Threat Intelligence

JDY botnet expands, enabling rapid exploitation of disclosed vulnerabilities

Cybersecurity researchers at Lumen's Black Lotus Labs have identified a significant resurgence and expansion of the JDY botnet, a covert network linked to Chinese state-sponsored threat actors. The botnet, comprising over 1,500 compromised small office/home office (SOHO) and IoT devices, functions as a high-performance scanner for discovering and mapping exposed services at scale, as reported by The Hacker News.

Initially flagged as a cluster within the KV-botnet, JDY has evolved into an independent reconnaissance capability following the U.S. government's takedown of KV in early 2024. The JDY cluster now infects a wider range of devices, including those from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys, and the number of compromised devices has surged from 650 to over 1,500. Located primarily in the U.S. and Brazil, these devices conduct targeted scanning and service fingerprinting, identifying vulnerable infrastructure shortly after vulnerabilities are publicly disclosed. This industrialized reconnaissance effort feeds data into a larger scanning ecosystem for follow-on target identification and exploitation.

Operators manage the botnet through Tor nodes, and its command-and-control servers direct bots to perform detailed system profiling. Attack chains weaponize newly disclosed vulnerabilities in edge devices to deliver a shell script dropper, which then downloads the primary payload. The malware adapts its scanning methodology to the privileges it obtains on the infected device: where privileges permit, it performs high-speed SYN (half-open) scanning, and otherwise it falls back to standard full TCP connections and TLS handshakes. The resulting data informs asset discovery, vulnerability-targeting pipelines, and downstream exploitation systems, demonstrating how IoT/SOHO botnets persist and adapt as a durable capability within adversary ecosystems.
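The two scanning modes described above leave different traces in connection logs: a raw-socket SYN scanner never completes the three-way handshake (SYN, SYN-ACK, then a RST or nothing), while an unprivileged scanner that falls back to ordinary connect() calls completes the handshake and then closes the connection without exchanging data. The following Python is an added example, not code from the Black Lotus Labs report or from the JDY malware, showing how a defender might distinguish the two behaviours from connection-summary logs. The log format, the sample lines, the IP addresses and the thresholds (MIN_TARGETS, SCAN_RATIO) are all constructed for this example; the history letters mimic the Zeek conn.log convention but the records themselves are made up.

```python
"""Flag sources whose TCP behaviour looks like a half-open (SYN) scanner or
an unprivileged connect() scanner, from connection-summary log lines.

Added example, not part of the report or the malware. The log format is
constructed and mimics the Zeek conn.log `history` field:
S = SYN from source, h = SYN-ACK from target, r = RST from target,
A = ACK from source, D = data from source, d = data from target,
F = FIN, R = RST from source.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_TARGETS = 5   # distinct (host, port) pairs before a source is judged (assumed threshold)
SCAN_RATIO = 0.8  # share of a source's flows that must match a scan pattern (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    history: str


def parse_line(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <history>'."""
    _ts, src, dst, dport, history = line.split()
    return Flow(src, dst, int(dport), history)


def handshake_completed(history: str) -> bool:
    """SYN, SYN-ACK, then ACK from the source: a full three-way handshake."""
    return history.startswith("ShA")


def classify_sources(lines):
    """Return {source_ip: 'syn_scan' | 'connect_scan' | 'normal'}."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_line(line)
        flows[f.src].append(f)

    verdicts = {}
    for src, fl in flows.items():
        targets = {(f.dst, f.dport) for f in fl}
        if len(targets) < MIN_TARGETS:
            verdicts[src] = "normal"  # too few targets to call it a sweep
            continue
        n = len(fl)
        # Half-open: handshake never completed (privileged raw-socket SYN scan,
        # or probes against closed ports that answered with RST).
        half_open = sum(1 for f in fl if not handshake_completed(f.history))
        # Completed handshake but no payload: connect() then close, the
        # unprivileged fallback described in the report.
        connect_no_data = sum(
            1 for f in fl if handshake_completed(f.history) and "D" not in f.history
        )
        if half_open / n >= SCAN_RATIO:
            verdicts[src] = "syn_scan"
        elif connect_no_data / n >= SCAN_RATIO:
            verdicts[src] = "connect_scan"
        else:
            verdicts[src] = "normal"
    return verdicts


# Constructed sample log (not real traffic): ts src dst dport history
SAMPLE_LOG = """
# 203.0.113.10 sweeps six targets without ever completing a handshake
2024-05-01T10:00:00Z 203.0.113.10 198.51.100.5 22 Sh
2024-05-01T10:00:00Z 203.0.113.10 198.51.100.5 443 ShR
2024-05-01T10:00:00Z 203.0.113.10 198.51.100.6 22 Sr
2024-05-01T10:00:00Z 203.0.113.10 198.51.100.6 8443 S
2024-05-01T10:00:00Z 203.0.113.10 198.51.100.7 80 ShR
2024-05-01T10:00:00Z 203.0.113.10 198.51.100.8 23 Sh
# 198.51.100.7 completes handshakes but sends no data (one banner grab aside)
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.10 22 ShAF
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.10 443 ShAR
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.11 80 ShAF
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.11 8080 ShAR
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.12 22 ShAF
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.13 443 ShAF
2024-05-01T10:01:00Z 198.51.100.7 192.0.2.14 443 ShADdF
# 192.0.2.33 talks to many services but always exchanges data (ordinary client)
2024-05-01T10:02:00Z 192.0.2.33 198.51.100.20 443 ShADdF
2024-05-01T10:02:00Z 192.0.2.33 198.51.100.21 443 ShADdF
2024-05-01T10:02:00Z 192.0.2.33 198.51.100.22 80 ShADdF
2024-05-01T10:02:00Z 192.0.2.33 198.51.100.23 993 ShADdF
2024-05-01T10:02:00Z 192.0.2.33 198.51.100.24 443 ShADdF
# 192.0.2.44 hits too few targets to be judged
2024-05-01T10:03:00Z 192.0.2.44 198.51.100.20 443 ShR
2024-05-01T10:03:00Z 192.0.2.44 198.51.100.21 22 Sh
"""


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15} {verdict}")
```

The ratio test rather than a simple count matters in practice: a legitimate client whose connections occasionally fail (closed port, timeout) should not trip the SYN-scan rule, and a scanner that grabs a banner on a few open ports should still be caught as a connect-scanner. Thresholds should be tuned against a baseline of the monitored network, and SOHO/IoT device ranges deserve a lower MIN_TARGETS than servers that legitimately fan out to many destinations.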

Source: The Hacker News
