
JDY botnet resurgence expands to 1,500 devices for reconnaissance

Category: malware | Status: open | Jun 10, 2026 — Jun 17, 2026

The JDY botnet has re‑emerged with a network of over 1,500 compromised devices, up from roughly 650 at the start of the year, according to recent observations. Researchers at SecurityOnline, who link the activity to Chinese state‑sponsored actors, note that the botnet is primarily used for reconnaissance against military‑related networks. The expansion was first seen on 10 June 2026 and continued through 17 June 2026, indicating a steady growth phase.

The malware targets MIPS‑based routers and embedded systems, often compromising Cisco and Ubiquiti equipment that sits at the network edge. Once infected, a device runs a lightweight scanner that probes for newly disclosed vulnerabilities in adjacent subnets. Command and control traffic is routed through hidden Tor services, which obscures the origin of the scans and makes detection harder.

Although no specific CVE identifiers have been tied to the current JDY campaign, the botnet’s operators are known to weaponise flaws within hours of public disclosure. This rapid exploitation allows the network to harvest credentials and configuration data from devices that administrators have not yet patched. The focus on military‑related targets suggests an intelligence‑gathering motive rather than immediate disruption.

Security researchers tracking the botnet between 10 June and 17 June 2026 observed a steady influx of new infections, with the majority appearing in regions that host defence contractors and government agencies, according to The Hacker News. The use of diverse hardware vendors helps the botnet blend with legitimate traffic, reducing the chance of triggering signature‑based alerts. Analysts warn that the infrastructure could be repurposed for more aggressive operations if the geopolitical climate shifts.

Defenders should begin by ensuring that all edge devices run the latest firmware from their manufacturers, especially for Cisco and Ubiquiti products that are frequently targeted. Disabling remote management interfaces that are not required and restricting access to trusted IP ranges can limit the botnet’s foothold. Network administrators are also advised to monitor outbound connections for Tor entry nodes and to flag any scanning activity that originates from internal addresses.

Maintaining an accurate inventory of Internet‑facing assets helps organisations quickly identify which pieces of hardware may be at risk. Sharing indicators of compromise with trusted partners and participating in information‑sharing groups can improve the community’s ability to block malicious IP addresses associated with the JDY infrastructure. Organisations should also review authentication logs for brute‑force attempts that often precede the installation of the JDY payload. Timely patching combined with vigilant monitoring remains the most effective defence against this evolving threat.
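A detection sketch for two of the indicators recommended above, an internal host sweeping hosts in another internal subnet (the scanner behaviour of an infected edge device) and an internal host contacting a Tor relay (the C2 path). This is an added example, not code from the page or its cited researchers; the log format, the addresses and the relay list are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of "timestamp src dst dport" connection records (not real data).
SAMPLE_LOG = """\
2026-06-11T03:00:01 10.1.1.1 10.1.2.10 22
2026-06-11T03:00:01 10.1.1.1 10.1.2.11 22
2026-06-11T03:00:02 10.1.1.1 10.1.2.12 22
2026-06-11T03:00:02 10.1.1.1 10.1.2.13 22
2026-06-11T03:00:03 10.1.1.1 10.1.2.14 22
2026-06-11T03:00:03 10.1.1.1 10.1.2.15 22
2026-06-11T03:00:09 10.1.1.1 203.0.113.7 443
2026-06-11T03:01:00 10.1.3.5 10.1.3.20 443
2026-06-11T03:01:05 10.1.3.5 10.1.3.20 443
2026-06-11T03:01:07 10.1.3.5 10.1.2.10 80
"""

# Placeholder relay addresses (constructed); load a current Tor relay list in practice.
TOR_RELAYS = {"203.0.113.7", "198.51.100.42"}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_log(log: str):
    """Yield (timestamp, src, dst, dport) from the simple space-separated format."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield ts, src, dst, int(port)

def find_internal_sweeps(log: str, min_hosts: int = 5) -> dict:
    """Internal sources that reach >= min_hosts distinct internal hosts on one port:
    the horizontal probe an infected edge device runs against adjacent subnets."""
    seen = defaultdict(set)                      # (src, dport) -> {dst}
    for _, src, dst, port in parse_log(log):
        if is_internal(src) and is_internal(dst):
            seen[(src, port)].add(dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}

def find_tor_contacts(log: str, relays=TOR_RELAYS) -> list:
    """Outbound connections from internal hosts to known Tor relay addresses."""
    return [(ts, src, dst, port) for ts, src, dst, port in parse_log(log)
            if is_internal(src) and dst in relays]

if __name__ == "__main__":
    print(find_internal_sweeps(SAMPLE_LOG))   # flags 10.1.1.1 sweeping 10.1.2.0/24 on 22
    print(find_tor_contacts(SAMPLE_LOG))      # flags 10.1.1.1 -> 203.0.113.7:443
```

The threshold and relay set are the tuning knobs: raise `min_hosts` on networks with legitimate vulnerability scanners, and exclude those scanners' addresses explicitly rather than loosening the rule.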

Intelligence briefing updated Jun 17, 2026
