JDY

JDY is a Linux-based botnet and reconnaissance malware cluster linked by Black Lotus Labs to China-nexus state-sponsored activity and previously associated with Volt Typhoon and the broader KV-botnet. It operates as a centrally controlled, high-performance scanner rather than a DDoS platform or direct exploitation framework, and is used to discover, fingerprint, and continuously map exposed internet services at scale for downstream targeting.

Black Lotus Labs reported that JDY grew from roughly 650 observed bots in January 2024 to more than 1,500 compromised SOHO and IoT devices. The botnet has expanded beyond earlier compromises of Cisco RV320 and RV325 routers to include devices from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys. Infected infrastructure is distributed across Europe, Asia, and the Americas, with many nodes located in the United States and Brazil. Researchers assessed that this footprint helps operators evade geofencing, IP reputation controls, and static blocklists by blending malicious traffic with legitimate residential and small-office traffic.

JDY focuses on selective reconnaissance and service fingerprinting rather than indiscriminate internet-wide scanning. Reported capabilities include TCP, UDP, SSL/TLS, and ICMP-assisted probing; banner grabbing; TLS certificate and metadata collection; protocol fingerprinting; and flaw-focused reconnaissance shortly after public vulnerability disclosures. Black Lotus Labs observed scans tied to newly disclosed Fortinet-related vulnerabilities, including CVE-2026-35616, and assessed that JDY reconnaissance is rapidly operationalized to identify vulnerable infrastructure before patches are widely applied. Reported scan output includes JSON-formatted results containing IPs, ports, TTLs, banners, TLS versions, certificates, domains, URLs, redirects, and related metadata.

The malware samples described are built for MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. A lightweight bash dropper checks architecture, downloads the appropriate payload, executes it with a supplied C2 IP and group ID, and deletes the payload from disk. The malware fingerprints the host, sends an initial encrypted HTTPS POST beacon to /dispatch_service/v2/probe_status, retrieves encrypted tasking from a centralized dispatch service, and decrypts responses using the hardcoded AES key 0000000000000000bdb718bdf47cbcde. Supported commands include Exit, report_status, and update_dmap_fp_db. When running with sufficient privileges, JDY can perform high-speed raw-socket SYN scanning using a fixed source port of 19000; otherwise it falls back to standard TCP, TLS, UDP, or ICMP-based methods. Results are compressed and sent via HTTP POST to /data/v2/pscan using the filename attr.json.

JDY command-and-control and payload infrastructure is managed through concealed Tor nodes and hidden services. Some infected devices were reportedly managed using Platypus, an open-source reverse shell and host management tool; one cited payload server was 149.248.3[.]38 hosting a Platypus server on port 13339. Black Lotus Labs assessed that JDY continues to support multiple China-nexus APT actors by supplying timely reconnaissance data for follow-on exploitation and targeting. Reported targeting emphasized U.S. networks, with many scanned IPs associated with U.S. military and related entities.