China-nexus hijacked-device proxy network campaign
Campaign
Summary
Hide ▲
Show ▼
China-nexus hackers are using JDY, a covert SOHO/IoT reconnaissance network, to expand targeted scanning and service fingerprinting across exposed infrastructure. The botnet has grown to 1,500+ compromised devices, uses Tor-controlled C2/payload servers, and can switch between raw-socket SYN scanning and standard TCP/TLS/UDP/ICMP probing to collect structured reconnaissance data. Researchers say the activity supports broader adversary targeting and exploitation pipelines, with abuse of newly disclosed edge-device flaws such as CVE-2026-35616 to deliver a shell-script dropper and payloads.
Related Happenings
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices
Malware Activity
H score33
First: 10.06.2026 19:08
Last: 10.06.2026 19:08
Sources 1
How related:
The malware that facilitates scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, carry out high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server.
About this happening:
The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...
JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices
Malware ActivityHow related: The malware that facilitates scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, carry out high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server.
About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...
17-Million-device botnet cyberattack infrastructure
Malware Activity
H score16
First: 29.05.2026 17:26
Last: 29.05.2026 17:26
Sources 1
About this happening:
**Dutch authorities** disrupted a **botnet** that controlled at least **17 million infected devices** and used **more than 200 servers in the Netherlands**. The network was used t...
17-Million-device botnet cyberattack infrastructure
Malware ActivityAbout this happening: **Dutch authorities** disrupted a **botnet** that controlled at least **17 million infected devices** and used **more than 200 servers in the Netherlands**. The network was used t...
Latest development: 31.05.2026 15:22
Dutch police and the NCSC said the botnet controlled at least 17 million infected devices and used more than 200 servers in the Netherlands; local reporting linked the service to Asocks residential proxies, and the infrastructure provider reportedly took the botnet offline after the police seizure.
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
H score36
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Timeline
-
23.04.2026 15:28 3 articles · 2mo ago
NCSC-UK warns on China-nexus proxy networks
Initial DisclosureNCSC-UK and international partners warn that China-nexus hackers are increasingly using large-scale proxy networks built from hijacked consumer devices, including compromised SOHO routers, IoT and smart devices, cameras, video recorders, and NAS equipment, to route traffic through chained nodes and evade geographic detection; the advisory also recommends multifactor authentication, network-edge mapping, dynamic threat feeds, IP allowlists, zero-trust controls, and machine certificate verification.
Show sources
- UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
- China-Backed Hackers Are Industrializing Botnets — www.darkreading.com — 23.04.2026 23:52
- China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance — thehackernews.com — 10.06.2026 19:08