China-Linked JDY Botnet Hits 1,500 Devices Targeting U.S. Military

Black Lotus Labs tracked the JDY botnet's growth to 1,500-plus compromised devices, with U.S. military networks identified as the primary target sector.

    Black Lotus Labs at Lumen Technologies has documented the significant expansion of the JDY botnet — a China-linked reconnaissance network purpose-built for intelligence collection against U.S. military and government infrastructure — which has grown from approximately 650 active bots to more than 1,500 compromised SOHO and IoT devices while sustaining U.S. military networks as its most prominent target sector.

    JDY’s Reconnaissance Mission Against U.S. Military and Government-Associated Networks

    JDY does not function as a distributed denial-of-service tool or a ransomware delivery vehicle. Its operational purpose is systematic intelligence collection: mapping exposed services, fingerprinting software versions, harvesting cryptographic certificates, and identifying vulnerabilities across U.S. military and associated networks. That reconnaissance output provides the targeting data that makes subsequent precision intrusions operationally feasible — a different threat profile than direct exploitation.

    Black Lotus Labs identified U.S. military networks and associated entities as the “most prominent” target sector in JDY’s observed activity. The botnet uses Tor-based command-and-control infrastructure, routing communications through Tor hidden services to obscure attribution and complicate disruption efforts by defenders and law enforcement.

    TCP Scanning, TLS Certificate Harvesting, and CVE-2026-35616: JDY’s Targeting Pipeline

    JDY’s technical capabilities span multiple reconnaissance disciplines simultaneously. The botnet conducts TCP and UDP scanning, SSL/TLS scanning, ICMP probing, protocol fingerprinting, banner collection, and TLS certificate harvesting — building a detailed, layered profile of every exposed service it surveys. For raw SYN scanning operations, JDY uses a fixed source port of 19000, a behavioral indicator that researchers used to identify and track its scanning activity across monitored networks.
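    The fixed source port is the kind of indicator a network defender can turn into a detection, so here is an added Python check, not code from Black Lotus Labs or the article, that applies it to conn.log-style flow records. The sample records and the fan-out threshold are constructed assumptions; the check treats port 19000 alone as a weak signal and only flags a source when its SYN-only probes fan out to many distinct targets.

```python
from collections import defaultdict

JDY_SYN_SOURCE_PORT = 19000  # fixed source port reported for JDY raw SYN scans

# Constructed sample records in a Zeek conn.log-style tab-separated layout
# (not real captures): ts, orig_h, orig_p, resp_h, resp_p, proto, history.
# In Zeek's history field a bare "S" means the originator only sent a SYN;
# "ShADadFf" is a completed handshake with data and a clean close.
SAMPLE_CONN_LOG = """\
1700000000.10\t203.0.113.7\t19000\t198.51.100.10\t443\ttcp\tS
1700000000.11\t203.0.113.7\t19000\t198.51.100.11\t443\ttcp\tS
1700000000.12\t203.0.113.7\t19000\t198.51.100.12\t22\ttcp\tS
1700000000.13\t203.0.113.7\t19000\t198.51.100.13\t8443\ttcp\tS
1700000000.14\t203.0.113.7\t19000\t198.51.100.14\t443\ttcp\tS
1700000001.00\t192.0.2.5\t52344\t198.51.100.10\t443\ttcp\tShADadFf
1700000002.00\t192.0.2.9\t19000\t198.51.100.10\t443\ttcp\tShADadFf
"""

FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "history")


def parse_conn_log(text):
    """Parse tab-separated conn.log-style lines into dicts; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: ignore rather than crash on a live feed
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records


def find_fixed_port_syn_scanners(records, src_port=JDY_SYN_SOURCE_PORT, min_targets=5):
    """Return {source_ip: distinct_target_count} for sources that sent SYN-only
    TCP probes from the fixed source port to at least min_targets distinct
    (host, port) pairs. The fan-out threshold is what separates scanning from
    an ordinary client that happens to use 19000 as its ephemeral port."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp" or r["orig_p"] != src_port:
            continue
        if r["history"] != "S":  # only half-open probes count, not real sessions
            continue
        targets[r["orig_h"]].add((r["resp_h"], r["resp_p"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}
```

    On the sample, only 203.0.113.7 is reported; the host that completed a normal session from source port 19000 is not, which is the distinction that keeps the indicator from producing false positives.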

    The botnet’s operationalization speed was demonstrated when researchers observed JDY scanning for CVE-2026-35616, a FortiClient EMS vulnerability, shortly after that flaw’s public disclosure. The gap between vulnerability announcement and active JDY reconnaissance activity against that attack surface compressed significantly — from the weeks that traditionally separated disclosure from widespread exploitation attempts to a much shorter interval. When operating with root privileges on compromised devices, JDY can batch-process thousands of scan targets simultaneously, enabling high-throughput reconnaissance across large network address ranges.

    Compromised Cisco, Ubiquiti, DrayTek, and Hikvision Devices Form JDY’s Distributed Infrastructure

    JDY achieves its distributed reach through compromised SOHO and IoT equipment rather than dedicated servers. Confirmed compromised device types include routers, cameras, and modems from Cisco, Ubiquiti, DrayTek, Hikvision, and Linksys, spanning multiple hardware architectures. These are legitimate consumer and small-business devices — enrolled without their owners’ knowledge into a nation-state intelligence collection network. The distributed nature of this infrastructure makes disruption operationally difficult: each node is a separate physical device owned by a private individual or small business, located in consumer networks, with no central server to seize or shut down.

    Volt Typhoon Association and JDY’s Strategic Role in Chinese Pre-Positioning Operations

    Black Lotus Labs associated JDY with Chinese threat actors including Volt Typhoon — a group previously documented as focused on prepositioning access to U.S. critical infrastructure, specifically targeting utilities, communications networks, and transportation systems. The documented goal of Volt Typhoon’s prepositioning operations is to enable disruptive attacks during a future geopolitical crisis, rather than immediate exploitation for financial gain.

    JDY, as a reconnaissance tool associated with Volt Typhoon-linked infrastructure, feeds directly into that prepositioning capability. The intelligence gathered through JDY’s systematic scanning and certificate harvesting operations — service versions, exposed vulnerabilities, network topology — provides the targeting data that supports precision intrusion against specific critical infrastructure assets. The botnet’s expansion from approximately 650 to more than 1,500 active devices indicates that the operations sustaining the network have continued despite prior public reporting on Volt Typhoon-associated activity by U.S. and allied government agencies.
