The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts.
According to researchers at Black Lotus Labs by Lumen, who have been monitoring its activity, JDY maintains a strong focus on the United States, where many of its compromised devices are located and where it heavily targets military and associated networks.
The security firm notes that JDY has grown from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today.
While the numbers seem low, it's important to note that JDY isn't an exploitation framework or a DDoS botnet that requires large swarms to accumulate firepower, but is instead a distributed scanning and fingerprinting network that helps its operators locate targets vulnerable to newly disclosed flaws.
"Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors," reads the Black Lotus Labs report.
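The report describes JDY as a distributed scanning and fingerprinting network rather than a volume-based botnet, which matters for defenders: each individual bot may touch a target only once or twice, so per-source thresholds alone miss the sweep. The following is an added illustrative example, not code from Black Lotus Labs or from the article, that contrasts the two detection views over constructed firewall connection records. The log format, thresholds, timestamps and all IP addresses are assumptions constructed for this demonstration.

```python
"""Contrast single-source port scanning with a distributed, low-volume sweep.

Added example (not Black Lotus Labs code). The log format, thresholds and
all addresses below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of "timestamp src_ip dst_port" perimeter firewall records.
# 203.0.113.10 probes many ports quickly (classic noisy scanner).
# 198.51.100.1-5 each touch port 4443 exactly once (coordinated sweep).
# 192.0.2.7 is ordinary repeat traffic to 443.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.10 22
2024-05-01T10:00:01Z 203.0.113.10 80
2024-05-01T10:00:02Z 203.0.113.10 443
2024-05-01T10:00:03Z 203.0.113.10 8080
2024-05-01T10:00:04Z 203.0.113.10 8443
2024-05-01T10:00:05Z 203.0.113.10 3389
2024-05-01T10:01:00Z 198.51.100.1 4443
2024-05-01T10:01:30Z 198.51.100.2 4443
2024-05-01T10:02:00Z 198.51.100.3 4443
2024-05-01T10:02:30Z 198.51.100.4 4443
2024-05-01T10:03:00Z 198.51.100.5 4443
2024-05-01T10:05:00Z 192.0.2.7 443
2024-05-01T10:05:10Z 192.0.2.7 443
"""


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, src_ip, dst_port)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        # Replace the trailing Z so fromisoformat works on older Python versions.
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, int(port)))
    return events


def noisy_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Per-source view: flag sources touching >= min_ports distinct ports
    within any sliding window. Returns {src_ip: max distinct ports seen}."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            if distinct >= min_ports:
                flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged


def distributed_sweeps(events, min_sources=4, max_hits_per_source=2):
    """Per-port view: a port contacted by many distinct sources that each
    stay under max_hits_per_source looks like a coordinated sweep, even though
    no single source would trip the per-source detector. Returns {port: [srcs]}."""
    per_port = defaultdict(lambda: defaultdict(int))
    for _, src, port in events:
        per_port[port][src] += 1
    sweeps = {}
    for port, srcs in per_port.items():
        quiet = sorted(s for s, n in srcs.items() if n <= max_hits_per_source)
        if len(quiet) >= min_sources:
            sweeps[port] = quiet
    return sweeps


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("noisy scanners:", noisy_scanners(evts))
    print("distributed sweeps:", distributed_sweeps(evts))
```

Run against the constructed records, the per-source detector flags only 203.0.113.10, while the per-port detector surfaces the sweep of port 4443 by five addresses that each appear once. In practice the per-port view is most useful when joined with a feed of recently disclosed vulnerabilities, so that a surge of distinct sources against a service port can be correlated with the disclosure the report says JDY operators react to.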