Security experts sound alarm over 'expanded' China-linked botnet used to target US critical infrastructure and military assets
The China-linked botnet highlights risk of leaving routers and IoT devices unpatched
The JDY botnet is back and expanding via attacks on unpatched routers, cameras and other edge devices.
According to a report from Lumen's Black Lotus Labs, the JDY botnet now comprises 1,500 compromised small office and home office (SOHO) devices, as well as edge and Internet of Things (IoT) devices, and is used by Chinese state-backed hackers including Volt Typhoon as a scanner to spot exposed services for exploitation.
JDY was first spotted back in 2023 as part of an investigation into the KV botnet, which was used for covert data transfer while JDY was focused on scanning and reconnaissance. After KV was taken down last year by the US government, JDY remained an active threat, Black Lotus Labs noted in a report.
Now, the JDY botnet has doubled in size, with compromised devices located across Europe and Asia, though the majority are in the US. The network is used to scan a range of targets for weaknesses, though the US military is a clear focus.
"The expansion of the JDY botnet underscores how China‑nexus threat actors are scaling reconnaissance as a core enabler of exploitation," Black Lotus Labs said in a blog post.
"By distributing scanning and fingerprinting across thousands of compromised SOHO and IoT devices, operators can rapidly identify vulnerable infrastructure and targets of interest while evading traditional, IP‑based defenses."
Gabrielle Hempel, Security Operations Strategist at Exabeam, noted that discussions around botnets normally focus on data theft, but there's more to consider.
"We spend a lot of time talking about nation-state actors stealing information, but the scarier reality is that many of these operations are designed to establish positioning and persistence," she said.
"If geopolitical tensions ever escalate, having access already in place is far more valuable than trying to gain it during a crisis. Persistent access provides intelligence collection opportunities today and potential disruption options tomorrow."
Targeting unpatched edge devices
Previously, JDY focused on two Cisco router models but has now expanded its botnet to include a range of manufacturers. Using edge devices helps the botnet's activity blend into regular traffic, the security lab added.
Devices aren't added to the JDY botnet at random, however. Indeed, the attackers are looking for specific models with known exploitable flaws.
"Black Lotus Labs found that JDY botnet operators target specific devices for scanning and reconnaissance, rather than conducting widespread, indiscriminate scanning," the post said. "Most notably, there was a selective increase in scans of Fortinet equipment immediately after the disclosure of a new vulnerability, indicating the ability and intent to find and exploit vulnerable devices before patches are widely applied."
Hempel noted that JDY continues the trend of attackers focusing on easy-to-exploit edge devices that are often missed in security efforts.
"As we have seen with many recent attacks, campaigns like JDY don’t rely on the sophisticated zero days that everyone loves to talk about, but leverage poorly maintained edge devices, exposed infrastructure, and slow patching," Hempel added. "It’s the low-hanging fruit that they are after to get in."
What should enterprises do?
Given that, it's no surprise that Black Lotus Labs advises companies to follow existing best practice for routers, firewalls, and IoT devices: install patches for known flaws, run security updates, and regularly reboot.
Beyond that, the security lab advised enterprises to adopt the Secure Access Service Edge (SASE) architecture or similar solutions to reduce the attack surface, and to implement existing guidance from national security bodies on mitigating Volt Typhoon and other China-linked threat groups.
"The JDY botnet underscores the risk of relying on traditional IP-based security controls such as geofencing, IP reputation-based detection, and static blocklists," the security lab added.
"The large number of US-based SOHO and IoT devices that comprise the botnet allows operators to blend in with legitimate user traffic, making malicious scanning and reconnaissance activity harder to detect."
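The tactic described above, thousands of sources each doing very little, is exactly what defeats per-IP thresholds and static blocklists. The following is an added example, not from the article or from Black Lotus Labs, that uses constructed firewall log lines in an assumed `src=… dst=… dport=…` format to contrast a classic per-source scan threshold with a target-centric count of distinct sources per exposed service.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). Six different sources each touch
# one service once (distributed fingerprinting); one noisy source sweeps five ports.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=203.0.113.10 dst=198.51.100.5 dport=443 action=allow
2024-01-01T10:00:07 src=203.0.113.21 dst=198.51.100.5 dport=443 action=allow
2024-01-01T10:00:15 src=203.0.113.33 dst=198.51.100.5 dport=443 action=allow
2024-01-01T10:00:22 src=203.0.113.47 dst=198.51.100.5 dport=443 action=allow
2024-01-01T10:00:30 src=203.0.113.58 dst=198.51.100.5 dport=443 action=allow
2024-01-01T10:00:41 src=203.0.113.62 dst=198.51.100.5 dport=443 action=allow
2024-01-01T10:01:02 src=192.0.2.9 dst=198.51.100.7 dport=22 action=deny
2024-01-01T10:01:03 src=192.0.2.9 dst=198.51.100.7 dport=23 action=deny
2024-01-01T10:01:04 src=192.0.2.9 dst=198.51.100.7 dport=80 action=deny
2024-01-01T10:01:05 src=192.0.2.9 dst=198.51.100.7 dport=443 action=deny
2024-01-01T10:01:06 src=192.0.2.9 dst=198.51.100.7 dport=8080 action=deny
2024-01-01T10:02:00 src=203.0.113.10 dst=198.51.100.9 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse(log_text):
    """Yield (src, dst, dport) from the assumed log format; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def per_source_alerts(events, threshold=5):
    """Classic per-IP rule: flag a source once it touches >= threshold distinct (dst, port) pairs.
    Each botnet node stays far below this, so only the single noisy scanner is caught."""
    touched = defaultdict(set)
    for src, dst, dport in events:
        touched[src].add((dst, dport))
    return sorted(src for src, pairs in touched.items() if len(pairs) >= threshold)

def distributed_scan_alerts(events, min_sources=4):
    """Target-centric rule: flag a (dst, port) service probed by >= min_sources distinct sources,
    no matter how little each source did. Returns (dst, port, distinct_source_count)."""
    sources = defaultdict(set)
    for src, dst, dport in events:
        sources[(dst, dport)].add(src)
    return sorted((d, p, len(s)) for (d, p), s in sources.items() if len(s) >= min_sources)

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("per-source alerts:", per_source_alerts(events))          # ['192.0.2.9']
    print("distributed alerts:", distributed_scan_alerts(events))  # [('198.51.100.5', 443, 6)]
```

The per-source rule never sees the six residential-looking addresses as a scan, while the target-centric count surfaces the service they are collectively fingerprinting; tuning `min_sources` against a baseline of normal distinct-client counts is what keeps it from flagging popular public services.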
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.