The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts.
According to researchers at Black Lotus Labs by Lumen, who have been monitoring its activity, JDY maintains a strong focus on the United States, where many of its compromised devices are located and where it heavily targets military and associated networks.
The security firm notes that JDY has grown from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today.
While the numbers seem low, it's important to note that JDY isn't an exploitation framework or a DDoS botnet that requires large swarms to accumulate firepower, but is instead a distributed scanning and fingerprinting network that helps its operators locate targets vulnerable to newly disclosed flaws.
"Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors," reads the Black Lotus Labs report.
"This targeted focus has been observed across a range of sectors, with the U.S. military and associated entities as the most prominent."
[Figure: Most impacted countries by the JDY botnet. Source: Black Lotus Labs]
CISA has previously warned about the risk Volt Typhoon operatives pose to unprotected SOHO routers, urging network device vendors to eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases.
The JDY botnet is designed to conduct service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and flaw-focused reconnaissance.