
1,500 Devices and Growing: Meet the JDY Botnet
The JDY Botnet has rapidly expanded to more than 1,500 compromised Internet of Things (IoT) and Small Office/Home Office (SOHO) devices, actively exploiting known vulnerabilities in internet-facing systems to grow its infrastructure. Researchers have linked the botnet to China-nexus threat activity, including associations with Volt Typhoon, and have observed the botnet targeting routers, IP cameras, and networking equipment, enabling operators to rapidly weaponize newly disclosed flaws and recruit vulnerable devices into their network.
Unlike traditional botnets that rely primarily on brute-force attacks, JDY employs a vulnerability-driven propagation strategy, continuously scanning for exposed systems and exploiting security weaknesses soon after they become public. Its growing footprint and rapid infection cycle highlight the increasing risks posed by unpatched edge devices, emphasizing the need for timely patching, secure configurations, and continuous monitoring across enterprise and home networks.
Background for JDY Botnet
The JDY Botnet was first identified in December 2023 as a reconnaissance-focused cluster within the larger KV-botnet, a network of compromised SOHO routers and IoT devices linked to China-aligned cyber activity. While the KV cluster primarily functioned as a covert relay network, JDY was responsible for internet-scale scanning and target discovery. Following the disruption of KV-botnet infrastructure by U.S. authorities in early 2024, JDY remained active and evolved into an independent reconnaissance platform.
Researchers observed its growth from roughly 650 infected devices in early 2024 to more than 1,500 by mid-2026. Its victim base expanded beyond Cisco routers to include devices from vendors such as Araknis, DrayTek, Hikvision, Linksys, Mimosa Networks, and Ubiquiti, alongside Cisco.
Unlike traditional botnets used primarily for DDoS attacks, JDY continuously scans the internet, fingerprints exposed services, collects TLS certificates and service metadata, and identifies vulnerable systems shortly after new vulnerabilities are publicly disclosed. The intelligence gathered supports rapid target identification and follow-on exploitation activities associated with China-linked threat actors, including operations targeting government, military, and critical infrastructure networks.
Vulnerability & Affected Products
CVE ID: CVE-2026-35616
CVSS Score: 9.1 Critical
Vulnerability Type: Improper Access Control (CWE-284)
Affected Products: Fortinet FortiClient EMS versions 7.4.5 through 7.4.6
Fixed Version: FortiClient EMS 7.4.7 and later (Fortinet security update released April 2026)
Attack Vector: Network-based attack requiring no authentication or user interaction. Attackers can send crafted requests directly to vulnerable FortiClient EMS servers.
Primary Impact: Allows unauthenticated remote attackers to execute unauthorized code or commands on affected FortiClient EMS servers, potentially leading to full system compromise, unauthorized access to enterprise endpoints, privilege escalation, and further lateral movement within the network.
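The affected and fixed versions above are the values a patch-verification script needs. The following is an added example, not code from the advisory or from Saner: it classifies FortiClient EMS version strings against the range the page states (7.4.5 through 7.4.6 affected, 7.4.7 and later fixed) and triages an inventory. Versions outside that range, such as older 7.4.x builds or other branches, are reported as "not-listed" rather than assumed safe, because the page says nothing about them; the inventory hostnames and version strings are constructed sample data.

```python
from __future__ import annotations

# Added example (not from the advisory): compare FortiClient EMS versions
# against the affected range stated on the page.
AFFECTED_LOW = (7, 4, 5)   # first affected version listed
AFFECTED_HIGH = (7, 4, 6)  # last affected version listed
FIXED_FROM = (7, 4, 7)     # fixed in 7.4.7 and later


def parse_version(s: str) -> tuple[int, ...]:
    """Turn a dotted numeric version such as '7.4.6' (or a longer build
    string like '7.4.6.1234') into a tuple that compares numerically."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in parts)


def ems_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one EMS version.

    'not-listed' means the version falls outside the range this advisory
    covers (older 7.4.x or another branch); check the vendor PSIRT notice
    for those rather than treating them as safe."""
    v = parse_version(version)
    if v[:2] != (7, 4):            # only the 7.4 branch is described
        return "not-listed"
    if AFFECTED_LOW <= v[:3] <= AFFECTED_HIGH:
        return "affected"
    if v[:3] >= FIXED_FROM:
        return "fixed"
    return "not-listed"            # 7.4.4 and earlier: not covered by the page


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'affected' list can drive patching first."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "not-listed": []}
    for host, ver in inventory.items():
        groups[ems_status(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "ems-prod-01": "7.4.6",
        "ems-prod-02": "7.4.7",
        "ems-lab-01": "7.4.5.1200",
        "ems-legacy": "7.2.10",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

The comparison is done on the first three components only, so a vendor build suffix (a fourth number) does not push a 7.4.6 install out of the affected range.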
Attack Methodology – JDY Botnet
Phase 1: Initial Exploitation: The JDY IoT botnet targets exposed, vulnerable internet-facing services on SOHO devices (commonly routers, DVRs, and other embedded systems). Attackers scan for devices with weak or unpatched firmware and exploit known remote code execution flaws or misconfigurations to gain initial access. Successful exploitation results in execution of a bootstrap payload on the device.
Phase 2: Payload Staging and Downloader Execution: Once access is obtained, a lightweight downloader is executed to fetch the main JDY malware binary from attacker-controlled infrastructure. This stage ensures the initial footprint remains minimal and adaptable to different device environments while preparing for full bot deployment.
Phase 3: Multi-Architecture Malware Deployment: The JDY botnet retrieves and executes binaries compiled for multiple processor architectures commonly found in IoT ecosystems, including MIPS, ARM, x86, and others. This allows the botnet to propagate efficiently across heterogeneous embedded device environments without requiring manual adaptation.
Phase 4: Persistence Establishment: After execution, the malware establishes persistence by copying itself into writable system locations such as temporary directories and modifying startup mechanisms where available. This may include system initialization scripts or scheduled tasks that ensure the malware is relaunched after reboot.
Phase 5: Command-and-Control (C2) Registration: The infected device initiates communication with the botnet’s command-and-control infrastructure. A registration handshake is performed, allowing the operator to identify, track, and assign the device to a managed botnet pool for coordinated activity.
Phase 6: Botnet Integration and Tasking: Once registered, the compromised device becomes part of the JDY botnet swarm. It can be instructed to perform distributed scanning, additional exploitation attempts, or participate in coordinated malicious traffic activities such as DDoS attacks or credential probing campaigns.
Phase 7: Propagation and Continuous Scanning: The botnet continuously scans the internet for new vulnerable hosts. When new targets are identified, the same exploitation and payload delivery cycle is repeated, enabling rapid expansion of the infected device pool and sustained propagation across exposed IoT networks.
MITRE ATT&CK: Tactics and Techniques
| Tactic ID | Tactic | Technique ID | Technique | Description |
| --- | --- | --- | --- | --- |
| TA0043 | Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | Scans the internet using TCP, UDP, SSL, and ICMP probes to identify vulnerable IoT and SOHO devices for compromise. |
| TA0001 | Initial Access | T1105 | Ingress Tool Transfer | Downloads architecture-specific malware payloads and supporting components onto targeted devices. |
| TA0007 | Discovery | T1082 | System Information Discovery | Collects host information including operating system details, CPU architecture, memory statistics, kernel version, and uptime. |
| TA0005 | Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | Performs environmental checks to detect virtual machines and analysis environments before executing malicious activities. |
| TA0011 | Command and Control | T1665 | Hide Infrastructure | Uses Tor hidden services to conceal command-and-control infrastructure and evade tracking or takedown efforts. |
| TA0010 | Exfiltration | T1102 | Web Service | Exfiltrates collected reconnaissance and scanning data to command-and-control servers over HTTP/HTTPS channels. |
| TA0009 | Collection | T1560 | Archive Collected Data | Compresses and encrypts collected scan results and host information before transmitting them to command-and-control infrastructure. |
Indicators of Compromise
Payload Server - 149.248.3[.]38
Visual Attack Flow
Exposed SOHO/IoT Device Exploited → JDY Agent Installed → Tor-Based C2 Registration → Dispatch Service Assigns Recon Tasks → Distributed TCP/SSL/UDP/ICMP Scanning → Service Fingerprinting & TLS Harvesting → Encrypted Results Exfiltration → Central Recon Intelligence Hub → Vulnerability Targeting for Follow-On Operations → Persistent Global Recon Network
Mitigations
- Update FortiClient EMS to version 7.4.7 or later immediately.
- Restrict Exposure of Administrative Interfaces
- Monitor for Anomalous Network Scanning Activity
- Network Segmentation and Isolation
- Disable Unused Services and Protocols
- Continuous Log and Traffic Monitoring
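Two of the behaviours described above leave traces in ordinary egress logs: a compromised device running the Phase 7 continuous scan fans out to many external hosts in a short window (T1595.002), and a device in Phase 2 fetches its payload from the listed server 149.248.3[.]38. The block below is an added example, not code from the advisory or from Saner, of the "monitor for anomalous scanning activity" and "continuous log and traffic monitoring" mitigations: it parses a constructed firewall log in a `timestamp key=value ...` format (an assumption; real exports differ), raises a finding for any connection to the listed payload server, and raises a fan-out finding for a source that reaches a threshold of distinct external destinations inside a sliding window. The threshold, window, and the internal-address ranges are assumptions for this example.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# IoC from the advisory (defanged there as 149.248.3[.]38).
PAYLOAD_SERVER = "149.248.3.38"

# Tunables: assumptions for this example, not values from the advisory.
FANOUT_THRESHOLD = 20          # distinct external destinations per window
WINDOW = timedelta(minutes=5)

# Only RFC 1918 space is treated as internal; everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one 'ts src=.. dst=.. dport=.. proto=..' line (constructed format)."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return rec


def build_sample_log() -> list[str]:
    """Constructed sample: one host sweeping 25 external IPs on 443/tcp within
    two minutes, one host fetching from the payload server, one benign host."""
    base = datetime.fromisoformat("2026-05-01T10:00:00+00:00")
    lines = []
    for i in range(25):  # the scanning device
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} src=192.168.1.20 dst=203.0.113.{i + 1} dport=443 proto=tcp")
    t = base + timedelta(minutes=1)  # the downloader fetch
    lines.append(f"{t.isoformat()} src=192.168.1.40 dst={PAYLOAD_SERVER} dport=80 proto=tcp")
    for i, host in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        t = base + timedelta(seconds=30 * i)  # normal browsing-scale fan-out
        lines.append(f"{t.isoformat()} src=192.168.1.30 dst={host} dport=443 proto=tcp")
    return lines


def analyze(lines: list[str]) -> list[dict]:
    """Return findings: IoC hits and sources whose distinct external
    destinations inside any WINDOW reach FANOUT_THRESHOLD."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    findings: list[dict] = []

    # Rule 1: any flow to the listed payload server.
    for e in events:
        if e["dst"] == PAYLOAD_SERVER:
            findings.append({"rule": "ioc_payload_server", "src": e["src"], "count": 1})

    # Rule 2: outbound fan-out per source over a sliding time window.
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if is_external(e["dst"]):
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1  # slide the window forward
            peak = max(peak, len({x["dst"] for x in evs[start:end + 1]}))
        if peak >= FANOUT_THRESHOLD:
            findings.append({"rule": "outbound_fanout", "src": src, "count": peak})
    return findings


if __name__ == "__main__":
    for f in analyze(build_sample_log()):
        print(f"{f['rule']:<20} src={f['src']:<14} count={f['count']}")
```

The fan-out rule counts distinct destination addresses rather than packets, which is what separates a scanner from a busy but legitimate host; lowering the threshold or widening the window trades more noise for earlier detection, and the IoC rule should be fed from a maintained list rather than the single address hard-coded here.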
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
