
A covert botnet linked to the Chinese nation-state actors Volt Typhoon – and first observed in 2023 – has more than doubled in size and is now actively targeting the US military and associated entities, new research finds.
- A China-linked botnet known as JDY is rapidly exploiting newly disclosed vulnerabilities in routers, cameras, and other internet-connected devices.
- The campaign highlights how quickly attackers can weaponize new flaws while targeting the same types of edge devices that often sit unpatched for months.
- The activity is reviving concerns about Volt Typhoon and broader warnings that compromised routers could be used to support future infrastructure-focused cyber operations.
Researchers at Lumen's Black Lotus Labs say the Beijing-backed JDY reconnaissance botnet has more than doubled in size in recent months and now spans roughly 1,500 compromised small office and home office (SOHO) and Internet of Things (IoT) devices.
The devices are said to be physically located throughout Europe, Asia, and the Americas, with the majority located in the United States.
Most of these are routers and other edge devices where monitoring and endpoint protection are limited, the research says, but the victim list also includes firewalls, servers, VPN appliances, storage devices, surveillance cameras, DVRs, mobile devices, and even thermostats.
According to a detailed report published Wednesday, JDY “operates as a centrally controlled, high-performance scanner used to discover, fingerprint and continuously map exposed services at scale.”
JDY moves fast on newly disclosed flaws
The Chinese advanced persistent threat (APT) actors are said to be exploiting the exposed devices using newly disclosed vulnerabilities almost as quickly as the flaws become public.
"The speed at which threat actors weaponize vulnerabilities continues to shrink," the researchers warned, noting that exposed internet-facing devices remain attractive targets because many organizations struggle to patch them quickly.
The researchers say one of the more notable discoveries was “a selective increase in scans of Fortinet equipment” immediately after the company disclosed a new critical vulnerability this April.
China-linked botnet gathers intelligence at scale
Researchers say that, in addition to vulnerability reconnaissance, JDY command-and-control (C2) servers direct the bots to collect service and banner details, TLS certificates, and protocol metadata, and to perform high-volume TCP, UDP, SSL, and ICMP-assisted probing.
The results are then fed “to central servers for low-profile, continuous intelligence gathering that aids China-nexus threat actors.”
This larger botnet infrastructure is said to support additional cyber operations, such as follow-on asset discovery, target identification, vulnerability-targeting pipelines, and further downstream exploitation, as well as aggregation and analysis.
The intelligence gathering is reminiscent of previous Chinese espionage campaigns, particularly those of Volt Typhoon, which has been found lurking in the computer networks of US ports, water utilities, airports, and other infrastructure targets, activity US authorities have traced back to 2021.
Routers help attackers hide in plain sight
Researchers say the botnet has also expanded its victim pool by targeting a growing list of routers and other embedded devices – increasingly attractive targets for both cybercriminals and advanced threat actors.
Unlike traditional endpoints, many network devices remain online for years, frequently run outdated firmware, and are often managed by small IT teams or consumers who may never install security updates.
“Previously, the JDY cluster was comprised exclusively of two Cisco router models: RV320 and RV325.”
Currently, the bot network is comprised of multiple devices from nearly a dozen manufacturers, including Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys, they said.
“By distributing scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked,” Black Lotus Labs said.
This also allows compromised device activity to seamlessly blend in with legitimate user traffic, while also maintaining global reach and persistence, they noted.
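The evasion described above, spreading probes across many compromised source addresses so that no single IP trips a per-source scan threshold, has a direct consequence for detection: counting per source is not enough. The following is an added example, not code from Black Lotus Labs or from the report, that runs two detectors over a handful of constructed firewall deny lines. The log format, the IP addresses, the 60-second window and the thresholds (5 ports per source, 5 distinct sources per port) are all assumptions chosen for the demonstration; adjust them to your own log source and traffic baseline.

```python
"""Distributed-scan detection over firewall deny logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed key=value syslog-style deny line; real firewalls differ, adapt the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=deny src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: eight distinct sources each send ONE probe to TCP/443
# within a minute (the distributed pattern), plus one noisy host that sweeps
# six ports on the same target (the classic single-source scan).
SAMPLE_LOGS = """\
2024-04-10T12:00:01Z action=deny src=203.0.113.10 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:07Z action=deny src=203.0.113.22 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:13Z action=deny src=203.0.113.35 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:19Z action=deny src=203.0.113.41 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:25Z action=deny src=203.0.113.58 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:31Z action=deny src=203.0.113.64 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:37Z action=deny src=203.0.113.77 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:43Z action=deny src=203.0.113.89 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:50Z action=deny src=192.0.2.99 dst=198.51.100.5 dport=22 proto=tcp
2024-04-10T12:00:51Z action=deny src=192.0.2.99 dst=198.51.100.5 dport=23 proto=tcp
2024-04-10T12:00:52Z action=deny src=192.0.2.99 dst=198.51.100.5 dport=80 proto=tcp
2024-04-10T12:00:53Z action=deny src=192.0.2.99 dst=198.51.100.5 dport=443 proto=tcp
2024-04-10T12:00:54Z action=deny src=192.0.2.99 dst=198.51.100.5 dport=8080 proto=tcp
2024-04-10T12:00:55Z action=deny src=192.0.2.99 dst=198.51.100.5 dport=8443 proto=tcp
2024-04-10T12:01:30Z action=deny src=203.0.113.10 dst=198.51.100.5 dport=10443 proto=tcp
"""

WINDOW_SECONDS = 60  # assumed aggregation window


def parse_logs(text):
    """Parse matching lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "dport": int(m["dport"]), "proto": m["proto"]})
    return events


def bucket(ts, window=WINDOW_SECONDS):
    """Fixed time bucket: epoch seconds floored to the window size."""
    return int(ts.timestamp()) // window * window


def single_source_scanners(events, min_ports=5, window=WINDOW_SECONDS):
    """Classic per-source rule: one IP touching >= min_ports ports in a window.
    Misses a botnet that sends one probe per source."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], bucket(e["ts"], window))].add(e["dport"])
    return sorted({src for (src, _), p in ports.items() if len(p) >= min_ports})


def distributed_scan_alerts(events, min_sources=5, window=WINDOW_SECONDS):
    """Invert the aggregation: group by (dport, window) and count DISTINCT
    sources. Returns (dport, source_count) pairs at or above min_sources."""
    sources = defaultdict(set)
    for e in events:
        sources[(e["dport"], bucket(e["ts"], window))].add(e["src"])
    return sorted(
        (dport, len(s)) for (dport, _), s in sources.items() if len(s) >= min_sources
    )


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("per-source scanners:", single_source_scanners(evts))
    print("distributed scan alerts (dport, distinct sources):",
          distributed_scan_alerts(evts))
```

On the sample, the per-source rule flags only the noisy host, while every 203.0.113.x bot stays under the threshold with a single probe each; grouping by destination port instead surfaces nine distinct sources hitting TCP/443 inside one minute. The same per-port aggregation, compared against a baseline, is also how a sudden, service-specific increase in probes against one vendor's management port would stand out.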
From KV-botnet to Volt Typhoon concerns
Black Lotus Labs says the JDY cluster was first observed in December 2023 – one of four botnet clusters linked to the then recently discovered KV-botnet.
The KV-botnet was described by researchers as “a covert network of thousands of SOHO routers and firewall devices used by China-based APTs, most notably Volt Typhoon, to conduct espionage and intelligence operations targeting US critical infrastructure.”
Although the US government partly dismantled the KV-botnet soon after, Black Lotus Labs said the JDY cluster remained an active threat, with some 650 known infected devices at the time.
That concern has intensified following a series of warnings about Volt Typhoon, which has been repeatedly accused of infiltrating critical infrastructure networks across the US since 2021.
US officials have previously said Volt Typhoon relied heavily on compromised routers and other network equipment to obscure the origin of its activity and to move on to other targets.
Suspicions of persistent access to US infrastructure have led the White House to recently restrict certain Chinese and other foreign-made networking equipment over national security concerns.
Meanwhile, in 2024, China claimed that US intelligence agencies crafted the Volt Typhoon narrative “to win public support and pressure policymakers to allow the extension of invasive US surveillance powers.”
Black Lotus Labs recommends that defenders follow guidance issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) on hardening systems, reducing external attack surfaces and remediating devices compromised by Chinese APTs, specifically Volt Typhoon.
The researchers also urge defenders to follow best practices for routers, firewalls, and IoT devices, such as rebooting them regularly and promptly installing security updates.