Expanded JDY IoT and SOHO Botnet Enables Rapid Vulnerability Exploitation

Black Lotus Labs recently identified a significant resurgence of the JDY botnet, a covert reconnaissance network tied to China-nexus threat activity. This botnet comprises over 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices, operating as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale.

The IoT-based malware infects a wider range of device types and feeds structured reconnaissance data into a larger scanning ecosystem for subsequent triage, target identification, and exploitation. JDY demonstrates how IoT and SOHO botnets are being used for rapid vulnerability exploitation.

In December 2023, Black Lotus Labs unveiled the KV-botnet, a covert network of thousands of SOHO routers and firewall devices used by China-based APTs, most notably Volt Typhoon, to conduct espionage and intelligence operations targeting U.S. critical infrastructure. Despite setbacks, the JDY cluster remained an active threat, surging to more than 1,500 compromised devices actively conducting targeted scanning and service fingerprinting.

Analysis shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors. This targeted focus has been observed across various sectors, with the U.S. military and associated entities as the most prominent.

The JDY botnet has more than doubled in size since the U.S. government takedown efforts against the KV cluster. In January 2024, we observed approximately 650 bots communicating with the JDY command-and-control (C2) servers. Today, the JDY botnet comprises more than 1,500 compromised devices actively conducting scanning and reconnaissance.

Most notably, there was a selective increase in scans of Fortinet equipment immediately after the disclosure of a new vulnerability, indicating the ability and intent to find and exploit vulnerable devices before patches are widely applied.
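The post-disclosure scan surge described above is the kind of signal a defender can test for directly. The following is an added example, not Black Lotus Labs tooling; it assumes a perimeter sensor that records, per day, the source address and the product it fingerprinted on the probed service, and it runs on constructed records (the post names no indicators). It compares mean daily hits against a product in the days after a disclosure date with a pre-disclosure baseline and counts how many distinct sources took part.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

# Assumed sensor record shape: (day, source_ip, fingerprinted_product).
Record = Tuple[date, str, str]

# Constructed disclosure date for the example; not from the post.
DISCLOSURE = date(2024, 1, 15)


def constructed_records(disclosure: date) -> List[Record]:
    """Made-up sensor data: a quiet baseline, then a burst of probes against
    the same product class from many new sources right after disclosure."""
    recs: List[Record] = []
    for d in range(10, 0, -1):                       # 10 quiet days before
        day = disclosure - timedelta(days=d)
        recs += [(day, f"192.0.2.{i}", "fortinet-fortigate") for i in range(2)]
    for d in range(3):                               # 3 busy days after
        day = disclosure + timedelta(days=d)
        recs += [(day, f"198.51.100.{i}", "fortinet-fortigate") for i in range(25)]
    return recs


def post_disclosure_surge(records: Iterable[Record], product: str, disclosure: date,
                          baseline_days: int = 7, window_days: int = 3,
                          factor: float = 3.0) -> Dict[str, object]:
    """Flag a surge when mean daily hits on `product` in the window starting at
    `disclosure` are at least `factor` times the pre-disclosure baseline."""
    per_day: Counter = Counter()
    sources = defaultdict(set)
    for day, src, prod in records:
        if prod == product:
            per_day[day] += 1
            sources[day].add(src)
    base = [per_day[disclosure - timedelta(days=d)] for d in range(1, baseline_days + 1)]
    post = [per_day[disclosure + timedelta(days=d)] for d in range(window_days)]
    base_mean = sum(base) / baseline_days
    post_mean = sum(post) / window_days
    post_sources = set().union(*(sources[disclosure + timedelta(days=d)] for d in range(window_days)))
    return {
        "baseline_mean": base_mean,
        "post_mean": post_mean,
        "ratio": post_mean / base_mean if base_mean else float("inf"),
        "distinct_post_sources": len(post_sources),
        "surge": post_mean > 0 and post_mean >= factor * base_mean,
    }


def run_example() -> Dict[str, object]:
    return post_disclosure_surge(constructed_records(DISCLOSURE), "fortinet-fortigate", DISCLOSURE)
```

A high ratio combined with a large number of distinct, previously unseen sources is what distinguishes a coordinated botnet sweep from a single researcher re-checking a product after an advisory.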

The JDY botnet operates through a layered architecture, managing infected infrastructure through concealed Tor nodes that obfuscate access to both C2 and payload servers. The malware samples obtained were builds of a Linux-based scanning agent compiled for the MIPS, MIPS64, and MIPSEL architectures commonly found in routers and embedded systems.

Black Lotus Labs recommends implementing recent U.K. National Cyber Security Centre (NCSC) guidance on defending against China-nexus covert networks of compromised devices.

This post is licensed under CC BY 4.0 by the author.