
1,500 Devices and Growing: Meet the JDY Botnet
The JDY Botnet has rapidly expanded to more than 1,500 compromised Internet of Things (IoT) and Small Office/Home Office (SOHO) devices, actively exploiting known vulnerabilities in internet-facing systems to grow its infrastructure. Researchers have linked the botnet to China-nexus threat activity, including associations with Volt Typhoon, and have observed the botnet targeting routers, IP cameras, and networking equipment, enabling operators to rapidly weaponize newly disclosed flaws and recruit vulnerable devices into their network.
Unlike traditional botnets that rely primarily on brute-force attacks, JDY employs a vulnerability-driven propagation strategy, continuously scanning for exposed systems and exploiting security weaknesses soon after they become public. Its growing footprint and rapid infection cycle highlight the increasing risks posed by unpatched edge devices, emphasizing the need for timely patching, secure configurations, and continuous monitoring across enterprise and home networks.
Vulnerability & Affected Products
CVE ID: CVE-2026-35616
CVSS Score: 9.1 Critical
Vulnerability Type: Improper Access Control (CWE-284)
Affected Products: Fortinet FortiClient EMS versions 7.4.5 through 7.4.6
Fixed Version: FortiClient EMS 7.4.7 and later (Fortinet security update released April 2026)
Attack Vector: Network-based attack requiring no authentication or user interaction. Attackers can send crafted requests directly to vulnerable FortiClient EMS servers.
Primary Impact: Allows unauthenticated remote attackers to execute unauthorized code or commands on affected FortiClient EMS servers, potentially leading to full compromise of the server, unauthorized access to the endpoints it manages, privilege escalation, and lateral movement within the network.
Background
The JDY Botnet was first identified in December 2023 as a reconnaissance-focused cluster within the larger KV-botnet, a network of compromised SOHO routers and IoT devices linked to China-aligned cyber activity. While the KV cluster primarily functioned as a covert relay network, JDY was responsible for internet-scale scanning and target discovery. Following the disruption of KV-botnet infrastructure by U.S. authorities in early 2024, JDY remained active and evolved into an independent reconnaissance platform.
Researchers observed its growth from roughly 650 infected devices in early 2024 to more than 1,500 by mid-2026, and its victim base expanded beyond Cisco routers to devices from vendors such as Araknis, DrayTek, Hikvision, Linksys, Mimosa Networks, and Ubiquiti. Unlike botnets used primarily for DDoS attacks, JDY continuously scans the internet, fingerprints exposed services, collects TLS certificates and service metadata, and identifies vulnerable systems shortly after new vulnerabilities are publicly disclosed. The intelligence gathered supports rapid target identification and follow-on exploitation by China-linked threat actors, including operations against government, military, and critical infrastructure networks.
Attack Methodology – JDY Botnet
JDY is a China-nexus SOHO and IoT botnet designed for stealthy, distributed reconnaissance and rapid vulnerability discovery, operating through a layered architecture that combines large-scale scanning infrastructure with Tor-based command-and-control (C2) obfuscation. Its attack lifecycle begins with initial compromise, where it primarily targets internet-exposed SOHO routers, IoT devices, and edge appliances. It exploits N-day vulnerabilities shortly after public disclosure, often within hours, leveraging automated exploitation and opportunistic scanning of exposed services to gain access. Once a vulnerable device is identified, a lightweight malware dropper is deployed through a download-and-execute mechanism, typically using bash-based scripts to deliver the payload.
After successful compromise, the device is enrolled into the botnet and executes a Linux-based scanning agent compiled for multiple architectures such as MIPS, MIPS64, and MIPSEL. The dropper workflow involves detecting the system architecture, downloading the appropriate binary from a remote payload server, executing the agent under a variable process name (such as “auditdy”), and removing installation artifacts to reduce forensic traces. Infected devices are then organized into tasking clusters using group identifiers, enabling coordinated and distributed scanning operations across large bot populations.
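The cleanup step above matters for responders: unlinking the dropped file does not stop the agent that is already running, and on Linux the kernel then reports the process's exe link with a " (deleted)" suffix, which is itself a strong signal. The following is an added example written for this page, not code from JDY or from the researchers who analysed it. The process name "auditdy" is the one reported above; the scratch-directory heuristic, the fixture builder and its pids are constructed assumptions so the check can be run offline. On a BusyBox router without Python, the same inspection is `cat /proc/[0-9]*/comm` and `ls -l /proc/[0-9]*/exe`.

```python
"""Find a resident JDY-style agent via /proc after the dropper cleaned up.

Added example for this page, not JDY code. Shown in Python for readability;
on a BusyBox router the equivalent is reading /proc/*/comm and /proc/*/exe.
"""
import os
import tempfile

# "auditdy" is the process name reported for JDY (the real name varies).
# The scratch paths are an assumed heuristic for download-and-execute payloads.
KNOWN_AGENT_NAMES = {"auditdy"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def find_suspicious_processes(proc_root="/proc", names=KNOWN_AGENT_NAMES):
    """Return (pid, comm, exe_target, reasons) for every process that looks planted.

    Deleting the on-disk binary does not stop the process; the kernel keeps the
    inode alive and reports the exe link target with a " (deleted)" suffix.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:          # process exited, kernel thread, or no permission
            continue
        reasons = []
        if comm in names:
            reasons.append("known agent process name")
        if exe.endswith(" (deleted)"):
            reasons.append("binary unlinked while running")
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("executed from scratch directory")
        if reasons:
            hits.append((int(entry), comm, exe, reasons))
    return sorted(hits)


def build_fake_proc():
    """Constructed /proc lookalike for an offline run: a clean init, a BusyBox
    shell, and one agent whose dropper already removed the file (assumed pids)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    fixtures = {
        "1": ("init", "/sbin/init"),
        "77": ("sh", "/bin/busybox"),
        "4242": ("auditdy", "/tmp/.x/auditdy (deleted)"),
    }
    for pid, (comm, exe) in fixtures.items():
        pdir = os.path.join(root, pid)
        os.makedirs(pdir)
        with open(os.path.join(pdir, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(pdir, "exe"))   # dangling, like the kernel's
    return root


if __name__ == "__main__":
    for hit in find_suspicious_processes(build_fake_proc()):
        print(hit)
```

The name match is the weakest of the three signals: the page notes the process name varies, and any process can rename itself. The unlinked-binary and scratch-path signals do not depend on the name, so treat a hit on either of them as worth pulling the binary out of `/proc/PID/exe` before the device is rebooted.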
The command-and-control architecture is accessed by operators through hidden Tor services, which provide anonymity and resilience. JDY uses a dispatch service model for task distribution, where infected nodes periodically communicate with C2 endpoints to receive instructions and return results. Communication typically includes HTTPS beaconing endpoints such as “/probe_status” for status updates and “/probe_task” for task retrieval, along with encrypted payload exchanges that use AES encryption combined with base64 encoding. In some cases, the payload infrastructure also hosts additional tools such as reverse shells, including the Platypus framework, which may be used for follow-on access.
At its core, JDY functions as a high-volume distributed reconnaissance engine capable of scanning the internet at scale. It supports multiple protocols including TCP, UDP, SSL, and ICMP-assisted probing, allowing it to collect detailed service intelligence. This includes service banners, TLS versions and certificates, protocol fingerprints, HTTP responses, and redirect behavior. The scanning logic is adaptive, using raw SYN scanning for fast and low-noise discovery when privileges allow, falling back to full TCP/TLS scanning when constrained, and leveraging UDP or ICMP probing for additional service validation and confirmation.
JDY also incorporates adaptive targeting and intelligence collection driven by dynamic rules issued from its C2 infrastructure. This allows it to rapidly shift focus toward newly disclosed vulnerabilities within hours of public CVE releases and adjust scanning priorities based on specific vendor ecosystems, including enterprise and security infrastructure. Rather than indiscriminate scanning, it performs selective reconnaissance aimed at high-value environments such as government, military, and critical infrastructure networks.
All collected reconnaissance data is structured and includes IP addresses, open ports, service metadata, TLS information, and domain-related observations. This information is compressed, encrypted, and transmitted back to the dispatch service through HTTPS POST requests, commonly using endpoints such as “/pscan”. This centralized collection mechanism enables operators to aggregate global vulnerability intelligence in near real time.
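The dispatch endpoints named above (/probe_status and /probe_task for tasking, /pscan for result upload) and the periodic check-in pattern are what a proxy or Zeek http.log would record. The following is an added example written for this page, not code from JDY or from the researchers who analysed it: it matches requests against the reported paths and, separately, measures how regular each client-to-server conversation is, so that a host with a jittered or renamed endpoint still surfaces. The log format, the sample lines, the addresses and the thresholds are constructed assumptions.

```python
"""Flag JDY-style dispatch-service traffic in HTTP logs.

Added example for this page, not JDY code. The sample log is constructed.
"""
import statistics
from collections import defaultdict

# Constructed sample, one request per line (Zeek http.log subset):
# ts src_ip dst_ip method uri resp_bytes
SAMPLE_HTTP_LOG = """\
1700000000 10.0.0.5 203.0.113.10 GET /probe_status 120
1700000600 10.0.0.5 203.0.113.10 GET /probe_task 4096
1700001200 10.0.0.5 203.0.113.10 GET /probe_status 120
1700001800 10.0.0.5 203.0.113.10 POST /pscan 64
1700002400 10.0.0.5 203.0.113.10 GET /probe_status 120
1700000100 10.0.0.7 198.51.100.20 GET /index.html 5120
1700003300 10.0.0.7 198.51.100.20 GET /about 2048
1700004100 10.0.0.9 203.0.113.10 GET /probe_status 120
"""

# Endpoint paths reported for JDY: useful low-prevalence indicators, not proof.
JDY_C2_URIS = {"/probe_status", "/probe_task", "/pscan"}


def parse_http_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri, size = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "method": method, "uri": uri, "size": int(size)})
    return records


def uri_hits(records):
    """Requests whose path matches a known dispatch-service endpoint."""
    return [r for r in records if r["uri"] in JDY_C2_URIS]


def beacon_candidates(records, min_requests=4, max_cv=0.2):
    """Map (src, dst) -> mean interval for pairs that talk at near-constant intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; implants add jitter, so max_cv is tunable.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            found[pair] = round(mean, 1)
    return found


def triage(text):
    """Combine both signals; pairs that hit C2 paths and beacon regularly rank highest."""
    records = parse_http_log(text)
    hits = uri_hits(records)
    beacons = beacon_candidates(records)
    hit_pairs = {(r["src"], r["dst"]) for r in hits}
    return {
        "uri_hit_sources": sorted({r["src"] for r in hits}),
        "beacons": beacons,
        "high_confidence": sorted(p for p in beacons if p in hit_pairs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTTP_LOG).items():
        print(key, value)
```

Because the beaconing is over HTTPS, a passive sensor only sees the request path if TLS is terminated at a proxy; otherwise the periodicity check on connection timestamps is what remains usable on the wire, and the path match has to come from the device itself. A single request to one of these paths from a device that otherwise never talks to that server is worth a look even without the timing signal.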
Overall, JDY operates as a reconnaissance-as-a-service platform that supports downstream exploitation within broader China-nexus threat ecosystems. The intelligence it gathers is used for rapid exploitation of newly disclosed vulnerabilities, prioritization of strategically important targets such as defense and military networks, and potential pre-positioning for later-stage cyber operations.
Visual Attack Flow
Exposed SOHO/IoT Device Exploited → JDY Agent Installed → Tor-Based C2 Registration → Dispatch Service Assigns Recon Tasks → Distributed TCP/SSL/UDP/ICMP Scanning → Service Fingerprinting & TLS Harvesting → Encrypted Results Exfiltration → Central Recon Intelligence Hub → Vulnerability Targeting for Follow-On Operations → Persistent Global Recon Network
Mitigations
1. Update FortiClient EMS to version 7.4.7 or later immediately.
2. Restrict Exposure of Administrative Interfaces
3. Monitor for Anomalous Network Scanning Activity
4. Network Segmentation and Isolation
5. Disable Unused Services and Protocols
6. Continuous Log and Traffic Monitoring
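The raw SYN scanning described in the attack methodology and mitigation 3 above come down to the same network-side observation: one source reaching many distinct destination/port pairs in a short window, most of which never complete the handshake. The following is an added example written for this page, not JDY code or any vendor's product: it runs that check over constructed Zeek conn.log-style records in which 192.168.1.1 plays an infected SOHO router sweeping 25 hosts on port 443. The field layout, the window and the thresholds are assumptions to tune per network.

```python
"""Detect scan fan-out from connection records.

Added example for this page, not JDY code. The sample records are constructed.
"""
from collections import defaultdict

# Constructed conn.log-style sample: ts src dst dport proto conn_state.
# Zeek's S0 = SYN sent, nothing back (what raw SYN scanning leaves behind);
# SF = full session. 192.168.1.20 is an ordinary client for contrast.
_SCANNER_LINES = [
    f"{1700000000 + i} 192.168.1.1 198.51.100.{i} 443 tcp S0" for i in range(1, 26)
]
SAMPLE_CONN_LOG = "\n".join(_SCANNER_LINES + [
    "1700000003 192.168.1.20 198.51.100.200 443 tcp SF",
    "1700000040 192.168.1.20 198.51.100.201 443 tcp SF",
    "1700000050 192.168.1.20 198.51.100.200 80 tcp SF",
]) + "\n"


def parse_conn_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, state = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "state": state})
    return records


def scan_sources(records, window=60.0, min_targets=20, min_half_open=0.8):
    """Sources that reach >= min_targets distinct (dst, port) pairs inside any
    `window` seconds, with most attempts left half-open. Returns src -> stats."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, left = 0, 0
        for right in range(len(recs)):          # sliding window over time
            while recs[right]["ts"] - recs[left]["ts"] > window:
                left += 1
            distinct = {(r["dst"], r["dport"]) for r in recs[left:right + 1]}
            best = max(best, len(distinct))
        half_open = sum(r["state"] == "S0" for r in recs) / len(recs)
        if best >= min_targets and half_open >= min_half_open:
            flagged[src] = {"targets_in_window": best,
                            "half_open_ratio": round(half_open, 2)}
    return flagged


if __name__ == "__main__":
    print(scan_sources(parse_conn_log(SAMPLE_CONN_LOG)))
```

Run inbound, this finds JDY scanning you; run outbound, an internal source that trips it is a device that has been recruited. When the agent falls back to full TCP/TLS scanning (the fallback the methodology section describes), the sessions complete and the half-open ratio drops, so lower `min_half_open` and lean on the distinct-target count alone for that mode.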
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
