1,500 Devices and Growing: Meet the JDY Botnet

Jun 11, 2026 | 5 min read

The JDY Botnet has rapidly expanded to more than 1,500 compromised Internet of Things (IoT) and Small Office/Home Office (SOHO) devices, actively exploiting known vulnerabilities in internet-facing systems to grow its infrastructure. Researchers have linked the botnet to China-nexus threat activity, including associations with Volt Typhoon, and have observed the botnet targeting routers, IP cameras, and networking equipment, enabling operators to rapidly weaponize newly disclosed flaws and recruit vulnerable devices into their network.

Unlike traditional botnets that rely primarily on brute-force attacks, JDY employs a vulnerability-driven propagation strategy, continuously scanning for exposed systems and exploiting security weaknesses soon after they become public. Its growing footprint and rapid infection cycle highlight the increasing risks posed by unpatched edge devices, emphasizing the need for timely patching, secure configurations, and continuous monitoring across enterprise and home networks.

Vulnerability & Affected Products

CVE ID: CVE-2026-35616

CVSS Score: 9.1 Critical

Vulnerability Type: Improper Access Control (CWE-284)

Affected Products: Fortinet FortiClient EMS versions 7.4.5 through 7.4.6

Fixed Version: FortiClient EMS 7.4.7 and later (Fortinet security update released April 2026)

Attack Vector: Network-based attack requiring no authentication or user interaction. Attackers can send crafted requests directly to vulnerable FortiClient EMS servers.

Primary Impact: Allows unauthenticated remote attackers to execute unauthorized code or commands on affected FortiClient EMS servers, potentially leading to full system compromise, unauthorized access to enterprise endpoints, privilege escalation, and further lateral movement within the network.

Background

The JDY Botnet was first identified in December 2023 as a reconnaissance-focused cluster within the larger KV-botnet, a network of compromised SOHO routers and IoT devices linked to China-aligned cyber activity. While the KV cluster primarily functioned as a covert relay network, JDY was responsible for internet-scale scanning and target discovery. Following the disruption of KV-botnet infrastructure by U.S. authorities in early 2024, JDY remained active and evolved into an independent reconnaissance platform.

Researchers observed its growth from roughly 650 infected devices in early 2024 to more than 1,500 by mid-2026. Its device base expanded beyond the Cisco routers it originally favored to a wider range of equipment from vendors such as Cisco, Araknis, DrayTek, Hikvision, Linksys, Mimosa Networks, and Ubiquiti.

Unlike traditional botnets used primarily for DDoS attacks, JDY continuously scans the internet, fingerprints exposed services, collects TLS certificates and service metadata, and identifies vulnerable systems shortly after new vulnerabilities are publicly disclosed. The intelligence gathered supports rapid target identification and follow-on exploitation activities associated with China-linked threat actors, including operations targeting government, military, and critical infrastructure networks.

Attack Methodology – JDY Botnet

JDY is a China-nexus SOHO/IoT botnet designed for stealthy, distributed reconnaissance and rapid vulnerability discovery. It uses a layered architecture that combines Tor-based C2 obfuscation with large-scale scanning infrastructure.

1. Initial Compromise:

  • Targets internet-exposed SOHO routers, IoT devices, and edge appliances
  • Exploits N-day vulnerabilities shortly after disclosure (e.g., the CVE-driven spikes in activity observed against Fortinet products)
  • Uses automated exploitation and opportunistic scanning of exposed services
  • Deploys lightweight malware via download-and-execute bash dropper

2. Botnet Enrollment & Execution:

  • Devices are infected with a Linux-based scanning agent (MIPS/MIPS64/MIPSEL)
  • The dropper workflow detects system architecture, downloads the appropriate binary from a payload server, executes the agent under a variable process name (e.g., “auditdy”) to evade detection, and finally removes the installer to reduce forensic traces.
  • Devices are grouped into tasking clusters via group IDs

3. Command-and-Control (C2) Architecture:

  • Operators access infrastructure via hidden Tor services
  • C2 uses a Dispatch Service model for task distribution
  • Communication uses HTTPS beaconing (/probe_status) and task retrieval (/probe_task), with payloads AES-encrypted and base64-encoded in transit.
  • Payload servers also host additional tools (e.g., Platypus reverse shell)

4. Reconnaissance & Scanning Engine:

  • Core function is high-volume distributed scanning
  • Supports TCP, UDP, SSL, and ICMP-assisted probing
  • Collects service banners, TLS versions and certificates, protocol fingerprints, and HTTP responses along with redirect behavior.
  • Uses adaptive scanning logic:
      • Raw SYN scanning (fast, low-noise) when the agent runs with sufficient privileges
      • TCP/TLS fallback scanning when privileges are limited
      • UDP/ICMP probing for service validation

5. Adaptive Targeting & Intelligence Collection:

  • Receives dynamic fingerprinting rules from C2
  • Can rapidly adjust to newly disclosed vulnerabilities (within hours of CVE release), targeting specific vendors (e.g., the Fortinet spike behavior)
  • Prioritizes selective reconnaissance over indiscriminate scanning
  • Focuses heavily on military and high-value infrastructure networks

6. Data Exfiltration & Reporting:

Scan results are:

  • Structured (IP, ports, banners, TLS data, domains)
  • Compressed and encrypted
  • Sent via HTTPS POST to dispatch service (/pscan)

This enables centralized aggregation of global vulnerability intelligence.

Visual Attack Flow

Exposed SOHO/IoT Device Exploited → JDY Agent Installed → Tor-Based C2 Registration → Dispatch Service Assigns Recon Tasks → Distributed TCP/SSL/UDP/ICMP Scanning → Service Fingerprinting & TLS Harvesting → Encrypted Results Exfiltration → Central Recon Intelligence Hub → Vulnerability Targeting for Follow-On Operations → Persistent Global Recon Network

Mitigations

  1. Update FortiClient EMS to version 7.4.7 or later immediately.
  2. Restrict Exposure of Administrative Interfaces
  3. Monitor for Anomalous Network Scanning Activity
  4. Network Segmentation and Isolation
  5. Disable Unused Services and Protocols
  6. Continuous Log and Traffic Monitoring
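The dispatch-service paths named in sections 3 and 6 (/probe_status, /probe_task, /pscan) and the high-volume fan-out scanning in section 4 give defenders concrete things to hunt for, which is what mitigations 3 and 6 ask for. The script below is an added example, not SecPod's code or anything taken from the botnet: it runs over constructed proxy/flow records (the one-line log format and the 60-second/5-endpoint thresholds are assumptions) and flags both requests to the JDY C2 paths and internal sources that touch many distinct destinations in a short window.

```python
import re
from collections import defaultdict

# URI paths the advisory attributes to JDY's dispatch service: beacon, task pull, result upload.
JDY_C2_PATHS = {"/probe_status", "/probe_task", "/pscan"}

# Constructed sample records (not real traffic): "<epoch> <src_ip> <dst_ip>:<dst_port> <method> <path>",
# with "-" for method/path on flow-only records. The format itself is an assumption.
SAMPLE_LOGS = """\
1717000000 10.0.0.5 203.0.113.10:443 POST /probe_status
1717000030 10.0.0.5 203.0.113.10:443 GET /probe_task
1717000040 10.0.0.5 198.51.100.1:22 - -
1717000041 10.0.0.5 198.51.100.2:22 - -
1717000042 10.0.0.5 198.51.100.3:443 - -
1717000043 10.0.0.5 198.51.100.4:443 - -
1717000044 10.0.0.5 198.51.100.5:8443 - -
1717000050 10.0.0.5 203.0.113.10:443 POST /pscan
1717000130 10.0.0.9 192.0.2.8:443 GET /status
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def parse(lines):
    """Yield (ts, src, dst, port, method, path) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, method, path = m.groups()
            yield int(ts), src, dst, int(port), method, path

def find_c2_beacons(lines):
    """Return (src, dst, path) for every request to a JDY dispatch-service path."""
    return [(src, dst, path) for _, src, dst, _, _, path in parse(lines)
            if path in JDY_C2_PATHS]

def find_scanners(lines, window=60, min_endpoints=5):
    """Return sources touching >= min_endpoints distinct dst:port pairs within `window` seconds."""
    events = defaultdict(list)
    for ts, src, dst, port, _, _ in parse(lines):
        events[src].append((ts, (dst, port)))
    flagged = set()
    for src, evs in events.items():
        evs.sort()  # sliding window over time-ordered events per source
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({ep for _, ep in evs[start:end + 1]}) >= min_endpoints:
                flagged.add(src)
                break
    return sorted(flagged)
```

Tune `window` and `min_endpoints` to the normal fan-out of your own hosts before alerting on the scanner check; the path match is the higher-fidelity signal of the two.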

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
