TL;DR: China-linked JDY botnet grew from 650 to 1,500+ hacked SOHO devices. It scans for new vulnerabilities within hours and feeds targeting data to state hackers.
A covert botnet linked to Chinese state-sponsored hackers has more than doubled in size and is now scanning for newly disclosed vulnerabilities within hours of publication. The JDY botnet comprises over 1,500 compromised small office and home office routers, firewalls, and IoT devices, according to new research from Lumen’s Black Lotus Labs. Most of the infected nodes are in the United States and Brazil.
JDY was first identified in December 2023 as a cluster within the KV-botnet, a network used by the Chinese hacking group Volt Typhoon. The FBI took down KV-botnet in early 2024. But JDY survived, adapted, and has since evolved into what Black Lotus Labs describes as an independent, high-performance reconnaissance capability.
The botnet does not attack targets directly. It scans, fingerprints, and maps exposed services at scale, then feeds the results to Chinese nation-state groups for follow-on exploitation. Black Lotus Labs calls it an “industrialised reconnaissance effort.” The data flows to central servers for ongoing intelligence gathering.