Executive Summary
In June 2026, cybersecurity researchers identified a significant expansion of the JDY botnet, a network linked to Chinese state-sponsored actors such as Volt Typhoon. The botnet, which has grown from approximately 650 active bots in January 2024 to over 1,500 compromised small office/home office (SOHO) and Internet of Things (IoT) devices, primarily targets U.S. military and associated networks. JDY functions as a distributed scanning and fingerprinting network, rapidly identifying vulnerable infrastructure shortly after public vulnerability disclosures, thereby facilitating swift exploitation by advanced persistent threat (APT) actors.
This development underscores the escalating sophistication and persistence of state-sponsored cyber threats, particularly those emanating from China. The rapid operationalization of reconnaissance data by APT groups highlights the critical need for organizations, especially within the defense sector, to enhance their cybersecurity posture, promptly apply patches, and implement robust monitoring to detect and mitigate such threats.
Why This Matters Now
The JDY botnet's rapid expansion and focus on U.S. military networks highlight the urgent need for enhanced cybersecurity measures to protect national security interests against sophisticated state-sponsored cyber threats.
Attack Path Analysis
The JDY botnet, linked to Chinese state-sponsored actors, compromised over 1,500 SOHO and IoT devices to conduct large-scale reconnaissance. It exploited newly disclosed vulnerabilities to gain initial access, escalated privileges to perform high-speed scanning, moved laterally to map vulnerable infrastructure, established command and control via hidden Tor services, and exfiltrated reconnaissance data to central servers for further exploitation.
Kill Chain Progression
Initial Compromise
Description
The JDY botnet exploited newly disclosed vulnerabilities in SOHO and IoT devices to gain initial access.
Related CVEs
CVE-2026-35616
CVSS 9.8An improper access control vulnerability in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute unauthorized code or commands via crafted requests.
Affected Products:
Fortinet FortiClientEMS – 7.4.5, 7.4.6
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Application Layer Protocol: Web Protocols
Network Service Scanning
Active Scanning: Vulnerability Scanning
Valid Accounts
Proxy: Multi-hop Proxy
Exploitation for Client Execution
External Remote Services
Remote Services: SMB/Windows Admin Shares
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Defense/Space
Primary target of China-linked JDY botnet reconnaissance operations focusing on U.S. military networks through compromised SOHO routers and IoT devices for vulnerability exploitation.
Telecommunications
Critical infrastructure exposure through compromised network devices from Cisco, Ubiquiti, and others enabling lateral movement and command-and-control operations across telecommunications backbone systems.
Computer/Network Security
Security infrastructure compromised via botnet targeting of firewalls and edge devices, undermining zero trust segmentation and encrypted traffic monitoring capabilities across enterprise networks.
Government Administration
Government networks vulnerable to reconnaissance and data exfiltration through compromised edge devices, requiring enhanced egress security and anomaly detection for critical administrative systems.
Sources
- China-linked JDY botnet expands targeting of U.S. military networkshttps://www.bleepingcomputer.com/news/security/china-linked-jdy-botnet-expands-targeting-of-us-military-networks/Verified
- Expanded JDY IoT and SOHO botnet enables rapid vulnerability exploitationhttps://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitationVerified
- Vulnerability impacting Fortinet FortiClientEMS - CVE-2026-35616https://www.cyber.gc.ca/en/alerts-advisories/al26-007-vulnerability-impacting-fortinet-forticlientems-cve-2026-35616Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the JDY botnet's ability to exploit vulnerabilities, escalate privileges, and move laterally within the network, thereby reducing the potential blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The botnet's ability to exploit vulnerabilities in SOHO and IoT devices would likely be constrained, reducing the scope of initial access.
Control: Zero Trust Segmentation
Mitigation: The botnet's ability to escalate privileges and perform high-speed scanning would likely be constrained, reducing its operational effectiveness.
Control: East-West Traffic Security
Mitigation: The botnet's ability to move laterally and map internal network services would likely be constrained, reducing its ability to identify and exploit vulnerable infrastructure.
Control: Multicloud Visibility & Control
Mitigation: The botnet's ability to establish covert command and control channels would likely be constrained, reducing its ability to manage compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: The botnet's ability to exfiltrate reconnaissance data to external servers would likely be constrained, reducing the risk of data leakage.
The ability of state-sponsored actors to exploit identified vulnerabilities would likely be constrained, reducing the potential impact on critical infrastructure.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Endpoint Protection
- Incident Response
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive military network configurations and access credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the botnet's ability to scan internal networks.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- • Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads during initial compromise attempts.
- • Ensure Encrypted Traffic (HPE) to protect data in transit and prevent interception during exfiltration stages.
