Find notable cyber news and cases, enriched with sources, timelines, and signals.

China-nexus hijacked-device proxy network campaign

Campaign
First reported
Last updated
Happening score
H score 43
3 unique sources, 3 articles

Summary

Hide ▲

China-nexus hackers are using JDY, a covert SOHO/IoT reconnaissance network, to expand targeted scanning and service fingerprinting across exposed infrastructure. The botnet has grown to 1,500+ compromised devices, uses Tor-controlled C2/payload servers, and can switch between raw-socket SYN scanning and standard TCP/TLS/UDP/ICMP probing to collect structured reconnaissance data. Researchers say the activity supports broader adversary targeting and exploitation pipelines, with abuse of newly disclosed edge-device flaws such as CVE-2026-35616 to deliver a shell-script dropper and payloads.

Related Happenings

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score80 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
H score33 First: 10.06.2026 19:08 Last: 10.06.2026 19:08 Sources 1

How related: The malware that facilitates scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, carry out high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server.

About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...

17-Million-device botnet cyberattack infrastructure

Malware Activity
H score16 First: 29.05.2026 17:26 Last: 29.05.2026 17:26 Sources 1

About this happening: **Dutch authorities** disrupted a **botnet** that controlled at least **17 million infected devices** and used **more than 200 servers in the Netherlands**. The network was used t...

Latest development: 31.05.2026 15:22

Dutch police and the NCSC said the botnet controlled at least 17 million infected devices and used more than 200 servers in the Netherlands; local reporting linked the service to Asocks residential proxies, and the infrastructure provider reportedly took the botnet offline after the police seizure.

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
H score36 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...

Timeline

  1. 23.04.2026 15:28 3 articles · 2mo ago

    NCSC-UK warns on China-nexus proxy networks

    Initial Disclosure

    NCSC-UK and international partners warn that China-nexus hackers are increasingly using large-scale proxy networks built from hijacked consumer devices, including compromised SOHO routers, IoT and smart devices, cameras, video recorders, and NAS equipment, to route traffic through chained nodes and evade geographic detection; the advisory also recommends multifactor authentication, network-edge mapping, dynamic threat feeds, IP allowlists, zero-trust controls, and machine certificate verification.

    Show sources