China-Linked JDY Botnet Expands to Over 1,500 Devices for Intelligence Gathering

Bottom Line: A China-linked botnet with over 1,500 compromised devices systematically maps exposed services for state-sponsored intelligence gathering.

Security researchers have documented an expansion of the JDY botnet, operated by state-sponsored actors with ties to China. The network now comprises over 1,500 SOHO and IoT devices and is being used for large-scale network reconnaissance.

The JDY botnet functions as a high-performance, centrally controlled scanning system. Its primary function is to discover exposed services, capture their characteristics, and continuously map what is publicly accessible. According to researchers from Lumen, the network is a distributed intelligence collection tool built from compromised SOHO routers and IoT devices.

The expansion to over 1,500 infected devices points to a systematic strategy for infrastructure mapping, which typically precedes pre-reconnaissance of target networks. Such large-scale scanning enables operators to identify vulnerabilities in security configurations and locate potential attack vectors before conducting targeted exploitation.

For CISOs, this is an indicator of active state-sponsored intelligence gathering, as a botnet of this size and level of control suggests infrastructure resources that typically only state-funded actors mobilize. The continuous mapping of exposed services means that new entry points into potential target organizations are regularly identified.


Source: thehackernews.com · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.