JDY Botnet Resurfaces, Expands to Target Military Networks

A botnet once thought dismantled has quietly regrouped into a more potent threat. The JDY botnet, tied to Chinese state-sponsored hacking groups, has re-emerged after a U.S. takedown earlier this year. It now operates more than 1,500 infected devices and targets military networks, particularly in the United States. Security researchers at Lumen's Black Lotus Labs report that the network has evolved into a covert reconnaissance tool, using compromised SOHO and IoT devices worldwide to scan for exposed services and map them at scale.
A Network Built for Stealth
JDY's resurgence is marked by its diversification. Initially relying on Cisco routers, the botnet now infects hardware from manufacturers such as Ubiquiti, DrayTek, and Hikvision, broadening its reach across multiple CPU architectures. Over two-thirds of infected nodes are in the U.S., with additional clusters in Brazil, Europe, and Asia. This geographic spread is not accidental; it is a deliberate evasion tactic. By spreading scans across thousands of IP addresses, the operators keep the probe volume from any single address low and avoid triggering geofencing, IP reputation filters, and static blocklists. Because the probes originate from ordinary home and small-business routers, they blend into legitimate traffic, and no single source stands out to per-address detection.
How JDY Operates—and Why It’s Dangerous
The botnet's architecture is layered and meticulous. Operators communicate with infected devices through Tor hidden services, so the real addresses of the command-and-control servers stay obscured. Payloads are deployed transiently: a dropper downloads the malware, executes it, and then deletes itself, leaving little on-disk forensic evidence. Once active, each infected device fingerprints its host, reporting OS, architecture, uptime, and malware version, before receiving scanning tasks.
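A payload that is downloaded, executed and then unlinked still has to exist somewhere while it runs, and on Linux the kernel records that in /proc/<pid>/exe. The following Python is an added example, not code from the Security Affairs article or from Black Lotus Labs; it walks the process table looking for executables that have been deleted, live only in an anonymous memfd, or were staged in a temp directory. The /proc layout and the " (deleted)" suffix are real kernel behaviour; the temp-directory list and the sample process table are constructed assumptions for illustration.

```python
"""Added example, not code from the article: hunt for Linux processes whose
backing executable no longer exists on disk, which is the trace left by a
payload that was dropped, executed and then unlinked.  The /proc layout is
real; the temp-directory list and the sample process table are assumptions."""
import os
from typing import Callable, Dict, Optional, Tuple

# Assumed set of directories a transient dropper typically stages in.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_exe(target: str) -> Optional[str]:
    """Given the resolved /proc/<pid>/exe link, say why it looks transient, or None."""
    if target.startswith("/memfd:"):
        return "anonymous memfd-backed executable"   # never touched the filesystem
    if target.endswith(" (deleted)"):
        return "executable unlinked while running"   # dropper removed its payload
    if target.startswith(TEMP_DIRS):
        return "executable staged in a temp directory"
    return None


def scan_proc(readlink: Callable[[str], str] = os.readlink,
              listdir: Callable[[str], list] = os.listdir,
              proc: str = "/proc") -> Dict[int, Tuple[str, str]]:
    """Walk every numeric /proc entry and resolve its exe link.  The filesystem
    calls are injectable so the same logic can run against a constructed table."""
    findings = {}
    for name in listdir(proc):
        if not name.isdigit():          # skip self, cpuinfo, etc.
            continue
        try:
            target = readlink(f"{proc}/{name}/exe")
        except OSError:                 # kernel thread, already exited, or not ours to read
            continue
        reason = classify_exe(target)
        if reason:
            findings[int(name)] = (target, reason)
    return findings


# Constructed sample process table (pid -> resolved exe link) so the logic can be
# exercised without a live /proc; pid 2 simulates an unreadable kernel thread.
SAMPLE_PROC_TABLE = {
    "1": "/usr/lib/systemd/systemd",
    "412": "/tmp/.cache/agent (deleted)",
    "777": "/memfd:ld (deleted)",
    "900": "/dev/shm/.x/scan",
    "1033": "/usr/sbin/sshd",
}


def _sample_readlink(path: str) -> str:
    pid = path.split("/")[2]
    if pid == "2":
        raise OSError("permission denied")
    return SAMPLE_PROC_TABLE[pid]


def demo_findings() -> Dict[int, Tuple[str, str]]:
    """Run the scan over the constructed table instead of the live /proc."""
    return scan_proc(readlink=_sample_readlink,
                     listdir=lambda _: ["self", "cpuinfo", "2"] + list(SAMPLE_PROC_TABLE))


if __name__ == "__main__":
    # On a real host drop the arguments: scan_proc() walks the live /proc.
    for pid, (exe, why) in sorted(demo_findings().items()):
        print(f"pid {pid}: {exe}  <- {why}")
```

Run it as root, or at least as the owner of the processes of interest, because /proc/<pid>/exe is not readable across users; a silent "permission denied" on a pid is itself worth a second look on a device you are triaging.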
JDY's scanning engine adapts to the privileges it obtains on each device. With sufficient privileges (raw-socket access), it crafts custom TCP packets and performs half-open scans that never complete the three-way handshake, so the target's application layer never sees a connection and little is logged. Without such access, it falls back to ordinary TCP connects and TLS sessions, which complete the handshake and are more visible but yield richer service fingerprints: banners, TLS certificates, and HTTP responses. The true danger lies in its dynamic rulesets. When ordered by its controllers, JDY downloads precise instructions to detect specific services, turning each router into a precision reconnaissance node. Its focus on military networks suggests a strategic, long-term campaign.
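Put together, the two preceding sections describe what a defender actually sees: half-open SYN probes that never complete a handshake, spread across enough source addresses that no one address crosses a per-source threshold. The following Python is an added example, not code from the Security Affairs article or from Black Lotus Labs. It contrasts a classic per-source port-scan rule, which the distributed fleet slips past, with a per-target aggregation that counts distinct half-open sources against each host; the flow-record format, the thresholds and the IP addresses are constructed assumptions for illustration.

```python
"""Added example, not code from the Security Affairs article or Black Lotus
Labs: contrast a per-source port-scan rule, which distributed probing defeats,
with a per-target aggregation that catches it.  The flow-record format, the
thresholds and the IP addresses are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str     # probing host
    dst: str     # probed host
    dport: int   # probed TCP port
    flags: str   # "S"  = SYN only, handshake never completed (half-open probe)
                 # "SA" = handshake completed (full connect, e.g. a banner grab)


def parse_flows(text: str) -> list:
    """Parse the assumed whitespace-separated 'ts src dst dport flags' records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), flags))
    return flows


def per_source_scanners(flows, max_ports: int = 5) -> set:
    """Classic heuristic: a source that half-opens more than max_ports distinct
    (host, port) pairs is a scanner.  A bot that probes one port never trips it."""
    touched = defaultdict(set)
    for f in flows:
        if f.flags == "S":
            touched[f.src].add((f.dst, f.dport))
    return {src for src, pairs in touched.items() if len(pairs) > max_ports}


def distributed_scans(flows, window: int = 60, min_sources: int = 8) -> dict:
    """Aggregate half-open probes per *target* instead of per source: report a
    host when at least min_sources distinct addresses SYN-probe it within
    `window` seconds.  Sources already caught by the per-source rule are left
    out, so what remains is the low-and-slow fleet."""
    loud = per_source_scanners(flows)
    probes = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.flags == "S" and f.src not in loud:
            probes[f.dst].append(f)
    hits = {}
    for dst, events in probes.items():
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            sources = {e.src for e in events[start:end + 1]}
            if len(sources) >= min_sources:
                hits.setdefault(dst, set()).update(sources)
    return hits


# Constructed sample: one legitimate client completing handshakes, one loud
# scanner walking eight ports, ten bots each sending a single SYN to the same
# host within a few seconds, and two bots against a second host (below threshold).
SAMPLE_LOG = "\n".join(
    ["1700000000 198.51.100.7 192.0.2.10 22 SA",
     "1700000005 198.51.100.7 192.0.2.10 443 SA"]
    + [f"17000001{i:02d} 203.0.113.200 192.0.2.10 {p} S"
       for i, p in enumerate([21, 22, 23, 80, 443, 8080, 8443, 3389])]
    + [f"17000002{i:02d} 203.0.113.{i + 1} 192.0.2.10 {p} S"
       for i, p in enumerate([22, 80, 443, 8080, 8443, 1723, 5000, 7547, 8291, 10443])]
    + ["1700000300 203.0.113.21 192.0.2.20 22 S",
       "1700000301 203.0.113.22 192.0.2.20 443 S"]
)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("per-source rule flags:", per_source_scanners(flows))  # only the loud scanner
    print("per-target rule flags:", distributed_scans(flows))    # the ten-bot fleet
```

The per-source rule is the one most firewalls and IDS ship by default, and it is exactly what a fleet of 1,500 routers sending one probe each is built to evade; keying the count on the target and on distinct sources, with SYN-only flows as the signal, turns the attacker's distribution into the detection feature. Tune the window and source count to your own baseline, since a popular public service will see many legitimate SYNs that do complete.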
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

