Researchers say the China-linked JDY botnet has grown to more than 1,500 compromised small-office/home-office and internet-connected devices and is increasingly used to probe U.S. military and related networks. Black Lotus Labs says JDY is tied to China-nexus activity previously associated with Volt Typhoon and is used for distributed scanning, banner grabbing, TLS certificate collection, and fingerprinting to find vulnerable systems soon after flaws are disclosed, including scans for FortiClient EMS bug CVE-2026-35616. The botnet uses infected routers and IoT devices from vendors including Cisco, Ubiquiti, DrayTek, Hikvision, Linksys, Araknis, and Mimosa, with command-and-control routed through Tor hidden services.
Why it matters: Compromised routers and IoT gear are being used to quietly map weak points in networks tied to sensitive U.S. targets, which helps follow-on intrusions. Organizations should patch exposed network devices quickly, reduce internet-facing services, and watch for scanning and unusual activity from SOHO and IoT infrastructure.
info@thehackernews.com (The Hacker News)
2026.06.10
The article appears to cover the same underlying event: expansion of the China-linked JDY botnet to more than 1,500 devices and its use for reconnaissance focused on U.S. military networks.
Bill Toulas
2026.06.10
This article establishes a distinct story about the JDY botnet's expansion, its China-linked reconnaissance role, and its specific focus on U.S. military-associated targets rather than a single already-tracked exploit or policy event.