SOC Prime Bias: Critical

12 Jun 2026 06:05 UTC

JDY Botnet Growth Enables Faster Exploitation of IoT and SOHO Flaws

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Black Lotus Labs has identified renewed activity from the JDY botnet, a China-linked network of more than 1,500 compromised SOHO and IoT devices used for large-scale scanning and fingerprinting. The botnet receives instructions from a centralized command-and-control system, carries out targeted multi-protocol scans, and returns structured telemetry that helps operators exploit newly disclosed vulnerabilities quickly. Its infrastructure is obscured through Tor, while an open-source platform called Platypus is used to manage infected devices. The activity is focused on U.S. military and critical infrastructure targets.

Investigation

The investigation traced JDY traffic to a payload server at 149.248.3.38, which hosted a Platypus service on port 13339, and uncovered a bash-based dropper that retrieves architecture-specific binaries through busybox, curl, or wget. Malware samples were examined to identify command-line options, beaconing behavior, task retrieval through encrypted HTTPS endpoints, and adaptive scanning methods such as raw-packet SYN probing. The report also connects JDY to the earlier KV-botnet and associates the activity with the Chinese APT group Volt Typhoon.

Mitigation

Recommended defenses include following U.K. NCSC and CISA guidance for countering China-linked covert infrastructure, hardening router and IoT firmware, rebooting and patching devices regularly, and using SASE or similar controls to reduce external exposure. Security teams should also monitor for unusual outbound TLS sessions to unfamiliar IP addresses and unexpected scanning activity originating from internal edge devices.

Response

If JDY activity is detected, isolate the affected device immediately, block outbound traffic to the identified command-and-control IP and port, and remove any malicious binaries. Detection content should cover the auditdy process name and the Platypus service; a broader network sweep should then look for other IoT devices showing the same beaconing pattern. Firmware should then be updated, and patches applied to any exposed vulnerable products, including the Fortinet devices referenced in the report.
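Worked detection logic for the three indicators named above: a connection to the Platypus service on the payload server (149.248.3.38:13339), the auditdy process name, and an internal edge device reaching many distinct external endpoints in a short window (the SYN-probing behaviour). This is an added example, not SOC Prime's rule or code from the Black Lotus Labs report; the flow records are constructed and the scan threshold of 20 endpoints per minute is an assumption.

```python
from collections import defaultdict

# Indicators taken from the report text above
JDY_C2_IP = "149.248.3.38"
PLATYPUS_PORT = 13339
JDY_PROCESS = "auditdy"
# Assumed threshold: distinct external (ip, port) targets per source within one minute
SCAN_THRESHOLD = 20

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, process_name)
SAMPLE_FLOWS = (
    [(1000, "10.0.0.1", "149.248.3.38", 13339, "auditdy")]                        # beacon to Platypus
    + [(1001 + i, "10.0.0.7", f"203.0.113.{i}", 443, "sshd") for i in range(25)]  # SYN sweep from edge box
    + [(1100, "10.0.0.9", "198.51.100.5", 443, "curl")]                           # ordinary TLS session
)


def detect_jdy(flows, threshold=SCAN_THRESHOLD, window=60):
    """Return sorted (source_ip, finding) pairs for the JDY indicators found in `flows`."""
    findings = []
    targets = defaultdict(list)  # src_ip -> [(ts, (dst_ip, dst_port)), ...]
    for ts, src, dst, dport, proc in flows:
        if dst == JDY_C2_IP and dport == PLATYPUS_PORT:
            findings.append((src, "platypus_c2"))
        if proc == JDY_PROCESS:
            findings.append((src, "jdy_process"))
        targets[src].append((ts, (dst, dport)))

    # Sliding window: a source that touches `threshold` distinct endpoints within
    # `window` seconds is behaving like a scanner, not like a normal client
    for src, events in targets.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {endpoint for ts, endpoint in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                findings.append((src, "edge_scanning"))
                break
    return sorted(set(findings))


if __name__ == "__main__":
    for src, finding in detect_jdy(SAMPLE_FLOWS):
        print(f"{src}\t{finding}")
```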

Attack Flow

    graph TB
    %% Class definitions
    classDef technique fill:#c2e0ff
    classDef tool fill:#d9d9d9
    classDef process fill:#ffeb99

    %% Nodes - techniques
    ingress_tool_transfer["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b><br/>Downloads the JDY binary onto compromised devices using wget, curl or busybox."]
    class ingress_tool_transfer technique
    system_info_discovery["<b>Technique</b> – <b>T1082 System Information Discovery</b><br/>Collects OS, kernel version, CPU architecture, uptime and memory information."]
    class system_info_discovery technique
    firmware_software_gather["<b>Technique</b> – <b>T1592.003 Firmware</b> and <b>T1592.002 Software</b><br/>Gathers firmware version and installed software details to compute a unique probe_id."]
    class firmware_software_gather technique
    sandbox_evasion["<b>Technique</b> – <b>T1497.001 Virtualization/Sandbox Evasion</b><br/>Performs environment checks to avoid execution inside analysis sandboxes."]
    class sandbox_evasion technique
    indicator_removal["<b>Technique</b> – <b>T1070.004 File Deletion</b><br/>Deletes dropper files after payload launch to reduce forensic evidence."]
    class indicator_removal technique
    hide_infra["<b>Technique</b> – <b>T1665 Hide Infrastructure</b><br/>Uses hidden Tor-based web services to conceal command-and-control endpoints."]
    class hide_infra technique
    c2_web_service["<b>Technique</b> – <b>T1102 Web Service</b><br/>Communicates with C2 over HTTP(S) via the hidden Tor service."]
    class c2_web_service technique
    active_scanning["<b>Technique</b> – <b>T1595.002 Active Scanning - Vulnerability Scanning</b><br/>Receives high-volume scanning tasks and performs multi-protocol (TCP SYN, UDP, SSL, ICMP) scans."]
    class active_scanning technique
    network_discovery["<b>Technique</b> – <b>T1016.001 Internet Connection Discovery</b><br/>Enumerates open ports, captures banners, TLS certificates and service fingerprints."]
    class network_discovery technique
    data_archiving["<b>Technique</b> – <b>T1560 Archive Collected Data</b><br/>Compresses results and encrypts them with a hard-coded AES key."]
    class data_archiving technique
    execution_guardrails["<b>Technique</b> – <b>T1480.001 Environmental Keying</b><br/>Uses environment-specific keys to ensure payload runs only on intended hosts."]
    class execution_guardrails technique
    exfiltration["<b>Technique</b> – <b>T1102 Web Service (Exfiltration)</b><br/>Posts encrypted scan results to C2 endpoint '/data/v2/pscan'."]
    class exfiltration technique

    %% Connections showing attack flow
    ingress_tool_transfer -->|leads to| system_info_discovery
    system_info_discovery -->|provides data for| firmware_software_gather
    firmware_software_gather -->|feeds| sandbox_evasion
    sandbox_evasion -->|allows continuation to| indicator_removal
    indicator_removal -->|clears artifacts before| hide_infra
    hide_infra -->|establishes hidden channel for| c2_web_service
    c2_web_service -->|delivers scanning tasks to| active_scanning
    active_scanning -->|generates network data for| network_discovery
    network_discovery -->|outputs data to| data_archiving
    data_archiving -->|applies| execution_guardrails
    execution_guardrails -->|prepares payload for| exfiltration
    exfiltration -->|stores results on| c2_web_service

    %% Styling
    class ingress_tool_transfer,system_info_discovery,firmware_software_gather,sandbox_evasion,indicator_removal,hide_infra,c2_web_service,active_scanning,network_discovery,data_archiving,execution_guardrails,exfiltration technique

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The JDY operator wants to retrieve the next stage payload from its hard-coded server (149.248.3.38). To hide the C2 channel, the operator also attempts a Tor-routed connection, hoping the “tor” regex will flag it. On a compromised Windows host, the attacker runs a PowerShell one-liner that opens a TCP socket to the payload server, then uses the Tor executable (tor.exe) to resolve a hidden service and connect to it. Both actions produce outbound firewall events that should satisfy the Sigma rule.

  • Regression Test Script:

    # JDY Botnet activity simulation - triggers the Sigma rule
    # -------------------------------------------------------
    # 1. Direct connection to the known payload server
    $payloadIp   = "149.248.3.38"
    $payloadPort = 80
    try {
        $sock = New-Object System.Net.Sockets.TcpClient($payloadIp, $payloadPort)
        # ${var} braces are needed here: "$payloadIp:" would be parsed as a scope-qualified variable
        Write-Output "Connected to JDY payload server (${payloadIp}:${payloadPort})"
        $sock.Close()
    } catch {
        Write-Error "Failed to connect to payload server: $_"
    }

    # 2. Tor-based connection (simulated via hostname containing 'tor')
    #    Assumes tor.exe is in PATH and a Tor SOCKS proxy is listening on 127.0.0.1:9050
    $torDest  = "exampletorhiddenservice.onion"
    $torPort  = 443
    $torProxy = "127.0.0.1:9050"
    try {
        # A .onion name cannot be resolved by the OS resolver; a Tor-routed connection goes
        # through the local SOCKS proxy, so that is the socket host telemetry will record
        $proxyHost, $proxyPort = $torProxy -split ':'
        Write-Output "Attempting Tor connection to ${torDest}:${torPort} via $torProxy"
        $client = New-Object System.Net.Sockets.TcpClient($proxyHost, [int]$proxyPort)
        $client.Close()
    } catch {
        Write-Error "Tor connection failed: $_"
    }

    # End of simulation - firewall should have logged two outbound attempts

  • Cleanup Commands:

    # The simulation closes its own sockets; confirm nothing is still open to the payload server.
    # Windows has no cmdlet to tear down a single TCP connection, so any lingering socket is
    # listed here (with its owning process) rather than forcibly closed.
    Get-NetTCPConnection -RemoteAddress "149.248.3.38" -RemotePort 80,443 -ErrorAction SilentlyContinue |
        Select-Object LocalPort, RemotePort, State, OwningProcess
    # If tor.exe was started, stop it
    Stop-Process -Name "tor" -ErrorAction SilentlyContinue