Why the China-linked JDY Botnet Expands Targeting of US Military Networks in 2026


Why the China-linked JDY botnet's Rapid Reconnaissance of Newly Disclosed Vulnerabilities Poses a Unique and Persistent Threat to US Military Networks

The JDY botnet operates differently from the botnets that usually make headlines: it's not about traffic volume or DDoS brute force. It's about precision, speed, and the covert, systematic identification of vulnerabilities. While the news cycle often focuses on the sheer number of compromised devices or immediate attack impact, Black Lotus Labs by Lumen has been tracking a different kind of threat with JDY. This botnet, linked to China-nexus APT actors like Volt Typhoon, isn't just growing; it's evolving into a dedicated, distributed reconnaissance platform aimed at U.S. military and associated networks. This expansion of the JDY botnet targeting US military networks represents a significant escalation in cyber espionage.

JDY's Stealthy Growth and Reconnaissance Surge

What we're seeing is a marked expansion of the JDY botnet's reach and its reconnaissance efforts. Back in January 2024, Black Lotus Labs identified around 650 active bots. Today, that number has more than doubled to over 1,500 compromised SOHO (small office/home office) and IoT devices. The growth is not indiscriminate: it reflects a focused effort, primarily targeting U.S. military and associated networks. The persistent threat of the JDY botnet to US military networks cannot be overstated, as it systematically maps out vulnerabilities.

This isn't an exploitation framework itself. It's a scouting party. Its rapid mapping of vulnerabilities presents a significant threat.

The Mechanism: How a Distributed Scanner Finds Your Weak Spots

The JDY botnet operates like a highly organized, distributed intelligence network. It compromises SOHO and IoT devices from vendors like Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, specifically targeting MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. Once a device is compromised, it registers with a central "Dispatch Service" reachable through Tor hidden services, which act as its command and control (C2). This infrastructure allows the JDY botnet to target US military networks effectively while providing its operators with critical reconnaissance data.

The attack chain unfolds in several distinct phases:

  1. Compromise (MITRE ATT&CK T1190: Exploit Public-Facing Application): An attacker exploits a known vulnerability in a SOHO or IoT device. Many of these devices are frequently left unpatched for months, sometimes years, after a CVE is disclosed.
  2. Registration (MITRE ATT&CK T1071.001: Application Layer Protocol: Web Protocols): The newly compromised bot connects to the C2 via Tor and registers itself, ready for assignments. This C2 communication often leverages standard application layer protocols to blend in.
  3. Assignment (MITRE ATT&CK T1071: Application Layer Protocol): The C2 dispatches scanning tasks to the bot. These aren't random scans; they're highly targeted, often looking for newly disclosed vulnerabilities shortly after public disclosure. For example, JDY bots have been observed targeting flaws like CVE-2026-35616, a FortiClient EMS flaw, often within 24-48 hours of public disclosure.
  4. Execution (MITRE ATT&CK T1595.002: Active Scanning: Vulnerability Scanning): The bot executes a range of scanning modules:
    • TCP/UDP/ICMP scanning (MITRE ATT&CK T1595.001: Active Scanning: Port Scanning): Basic network mapping.
    • Service discovery and banner grabbing (MITRE ATT&CK T1083: File and Directory Discovery): Identifying running services and their versions.
    • TLS certificate collection: Harvesting certificate details, which can reveal more about the target's infrastructure.
    • Protocol and service fingerprinting: Using downloadable rule sets to precisely identify what's running.
    • Advanced TCP Scanning (Raw SYN): If the bot has root or admin privileges, it can initiate high-speed SYN scanning using custom-crafted TCP packets. It uses a specific source port of 19000 and increments destination ports, batch-processing potentially thousands of targets. This raw packet manipulation is fast and stealthy, making it harder to detect with standard network monitoring.
  5. Exfiltration (MITRE ATT&CK T1041: Exfiltration Over C2 Channel): The bot compresses the scan results and sends them back to the C2, typically over encrypted channels.
  6. Operationalization (MITRE ATT&CK T1071: Application Layer Protocol): China-nexus APT actors then rapidly operationalize this reconnaissance output. They don't need to find the vulnerabilities themselves; JDY automates the discovery phase, pointing them directly to vulnerable targets. In some cases, they've even used Platypus, an open-source reverse-shell and host-management framework (MITRE ATT&CK T1219: Remote Access Software), for further control.
Figure: A single glowing red light in a server rack, symbolizing a compromised device or a critical vulnerability identified by JDY's reconnaissance.

JDY Botnet's Strategic Impact on US Military Networks

The practical impact here is substantial. This isn't a botnet designed for immediate disruption like a DDoS attack. JDY significantly enhances intelligence gathering capabilities. By rapidly identifying systems vulnerable to newly disclosed flaws, it gives China-nexus APT actors a critical head start. They can then move in with targeted exploits before many organizations even have a chance to patch. The strategic implications of the JDY botnet targeting US military networks are profound, enabling pre-positioning for future operations.

The focus on U.S. military and associated networks means this isn't just about intellectual property theft or general espionage. This is about pre-positioning for potential future operations, mapping out critical infrastructure, and identifying access points. The compromised SOHO and IoT devices, often overlooked in enterprise security strategies, serve as distributed launchpads. They are the perfect cover for this kind of distributed scanning, blending in with legitimate internet traffic.

Mitigating the JDY Threat: Key Defensive Postures

CISA has already issued warnings about the risks posed by Volt Typhoon operatives to unprotected SOHO routers, and those warnings apply directly here.

Organizations must prioritize several key defenses. Patching is non-negotiable; ensure all routers, firewalls, and IoT devices are updated immediately when patches are released. Rapid patching is crucial, as JDY exploits the window between vulnerability disclosure and remediation. Furthermore, reducing the attack surface by disabling unnecessary internet-exposed administrative interfaces is critical. If remote management isn't needed, it should be turned off; if it is, access must be restricted to specific, trusted IP ranges. These measures are vital to defend against the JDY botnet targeting US military networks.

Many devices still operate with factory default credentials. Changing these to strong, unique passwords is a fundamental security measure. Network segmentation is also vital: isolate SOHO and IoT devices from critical networks. A compromised smart thermostat or home router should not provide a direct path to sensitive military systems.

Monitoring for unusual outbound scanning is a primary detection vector. JDY's core function is scanning, so security teams must look for unusual outbound SYN activity, especially from devices that shouldn't be initiating scans. The use of a specific source port of 19000 for raw SYN scans is a clear indicator to watch for. Finally, organizations need to integrate threat intelligence feeds, like those from Black Lotus Labs, into their security operations. Knowing what vulnerabilities JDY is actively scanning for lets you prioritize patching and detection efforts effectively. Understanding the specific tactics of the JDY botnet targeting US military networks is key to robust defense.
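The detection described above, as an added example that is not code from the article or from Black Lotus Labs: it walks Zeek-style conn.log records, flags internal hosts whose outbound TCP SYNs go unanswered (conn_state S0) across many destination/port pairs, and records whether they use the fixed source port 19000 the article reports. The Zeek column order, the internal subnet, the fan-out threshold, and the sample records are all assumptions constructed for the example.

```python
# Added example (not the article's or Black Lotus Labs' code). Flags internal
# hosts whose outbound TCP SYNs go unanswered (Zeek conn_state S0) across many
# destinations and records whether they use the fixed source port 19000 that
# the article reports for JDY raw SYN scans. Subnet and threshold are assumed.
from collections import defaultdict
import ipaddress

JDY_SRC_PORT = 19000      # indicator reported in the article
FANOUT_THRESHOLD = 4      # assumed: distinct (dst, port) pairs before alerting
INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]   # constructed subnet

# Constructed sample: router 192.168.1.1 scanning from port 19000 (S0 = SYN
# sent, no reply) next to ordinary completed sessions (SF) from a workstation.
SAMPLE_LOG = """\
1710000000.1\t192.168.1.1\t19000\t203.0.113.10\t22\ttcp\tS0
1710000000.2\t192.168.1.1\t19000\t203.0.113.10\t23\ttcp\tS0
1710000000.3\t192.168.1.1\t19000\t203.0.113.11\t443\ttcp\tS0
1710000000.4\t192.168.1.1\t19000\t203.0.113.12\t8443\ttcp\tS0
1710000001.0\t192.168.1.50\t51234\t198.51.100.5\t443\ttcp\tSF
1710000002.0\t192.168.1.50\t51235\t198.51.100.5\t443\ttcp\tS0
"""

def parse_conn(log_text):
    """Yield one dict per Zeek conn.log data line (skips '#' header lines)."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, state = line.split("\t")[:7]
        yield {"src": src, "sport": int(sport), "dst": dst,
               "dport": int(dport), "proto": proto, "state": state}

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def find_syn_scanners(log_text, threshold=FANOUT_THRESHOLD):
    """Return {src: {"targets": n, "port19000": bool}} for internal hosts whose
    outbound unanswered SYNs reach at least `threshold` distinct (dst, port)."""
    fanout, jdy_port = defaultdict(set), defaultdict(bool)
    for rec in parse_conn(log_text):
        if rec["proto"] != "tcp" or rec["state"] != "S0":
            continue                                  # only unanswered SYNs
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue                                  # outbound only
        fanout[rec["src"]].add((rec["dst"], rec["dport"]))
        jdy_port[rec["src"]] |= rec["sport"] == JDY_SRC_PORT
    return {src: {"targets": len(t), "port19000": jdy_port[src]}
            for src, t in fanout.items() if len(t) >= threshold}

if __name__ == "__main__":
    for host, info in find_syn_scanners(SAMPLE_LOG).items():
        print(f"ALERT {host}: {info['targets']} unanswered SYN targets, "
              f"source port 19000: {info['port19000']}")
```

The fan-out check is the primary signal; the fixed source port is reported alongside it rather than used as the sole trigger, so a variant that changes the port would still be caught by the unanswered-SYN pattern.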

Figure: A network engineer actively monitoring for the tell-tale signs of JDY's outbound SYN activity, a critical detection vector for the botnet.

The longevity of the JDY botnet, a persistent and adaptable tool for China-nexus APT groups, suggests this problem will continue to evolve. It signals that adversaries are investing in sophisticated, distributed reconnaissance capabilities. We cannot afford to treat SOHO and IoT devices as afterthoughts in our security posture, especially when they are weaponized to target critical national infrastructure. The ongoing threat demands continuous vigilance and a proactive, integrated patching strategy to counter the JDY botnet's impact on US military networks.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.