JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
Happening score
H score 33
1 unique source, 1 article

Summary

The JDY botnet has expanded to more than 1,500 compromised SOHO/IoT devices, making it a larger-scale reconnaissance scanner for exposed infrastructure and follow-on targeting. It now performs targeted scanning and service fingerprinting through a centrally controlled command structure, which increases its value as a discovery layer for attackers. The network’s growth from 650 bots in early January 2024 and its spread across the U.S., Brazil, Europe, and Asia broaden its reach and resilience. Its scan results feed downstream exploitation pipelines, giving operators timely targeting data after vulnerability disclosures.

Related Happenings

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
H score 36 · First: 21.05.2026 17:00 · Last: 21.05.2026 17:00 · Sources: 1

About this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...

China-nexus hijacked-device proxy network campaign

Campaign
H score 39 · First: 23.04.2026 15:28 · Last: 23.04.2026 15:28 · Sources: 1

How related: the stealthy network comprising compromised SOHO routers, firewalls, and IoT devices has been put to use by Chinese hacking groups like Volt Typhoon.

About this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...

SocksEscort criminal proxy-service ecosystem monetizing residential routers

Threat Actor Meta
H score 42 · First: 13.03.2026 07:26 · Last: 13.03.2026 07:26 · Sources: 1

About this happening: The **SocksEscort** proxy-service ecosystem turned compromised residential routers into a rentable abuse platform, letting criminal customers hide behind **369,000 IP addresses**...

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
H score 28 · First: 12.03.2026 18:19 · Last: 12.03.2026 18:19 · Sources: 1

About this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...

KadNap botnet turns ASUS routers into residential proxies

Malware Activity
H score 28 · First: 10.03.2026 17:01 · Last: 10.03.2026 17:01 · Sources: 1

About this happening: The **KadNap** botnet is now compromising **ASUS routers** and other edge networking devices, turning them into **residential proxies** that can hide malicious traffic. The networ...

Timeline

  1. 10.06.2026 19:08 2 articles · 1h ago

    Initial report: JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

    Initial Disclosure

    The **JDY** cluster first emerged inside **KV-botnet** in mid-December 2023, before the broader network was disrupted in early 2024. After that takedown, the operators kept the reconnaissance capability alive and expanded it beyond the original router-heavy footprint.
