China-Linked JDY Botnet Expands Beyond 1,500 Devices, Strengthening Cyber Reconnaissance Operations
Researchers warn that a rapidly growing botnet tied to Chinese threat actors now powers large-scale internet reconnaissance and vulnerability targeting across the globe.

JDY Botnet Continues to Grow
Cybersecurity researchers have uncovered a significant expansion of the JDY botnet, a covert network linked to China-aligned cyber operations. The botnet now consists of more than 1,500 compromised devices and continues to support large-scale reconnaissance activities targeting internet-facing infrastructure.
Researchers describe JDY as a highly efficient scanning platform rather than a traditional malware network focused on direct attacks. Its primary role is to identify, profile, and continuously map exposed services across the internet. This intelligence can then support future intrusion attempts and exploitation campaigns.
The findings highlight how modern threat actors increasingly rely on dedicated reconnaissance infrastructure to identify vulnerable systems before launching attacks.
From KV-Botnet to an Independent Reconnaissance Platform
Security analysts first identified JDY as part of the larger KV-botnet ecosystem in late 2023. Following law enforcement actions that disrupted KV-botnet operations in early 2024, operators modified their tactics and evolved portions of the infrastructure into independent networks.
JDY has since emerged as a standalone reconnaissance capability. Researchers believe multiple Chinese state-linked groups may leverage the network to gather intelligence on potential targets.
Rather than conducting broad and noisy internet scans, JDY focuses on collecting structured data that helps threat actors identify valuable systems and vulnerable services.
More Devices, Wider Reach
The botnet has grown significantly over the past year. Researchers observed roughly 650 infected devices at the beginning of 2024. Today, that number exceeds 1,500.
Most compromised systems are located in the United States and Brazil, with additional infections spread across Europe and Asia.
The botnet also targets a wider range of hardware than before. Earlier versions primarily relied on compromised Cisco routers. Current infections include devices from multiple vendors, including Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
This diversity makes detection and disruption more difficult. It also provides operators with a larger pool of trusted residential and small-business IP addresses.
Designed to Evade Traditional Defenses
One of JDY's most concerning characteristics is its ability to blend into normal internet traffic.
By distributing reconnaissance activity across thousands of compromised devices, operators avoid generating suspicious traffic from a single location. As a result, security controls based on IP reputation, geofencing, or static blocklists become less effective.
Because the botnet relies heavily on compromised SOHO routers and IoT devices, much of the activity appears to originate from legitimate users and businesses.
This approach allows attackers to collect intelligence while reducing the likelihood of detection.
How the Reconnaissance Operation Works
The botnet uses a layered architecture that separates management systems from infected devices.
Operators reportedly use anonymized infrastructure to control command-and-control servers and payload distribution systems. These servers assign reconnaissance tasks to compromised devices, directing them to probe specific targets rather than perform random scanning.
The malware collects valuable technical information from exposed systems, including service details, network metadata, and digital certificate information. It then sends the collected intelligence back to centralized servers for analysis.
Unlike many botnets that focus on delivering malware or launching denial-of-service attacks, JDY specializes in gathering information that supports future operations.
Exploiting Newly Disclosed Vulnerabilities
Researchers observed the botnet exploiting newly disclosed vulnerabilities in internet-facing devices. Attack chains typically begin with the exploitation of edge infrastructure, followed by the deployment of lightweight malware designed for reconnaissance.
Once installed, the malware identifies the device architecture and downloads the appropriate payload. After execution, it removes traces of the installer from the system.
The malware can also adjust its scanning techniques based on available privileges. If it gains elevated access, it performs high-speed network scans using custom-crafted packets. Otherwise, it relies on standard networking methods to continue reconnaissance activities.
This flexibility allows the botnet to operate effectively across a wide range of devices and environments.
Why This Threat Matters
The rapid growth of JDY demonstrates how cyber espionage operations continue to evolve despite disruption efforts.
Modern threat actors increasingly separate reconnaissance from exploitation. By maintaining dedicated scanning networks, they can identify vulnerable targets within hours of a new vulnerability becoming public.
This approach shortens the window between vulnerability disclosure and active targeting. Consequently, organizations face greater pressure to identify and patch exposed systems quickly.
For security teams, the JDY botnet serves as a reminder that threat actors often build long-term intelligence-gathering capabilities that survive individual takedowns. Even when authorities disrupt one network, the underlying reconnaissance infrastructure frequently adapts and returns in a new form.
Looking Ahead
The expansion of JDY highlights the growing role of automated reconnaissance in nation-state cyber operations. Rather than relying solely on human analysts, attackers now use large networks of compromised devices to continuously map the internet and identify emerging opportunities.
Organizations should strengthen monitoring of internet-facing assets, accelerate vulnerability management processes, and pay close attention to unusual scanning activity. As reconnaissance networks become more sophisticated, early detection remains one of the most effective ways to reduce cyber risk.
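As an added example (not from the researchers' report or from any vendor tool mentioned above), the Python script below illustrates the detection gap described under "Designed to Evade Traditional Defenses" and the closing advice to watch for unusual scanning activity: a conventional per-source port-scan threshold misses probing spread across many compromised residential addresses, while aggregating the same flow records by destination over a time window surfaces it. The log format and all IP addresses are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real data): "timestamp src dst dst_port".
# One host is probed by several distinct sources that each touch a single port,
# the traffic shape a distributed reconnaissance network produces.
SAMPLE_LOG = """\
2025-03-01T10:00:01 203.0.113.10 198.51.100.7 443
2025-03-01T10:00:03 203.0.113.11 198.51.100.7 22
2025-03-01T10:00:04 203.0.113.12 198.51.100.7 8443
2025-03-01T10:00:06 203.0.113.13 198.51.100.7 80
2025-03-01T10:00:07 203.0.113.14 198.51.100.7 8080
2025-03-01T10:00:09 203.0.113.15 198.51.100.7 4443
2025-03-01T10:00:20 203.0.113.50 198.51.100.9 443
"""

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows

def per_source_scanners(rows, max_ports=5):
    """Classic per-source detector: flag a (src, dst) pair whose source touched
    more than max_ports distinct ports. Distributed probing stays under it."""
    ports = defaultdict(set)
    for _, src, dst, port in rows:
        ports[(src, dst)].add(port)
    return sorted(k for k, v in ports.items() if len(v) > max_ports)

def distributed_scan_targets(rows, window=timedelta(minutes=1), min_sources=5, min_ports=5):
    """Aggregate by destination instead: flag a destination probed on many
    distinct ports by many distinct sources inside one sliding window, even
    though each source alone looks benign. Returns {dst: (sources, ports)}."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in rows:
        by_dst[dst].append((ts, src, port))
    hits = {}
    for dst, events in by_dst.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            srcs = {e[1] for e in events[start:end + 1]}
            ports = {e[2] for e in events[start:end + 1]}
            if len(srcs) >= min_sources and len(ports) >= min_ports:
                hits[dst] = max(hits.get(dst, (0, 0)), (len(srcs), len(ports)))
    return hits
```

On the sample records the per-source check returns nothing, while the destination-side aggregation flags 198.51.100.7 as probed on six ports by six sources within the window; the thresholds are illustrative and should be tuned to the environment's baseline.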