JDY
JDY is a Linux-based botnet malware and covert reconnaissance platform tied to China-nexus state-sponsored activity, including reported links to Volt Typhoon. It was first identified in 2023 as a cluster within the KV botnet and remained active after U.S. government disruption of KV in early 2024, later evolving into an independent reconnaissance capability. Black Lotus Labs reported that JDY grew from roughly 650 bots in January 2024 to more than 1,500 compromised SOHO, edge, and IoT devices distributed across the United States, Europe, Asia, and the Americas, with most infected nodes located in the United States.
JDY is used primarily for targeted scanning, service discovery, fingerprinting, and continuous mapping of exposed services at scale rather than direct exploitation or DDoS. Researchers described it as a centrally controlled, high-performance distributed scanning machine that performs multiprotocol probing across TCP, UDP, SSL/TLS, and ICMP, collecting banners, TLS certificates, certificate metadata, redirects, HTTP responses, and other service fingerprints. The malware receives encrypted tasking and updated fingerprinting rules from a central dispatch service instead of relying on hard-coded targets, compresses reconnaissance results, and sends them back to command-and-control infrastructure for analysis.
The malware targets Linux-based MIPS, MIPS64, MIPSEL, and MIPSEL64 routers and embedded systems. A lightweight shell or bash dropper checks architecture, downloads the matching payload, executes it, and deletes itself from disk. Once active, JDY beacons over HTTPS to a dispatch service and retrieves scanning assignments on demand. Reported command-and-control tradecraft includes use of hidden Tor services to conceal command-and-control and payload servers, and some infected devices were managed using the Platypus open-source reverse-shell/host-management framework. When JDY has root or raw-socket capability, it performs fast and stealthy SYN scans; otherwise it falls back to slower TCP and TLS connections for data collection.
JDY has expanded beyond earlier reliance on Cisco RV320 and RV325 routers to include compromised devices from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, and reporting also mentions attacks on unpatched routers, cameras, and other edge devices. Researchers assessed that its scanning is selective rather than indiscriminate, with a clear focus on U.S. military and related networks. Black Lotus Labs observed rapid increases in scans of Fortinet devices immediately after disclosure of CVE-2026-35616, indicating that JDY supports rapid vulnerability targeting and downstream exploitation workflows. Its use of compromised residential and small-business devices helps traffic blend with legitimate activity and reduces the effectiveness of geofencing, IP reputation controls, and static blocklists.
High-confidence indicators and technical details directly reported in the source material include payload/C2 infrastructure at 149.248.3[.]38, Platypus hosted on port 13339, HTTPS POST check-in path /dispatch_service/v2/probe_status, result submission path /data/v2/pscan, hardcoded AES decryption key 0000000000000000bdb718bdf47cbcde, hardcoded version string 1.8.3.9, process name auditdy used to check for existing infections, and supported commands including Exit, report_status, and update_dmap_fp_db.
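As an added defensive example, not part of the page or of the Black Lotus Labs reporting: a small Python check that matches the indicators listed above against constructed proxy/firewall log lines and a constructed process listing. The key=value log format, the field names, the sample lines and the helper names are assumptions; only the IP, port, URL paths and process name come from the page.

```python
import re

# Indicators taken from the JDY reporting summarised above.
JDY_C2_IP = "149.248.3.38"             # defanged on the page as 149.248.3[.]38
JDY_PLATYPUS_PORT = 13339              # Platypus management instance
JDY_HTTP_PATHS = {
    "/dispatch_service/v2/probe_status",  # HTTPS POST check-in
    "/data/v2/pscan",                      # scan-result submission
}
JDY_PROCESS_NAME = "auditdy"           # process name the bot checks for prior infection

# Assumed log format (constructed for this example): key=value pairs per line.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def match_jdy(line):
    """Return the JDY indicator names a log line matches (empty list if none)."""
    f = parse_line(line)
    hits = []
    if f.get("dst") == JDY_C2_IP:
        hits.append("c2_ip")
    if f.get("dst") == JDY_C2_IP and f.get("dport") == str(JDY_PLATYPUS_PORT):
        hits.append("platypus_port")
    path = f.get("path", "").split("?", 1)[0]   # ignore any query string
    if f.get("method") == "POST" and path in JDY_HTTP_PATHS:
        hits.append("c2_path")
    return hits

def scan_logs(lines):
    """Return (index, hits) for every line that matches at least one indicator."""
    return [(i, h) for i, ln in enumerate(lines) if (h := match_jdy(ln))]

def find_infection_marker(ps_output):
    """True if a process named auditdy appears in a ps-style listing (header skipped)."""
    for row in ps_output.splitlines()[1:]:
        cols = row.split()
        if cols and cols[-1].rsplit("/", 1)[-1] == JDY_PROCESS_NAME:
            return True
    return False

# Constructed sample telemetry (private source addresses, one unrelated destination).
SAMPLE_LOGS = [
    'ts=2024-01-15T10:00:00Z src=10.0.0.5 dst=149.248.3.38 dport=443 method=POST path=/dispatch_service/v2/probe_status',
    'ts=2024-01-15T10:00:05Z src=10.0.0.9 dst=149.248.3.38 dport=13339 proto=tcp',
    'ts=2024-01-15T10:00:09Z src=10.0.0.7 dst=198.51.100.10 dport=443 method=GET path=/index.html',
    'ts=2024-01-15T10:01:00Z src=10.0.0.8 dst=198.51.100.20 dport=443 method=POST path=/data/v2/pscan?x=1',
]
SAMPLE_PS = "PID USER CMD\n1 root /sbin/init\n842 root /tmp/auditdy\n"
```

The path rule fires even when the destination is not the known C2 address, so that it still catches check-ins to infrastructure the page does not list.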
Vulnerabilities exploited
1 CVE has been correlated with this family across public research and vendor advisories.
Researchers at Black Lotus Labs have tracked a resurgence of the JDY botnet, a China-nexus network of compromised home and small-office devices... At its heart, the JDY botnet is a distributed scanning machine.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (4 techniques)
Bots perform multiprotocol scans across TCP, UDP, SSL, and ICMP channels, then send compressed, encrypted results back to the central server.
By distributing scanning and fingerprinting across thousands of compromised SOHO and IoT devices, operators can rapidly identify vulnerable infrastructure and targets of interest while evading traditional, IP-based defenses.
The JDY botnet now makes up 1,500 compromised small office and home office (SOHO) devices, as well as edge and Internet of Things (IoT) devices, and is used by Chinese state-backed hackers including Volt Typhoon as a scanner to spot exposed services for exploitation.
Black Lotus Labs found that JDY botnet operators target specific devices for scanning and reconnaissance, rather than conducting widespread, indiscriminate scanning. Most notably, there was a selective increase in scans of Fortinet equipment immediately after the disclosure of a new vulnerability, indicating the ability and intent to find and exploit vulnerable devices before patches are widely applied.
Resource Development (1 technique)
Initial Access (1 technique)
Execution (1 technique)
Stealth (1 technique)
Discovery (4 techniques)
The botnet is designed not to attack targets directly, but to scan the internet for vulnerable systems and pass that intelligence to hacker groups tied to China.
Determine the device architecture by probing available system utilities and parsing command output... Once executed, the malware begins by initializing several variables, including a hardcoded malware version... and a unique “probe_id,” which is computed by MD5 hashing system-specific information.
Command and Control (7 techniques)
The malware adapts its scanning methodology based on system privileges, utilizing high-speed SYN scanning when possible or resorting to standard TCP and TLS connections.
Since infected devices are ordinary home and small business routers, their traffic blends in with normal internet activity, making detection harder for traditional security tools.
The large number of US-based SOHO and IoT devices that comprise the botnet allows operators to blend in with legitimate user traffic, making malicious scanning and reconnaissance activity harder to detect.
A lightweight bash dropper handles infection: it detects the device’s processor type, downloads the matching payload, executes it, and deletes the file from disk.
Some devices are also managed through Platypus, an open-source remote shell tool, with the payload server at 149.248.3[.]38 hosting a Platypus instance on port 13339.
Infected devices receive scanning tasks from a command-and-control server communicating via hidden Tor nodes, making it nearly impossible to trace back to operators.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A Linux-based scanning botnet targeting MIPS routers and embedded devices. It uses compromised SOHO/edge devices to perform distributed reconnaissance, collect service banners and TLS certificates, and rapidly scan for newly disclosed vulnerabilities via encrypted tasking from command-and-control infrastructure.
A botnet targeting unpatched routers, cameras, SOHO, edge, and IoT devices. It is used primarily for scanning, fingerprinting, and reconnaissance to identify exposed services and vulnerable infrastructure for later exploitation.
A China-linked botnet operating on compromised SOHO and IoT devices to conduct internet-wide reconnaissance and vulnerability scanning, then return encrypted scan results to command-and-control infrastructure for use by China-aligned threat actors. It uses Linux payloads for MIPS/MIPSEL architectures, a bash dropper, Tor-hidden C2, and can leverage Platypus for remote shell management.
A centrally controlled, high-performance IoT/SOHO botnet used for infrastructure reconnaissance. It discovers, fingerprints, and continuously maps exposed services at scale, sending structured reconnaissance data back to operators to support follow-on targeting and exploitation.