Introduction: A Ghost Network That Refused to Die
The digital battlefield rarely sees true “endings.” When a botnet is dismantled, it does not always disappear; it mutates, fragments, and re-emerges under a new architecture. The JDY botnet is a clear example of that evolution. First observed in late 2023 inside the KV-botnet ecosystem, JDY was believed to have been weakened after U.S. authorities disrupted parts of KV in early 2024. But security researchers at Lumen Technologies’ Black Lotus Labs have confirmed a different reality: JDY never stopped operating. It adapted, expanded, and quietly rebuilt itself into a more powerful reconnaissance infrastructure tied to advanced state-aligned threat activity, including links to Volt Typhoon.
What emerges today is not just a botnet, but a distributed global surveillance engine capable of mapping exposed systems at industrial scale.
The Silent Resurgence of JDY: A Botnet That Refused Shutdown
JDY’s comeback was not loud. There were no obvious spikes, no dramatic resurgence signatures. Instead, it grew quietly from hundreds of infected devices back into a force exceeding 1,500 compromised systems.
Originally concentrated around Cisco RV320 and RV325 routers, JDY has diversified aggressively. Now it infects a wide range of SOHO and IoT hardware including Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys devices. This diversification is not accidental. It is strategic resilience. Every additional manufacturer adds a new layer of unpredictability, making detection pipelines less effective and signature-based blocking harder.
At its lowest point in early 2024, JDY was estimated at around 650 active bots. Today, it has more than doubled that footprint.
Architecture of Concealment: How JDY Avoids Detection
JDY is not built like traditional malware. It behaves more like a distributed intelligence system designed to remain invisible while constantly observing the internet.
Command-and-control traffic is routed through hidden Tor services, concealing both control infrastructure and payload delivery systems. Each infected device receives scanning instructions, executes tasks, and returns structured results to aggregation servers.
Nothing lingers. Payloads are downloaded, executed, and erased immediately. By the time forensic investigators inspect a device, the evidence is gone.
This architecture creates a system that is not just resilient, but deliberately anti-forensic.
The Reconnaissance Engine: Turning Routers Into Intelligence Nodes
At its core, JDY is not built to destroy systems. It is built to understand them.
Each infected device sends structured JSON reports to dispatch servers containing:
Operating system version
Architecture type
Memory availability
Uptime statistics
Malware version
From there, scanning tasks are assigned dynamically. If root access is available, JDY deploys raw socket SYN scanning, allowing it to probe thousands of targets rapidly without completing TCP handshakes. This leaves almost no application-layer trace.
If privileges are limited, it switches to full TCP and TLS interactions, gathering deeper intelligence such as:
Service banners
SSL/TLS configurations
Certificate metadata
HTTP redirects and responses
Each node effectively becomes a distributed reconnaissance probe embedded inside real residential and enterprise networks.
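The two scanning modes described above leave different traces in network flow logs: root-mode SYN scanning shows up as many SYN-only flows that never get a reply, while the limited-privilege mode shows up as many short, completed connections to distinct hosts. The following is an added example, not code from the article or from Black Lotus Labs, that flags both patterns over constructed Zeek-style connection records; the thresholds, field layout and IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the report.
SYN_FANOUT = 10         # distinct hosts hit with SYN-only flows (conn_state S0)
PROBE_FANOUT = 8        # distinct hosts with short completed/rejected flows
MAX_PROBE_BYTES = 2000  # a banner grab or TLS hello pulls back little data


def parse_flow(line):
    """Parse one constructed, Zeek-like line: ts src dst dport conn_state resp_bytes.

    conn_state follows Zeek conventions: S0 = SYN seen with no reply,
    SF = normal establishment and teardown, REJ = attempt rejected.
    """
    ts, src, dst, dport, state, resp_bytes = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "state": state, "resp_bytes": int(resp_bytes)}


def classify_sources(lines):
    """Return {src: 'syn-scan' | 'connect-probe'} for sources whose fan-out
    matches either JDY scanning mode; benign sources are omitted."""
    syn_only = defaultdict(set)   # src -> hosts that only ever saw a SYN
    probes = defaultdict(set)     # src -> hosts that saw a short full connection
    for line in lines:
        f = parse_flow(line)
        if f["state"] == "S0":
            syn_only[f["src"]].add(f["dst"])
        elif f["state"] in ("SF", "REJ") and f["resp_bytes"] <= MAX_PROBE_BYTES:
            probes[f["src"]].add(f["dst"])
    verdicts = {}
    for src in set(syn_only) | set(probes):
        if len(syn_only[src]) >= SYN_FANOUT:
            verdicts[src] = "syn-scan"        # raw-socket mode: no handshake completes
        elif len(probes[src]) >= PROBE_FANOUT:
            verdicts[src] = "connect-probe"   # limited-privilege mode: full TCP/TLS
    return verdicts


# Constructed sample flows: one SYN scanner, one connect prober, one normal client.
SAMPLE_LINES = (
    [f"1700000000.{i:03d} 192.0.2.10 203.0.113.{i} 443 S0 0" for i in range(1, 13)]
    + [f"1700000001.{i:03d} 192.0.2.30 198.51.100.{i} 443 SF 900" for i in range(1, 10)]
    + ["1700000002.000 192.0.2.20 198.51.100.50 443 SF 48000",
       "1700000002.100 192.0.2.20 198.51.100.51 443 SF 120000"]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LINES).items()):
        print(f"{src}: {verdict}")
```

On a real deployment the lines would come from Zeek's conn.log and the fan-out would be measured per time window, so that a router's normal traffic never accumulates into a false positive.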
Global Distribution Strategy: Why Geography Matters in JDY’s Design
JDY’s infrastructure is heavily concentrated in the United States, with additional clusters across Brazil, Europe, and Asia. This is not incidental geography. It is operational design.
By distributing scanning traffic across thousands of residential IPs, the botnet blends malicious activity with legitimate user behavior. Traditional defense systems relying on geofencing, IP reputation scoring, or static blocklists become significantly less effective.
In essence, JDY weaponizes normality. Every infected home router becomes a legitimate-looking internet citizen performing invisible reconnaissance.
Exploiting Time Windows: JDY and Rapid Vulnerability Targeting
One of JDY’s most concerning capabilities is its speed of adaptation.
Following the public disclosure of CVE-2026-35616 on April 5, 2026, researchers observed immediate scanning spikes targeting Fortinet devices within hours. There was no delay, no intelligence gap, no waiting period.
Even more concerning, a significant portion of targeted IPs belonged to U.S. military and affiliated infrastructure networks.
JDY does not randomly scan. It prioritizes emerging vulnerabilities and high-value networks, suggesting integration into broader exploitation pipelines.
A Passive Weapon: Intelligence Gathering Before Exploitation
JDY does not directly exploit systems. Instead, it builds a detailed map of global infrastructure.
This reconnaissance includes:
Active services
Exposed ports
TLS configurations
Certificate chains
Redirect behavior patterns
This structured dataset is then likely fed into downstream systems responsible for exploitation planning, vulnerability chaining, and target prioritization.
In simple terms, JDY is not the attacker. It is the scout that walks ahead of the army.
The KV-Botnet Aftermath: Why Disruption Was Not Enough
The takedown of the KV-botnet in early 2024 removed part of JDY’s original ecosystem, but not the capability itself. Instead, JDY separated and evolved into an independent reconnaissance infrastructure.
This demonstrates a key reality in modern cyber conflict: dismantling infrastructure does not eliminate knowledge, tooling, or operational doctrine.
JDY is the continuation of that doctrine.
What Undercode Says:
JDY represents a shift from destructive malware to intelligence-first cyber infrastructure
The diversification of IoT devices increases resilience against takedown operations
Hidden Tor-based C2 channels make attribution significantly harder
Residential IP distribution defeats traditional perimeter-based security models
Rapid vulnerability targeting suggests integration with automated exploit pipelines
JDY is optimized for stealth, not speed of attack
The botnet acts more like a distributed sensor network than malware
SYN scanning without handshake reduces detection footprint drastically
TLS-based fallback scanning increases metadata harvesting capability
Structured JSON reporting indicates engineered operational consistency
Device heterogeneity increases global coverage footprint
U.S.-centric infection patterns exploit trust-based routing biases
IoT insecurity remains the primary expansion vector
Payload self-deletion eliminates forensic persistence
JDY demonstrates post-botnet survivability through modular architecture
KV takedown disrupted structure, not capability
Recon data is likely fed into exploit-as-a-service ecosystems
JDY prioritizes strategic targets over random scanning
Military-affiliated IP targeting suggests intelligence-grade objectives
The system adapts scanning method based on privilege level
Raw socket usage implies kernel-level control in some nodes
HTTP behavior mapping suggests application-layer intelligence gathering
TLS fingerprinting enables long-term tracking of services
Device-level compromise scale exceeds traditional botnet models
Residential masking reduces anomaly detection probability
Multi-architecture support improves malware portability
Hidden services reduce infrastructure exposure risk
JDY acts as upstream intelligence for cyber kill chains
No direct payload execution reduces immediate detection risk
Botnet growth indicates persistent infection lifecycle
IoT firmware weaknesses remain unresolved globally
Scanning density allows near real-time internet mapping
Structured recon enables machine-readable targeting intelligence
Operational secrecy suggests state-aligned backing consistency
Continuous adaptation reflects long-term cyber doctrine evolution
Network-level invisibility is achieved through decentralization
JDY prioritizes persistence over aggression
Infrastructure mapping supports geopolitical cyber strategy
Recon outputs are more valuable than payload impact
JDY is effectively a global passive surveillance mesh
❌ JDY is confirmed as a reconnaissance botnet, but exact attribution to a specific state actor is inferred, not publicly proven.
✅ Lumen Black Lotus Labs has documented IoT-focused scanning infrastructure and evolution from KV-botnet components.
⚠️ Claims about targeting U.S. military infrastructure are based on observed IP categorization, not confirmed intent or classification of targets.
Prediction:
(+1) JDY-like botnets will increasingly replace destructive malware as primary cyber intelligence tools, focusing on long-term reconnaissance rather than immediate disruption.
(+1) IoT exploitation will expand as default infrastructure for global-scale passive surveillance networks.
(-1) Defensive systems relying on IP reputation and geofencing will continue to lose effectiveness against residential botnet masking techniques.
(-1) Public detection of such networks will lag behind operational reality due to increased use of encrypted and ephemeral command infrastructures.
Deep Analysis:
Identify suspicious outbound scanning behavior
tcpdump -i eth0 port 80 or port 443
Detect unusual SYN scanning patterns
nmap -sS -T4 -Pn <target-range>
Check for hidden processes potentially related to bot activity
ps aux | grep -i suspicious
Inspect network connections by process
netstat -tulnp
Analyze IoT device exposure on network
nmap -sV --script vuln 192.168.1.0/24
Monitor DNS tunneling or hidden C2 activity
wireshark filter: dns || tls.handshake.extensions_server_name
Harden router-level access
iptables -A INPUT -p tcp --dport 22 -j DROP
References:
Reported By: securityaffairs.com