Known Associations:** Closely associated with **Volt Typhoon** (based on previous activity and overlapping infrastructure/targets).
* **Actor Type:** A distributed scanning and fingerprinting network used to facilitate rapid exploitation by state-sponsored groups.
## Activity Summary
The JDY botnet has undergone a significant expansion, growing from 650 active bots in January 2024 to over 1,500 compromised devices by mid-2026. Rather than focusing on DDoS or mass exploitation, JDY acts as a reconnaissance engine that fingerprints vulnerable infrastructure immediately following public vulnerability disclosures. Recent operations show JDY rapidly operationalizing its scan results to target U.S. military networks and critical infrastructure.
## Tactics, Techniques & Procedures
* **Distributed Reconnaissance:** Conducts service discovery, banner grabbing, protocol fingerprinting, and TLS certificate collection.
* **Stealthy Scanning:** Sends raw SYN probes (half-open scans that never complete the TCP handshake) when the bot holds root/administrative privileges on the host, since raw sockets require them.
* **Custom Packet Crafting:** Uses a fixed source port (19000) and walks destination ports sequentially, batching probes across thousands of targets.
* **Rapid Operationalization:** Monitors for "N-day" vulnerabilities (e.g., CVE-2026-35616 in Fortinet FortiClient EMS) and begins scanning for exposed targets shortly after disclosure.
* **Persistence on Edge Devices:** Compromises SOHO (Small Office/Home Office) routers and IoT devices to build a relay network whose traffic blends into ordinary residential and small-business connections.
**MITRE ATT&CK IDs:**
* **T1595:** Active Scanning
* **T1590:** Gather Victim Network Information
* **T1201:** Password Policy Discovery
* **T1046:** Network Service Discovery (formerly "Network Service Scanning")
* **T1071.004:** Application Layer Protocol: DNS
* **T1090.003:** Proxy: Multi-hop Proxy (covers the Tor-based C2 described below; Tor itself is not a T1071.004 technique)
## Targeting
* **Sectors:** U.S. Military, Military-associated entities, and critical infrastructure.
* **Geography:** Primarily focused on the **United States**, though the compromised botnet nodes are distributed globally.
* **Victims:** Organizations utilizing vulnerable edge devices and Fortinet infrastructure.
## Tools & Infrastructure
* **Malware:** JDY Botnet client (MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures).
* **Frameworks:** **Platypus** (open-source reverse-shell and host-management framework).
* **C2 Infrastructure:**
* Hidden **Tor** services are used to mask Command & Control activities.
* Uses a centralized "Dispatch Service" for assignment distribution.
* **Affected Devices:**
* Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
## Implications
JDY represents a shift toward specialized reconnaissance-as-a-service for Chinese APTs. By maintaining a persistent, distributed "fingerprinting" network, Chinese actors can identify and exploit vulnerable U.S. military targets within hours of a vulnerability being made public. This significantly narrows the window for defenders to patch systems before exploitation occurs.
## Mitigations
* **Vulnerability Management:** Prioritize patching of internet-facing devices, specifically Fortinet and SOHO router firmware.
* **Attack Surface Reduction:** Disable all unnecessary internet-exposed administrative interfaces (web management UIs, SSH, Telnet, and similar).
* **Access Control:** Restrict remote management access to authorized internal IPs or VPNs only.
* **Credential Hygiene:** Replace all default or weak credentials on IoT and edge networking equipment.
* **Network Monitoring:** Monitor edge devices for unusual outbound scanning activity or connections to the Tor network.
* **Traffic Filtering:** Alert on, and where practical drop at the perimeter, inbound SYN packets with source port 19000, which has been associated with JDY's SYN scanning module. Treat the port alone as a weak indicator, since the bot operator can change it; pair it with the SYN-only and sequential-destination-port behaviour described above.
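The scanning pattern described under Tactics, Techniques & Procedures (fixed source port 19000, SYN-only probes, sequentially incremented destination ports) and the monitoring recommended in the two bullets above can be turned into a simple flow-level detector. The following Python is an added example written for this page; it is not code from the report or from the JDY malware, and the flow records, the `MIN_SEQUENTIAL_RUN` threshold and the whitespace-separated record format are constructed assumptions standing in for whatever a Zeek conn.log or NetFlow export would provide.

```python
"""Flag JDY-style SYN sweeps in flow records (added example, not from the report).

Heuristics taken from the report's description of the scanner:
  * every probe carries the same fixed source port (19000),
  * probes are SYN-only (the handshake is never completed),
  * destination ports are incremented sequentially across a batch of targets.
The records below are constructed sample data, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass

JDY_SOURCE_PORT = 19000    # reported by the page
MIN_SEQUENTIAL_RUN = 4     # assumption: tunable threshold for "sequential" behaviour


@dataclass(frozen=True)
class Flow:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag string: "S" = SYN only, "SA" = SYN/ACK, "A" = ACK


def parse_flow(line: str) -> Flow:
    """Parse one record: ts src_ip src_port dst_ip dst_port flags (assumed format)."""
    ts, src_ip, src_port, dst_ip, dst_port, flags = line.split()
    return Flow(float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags)


def longest_sequential_run(ports):
    """Length of the longest run of strictly consecutive (+1) ports in observation order."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_syn_sweeps(flows, fixed_port=JDY_SOURCE_PORT, min_run=MIN_SEQUENTIAL_RUN):
    """Group SYN-only flows by source IP; report sources matching all three heuristics."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.flags == "S":          # half-open probes only; completed handshakes are ignored
            by_src[f.src_ip].append(f)
    findings = {}
    for src, fs in by_src.items():
        fixed = all(f.src_port == fixed_port for f in fs)
        run = longest_sequential_run([f.dst_port for f in fs])
        if fixed and run >= min_run:
            findings[src] = {
                "probes": len(fs),
                "targets": len({f.dst_ip for f in fs}),
                "longest_sequential_run": run,
            }
    return findings


# Constructed sample: one JDY-like sweep, one benign handshake, one lone probe on port 19000.
SAMPLE_FLOWS = """\
1.00 203.0.113.10 19000 192.0.2.1 8080 S
1.01 203.0.113.10 19000 192.0.2.2 8081 S
1.02 203.0.113.10 19000 192.0.2.3 8082 S
1.03 203.0.113.10 19000 192.0.2.4 8083 S
1.04 203.0.113.10 19000 192.0.2.5 8084 S
2.00 198.51.100.5 51234 192.0.2.1 443 S
2.01 192.0.2.1 443 198.51.100.5 51234 SA
2.02 198.51.100.5 51234 192.0.2.1 443 A
3.00 198.51.100.7 19000 192.0.2.9 22 S
"""


def analyze_sample():
    """Run the detector over the constructed records; only 203.0.113.10 should be flagged."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS.splitlines()]
    return find_syn_sweeps(flows)


if __name__ == "__main__":
    for src, info in analyze_sample().items():
        print(f"{src}: {info}")
```

The lone SYN from 198.51.100.7 on source port 19000 is deliberately not flagged: a single packet from that port is exactly the kind of weak signal the mitigation bullet warns about, and requiring the sequential-port run keeps a stray match from paging an analyst. In production the records would come from a sensor export rather than a string, and the threshold would be tuned against a baseline of the network's own scanning (vulnerability scanners, load balancers' health checks) before alerting.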