China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance

Cybersecurity researchers have warned of a "resurgence and expansion" of JDY, a covert network associated with China-nexus state-sponsored threat actors. "The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale," Lumen's

The article reports on the JDY botnet, a China-linked network of over 1,500 compromised SOHO and IoT devices that is being used for large-scale scanning, fingerprinting, and continuous mapping of exposed services to support state-sponsored cyber operations.[1][2] This reconnaissance infrastructure can feed targeting data into advanced offensive tooling, including AI-assisted attack planning and automated exploitation chains. From a CyberSE.AI perspective, organizations relying on internet-exposed SOHO/IoT devices or third-party infrastructure should treat this as a supply-chain style exposure and harden discovery, patching, and segmentation to reduce how much attack-surface telemetry hostile actors can gather. Security teams should also factor adversary reconnaissance at this scale into AI threat modeling, including how attacker-collected service data could be used to train or tune AI systems for more precise and automated attacks.