A newly expanded cyber espionage network linked to China-nexus threat actors has grown rapidly in scale and sophistication, with security researchers warning that the “JDY botnet” now compromises more than 1,500 devices worldwide and is being used for large-scale reconnaissance operations.
The findings highlight an increasingly industrialized approach to cyber reconnaissance targeting internet-exposed infrastructure across multiple continents.
A growing covert scanning network
Cybersecurity analysts at Lumen Technologies’ Black Lotus Labs say the JDY botnet functions as a centrally controlled scanning system designed to identify, map, and fingerprint vulnerable internet-facing services.
The network is primarily made up of compromised small office/home office (SOHO) equipment and Internet of Things (IoT) devices, including routers, firewalls, and surveillance systems.
Researchers say the botnet has expanded significantly since early 2024, growing from roughly 650 infected devices to more than 1,500 active nodes.
Linked to state-aligned cyber activity
Security experts associate JDY with China-nexus advanced persistent threat (APT) ecosystems, including groups previously linked to large-scale cyber reconnaissance campaigns such as Volt Typhoon.
The botnet was first identified as part of a broader cluster within the earlier KV-botnet infrastructure, which was disrupted in a coordinated takedown effort by U.S. authorities in 2024. Despite this, researchers say operators adapted quickly and rebuilt parts of the network with new architecture and behavior changes.
Global spread of infected devices
According to the report, compromised devices are distributed globally, with the highest concentration found in the United States and Brazil, followed by parts of Europe and Asia.
Security researchers note that the growing presence of infected devices in Brazil reflects a broader trend of increasing botnet activity targeting the region’s expanding digital infrastructure.
The infected hardware includes products from multiple manufacturers, such as routers and networking devices used in both consumer and enterprise environments.
Advanced reconnaissance capabilities
Unlike traditional botnets used for direct attacks, JDY is primarily focused on reconnaissance. It conducts high-volume scanning across the internet, identifying exposed systems and collecting technical details such as service versions, configurations, and security fingerprints.
The malware can execute different scanning techniques depending on system privileges, including high-speed TCP SYN scanning when root access is available, or standard connection-based probing when it is not.
Collected data is transmitted back to centralized command infrastructure for analysis and potential use in later exploitation campaigns.
Stealth and resilience tactics
Researchers say the botnet is designed to evade detection by distributing scanning activity across thousands of legitimate IP addresses belonging to compromised devices. This makes blocking efforts more difficult, as individual IPs are less likely to be flagged as malicious.
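Because the scanning is spread across many legitimate-looking source addresses, a per-source-IP threshold alone tends to miss it. As an added example (not code from the Black Lotus Labs report or from the malware itself), the following Python snippet aggregates constructed firewall log lines by destination and port, so a probe distributed across many sources still stands out even when no single source exceeds the classic threshold; the log format and addresses are assumptions made for illustration.

```python
# Added example, not code from the Black Lotus Labs report or the JDY malware:
# a defender-side check for scanning spread across many source IPs so that
# no single source trips a per-IP threshold. Log format/values are constructed.
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed firewall log: six sources each send one SYN to 203.0.113.5:443,
# two sources probe port 22 once, and one host talks to a web server normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 SYN src=198.51.100.10 dst=203.0.113.5 dport=443
2024-05-01T10:00:02 SYN src=198.51.100.11 dst=203.0.113.5 dport=443
2024-05-01T10:00:03 SYN src=198.51.100.12 dst=203.0.113.5 dport=443
2024-05-01T10:00:04 SYN src=198.51.100.13 dst=203.0.113.5 dport=443
2024-05-01T10:00:05 SYN src=198.51.100.14 dst=203.0.113.5 dport=443
2024-05-01T10:00:06 SYN src=198.51.100.15 dst=203.0.113.5 dport=443
2024-05-01T10:00:07 SYN src=198.51.100.20 dst=203.0.113.5 dport=22
2024-05-01T10:00:08 SYN src=198.51.100.21 dst=203.0.113.5 dport=22
2024-05-01T10:00:09 SYN src=192.0.2.7 dst=203.0.113.9 dport=80
2024-05-01T10:00:10 SYN src=192.0.2.7 dst=203.0.113.9 dport=80
"""

def parse_events(log_text):
    """Return (src, dst, dport) tuples for every line that matches LOG_RE."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events

def per_source_alerts(events, max_attempts=5):
    """Classic rule: flag any single source that exceeds max_attempts."""
    counts = Counter(src for src, _, _ in events)
    return sorted(src for src, n in counts.items() if n > max_attempts)

def distributed_scan_alerts(events, min_sources=5):
    """Aggregate by (dst, dport): flag targets probed by many distinct sources,
    which catches a botnet that spreads one scan across its nodes."""
    sources = defaultdict(set)
    for src, dst, dport in events:
        sources[(dst, dport)].add(src)
    return {t: len(s) for t, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(ev))        # []
    print("distributed alerts:", distributed_scan_alerts(ev))  # {('203.0.113.5', 443): 6}
```

On the constructed sample the per-source rule raises nothing, while the per-target aggregation flags the port probed by six distinct sources.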
The infrastructure is reportedly layered and resilient, using encrypted command-and-control channels and intermediary servers to mask operator activity.
Security teams also observed the use of Tor-based routing to further obscure the origin of control signals and payload delivery.
Exploiting newly disclosed vulnerabilities
Attackers behind JDY are believed to actively exploit newly published vulnerabilities in internet-facing devices, often deploying automated scripts shortly after security flaws are disclosed publicly.
Once a device is compromised, lightweight malware payloads are installed temporarily, executed in memory or deleted after launch to reduce forensic traces.
A persistent global threat
Experts warn that JDY reflects a broader evolution in cyber espionage, where botnets are no longer used solely for disruption but as persistent reconnaissance platforms supporting larger state-aligned operations.
According to researchers, even when individual clusters are dismantled, the underlying capability often survives and re-emerges in modified form.
Security analysts caution that such networks can provide adversaries with near real-time intelligence on exposed systems worldwide, potentially enabling rapid exploitation shortly after vulnerabilities are announced.