Back to Intelligence

Defending Critical Infrastructure Against the Expanded JDY Botnet Campaign

SA
Security Arsenal Team
June 10, 2026
7 min read

Introduction

The threat landscape facing U.S. critical infrastructure and military networks has escalated with the reported expansion of the JDY compromised device network. Previously associated with the state-sponsored group Volt Typhoon, this botnet has shifted from opportunistic scanning to highly targeted reconnaissance against U.S. military and defense industrial base (DIB) networks.

For SOC analysts and defenders, this is not just a headline; it is an active call to action. The JDY botnet functions by enslaving small office/home office (SOHO) routers and end-of-life (EOL) network devices, transforming them into covert proxy nodes. This allows threat actors to route malicious traffic through legitimate IP addresses, effectively bypassing geoblocking and making attribution difficult. Defenders must assume that network perimeter devices are currently under siege and act to validate the integrity of their edge infrastructure.

Technical Analysis

Affected Infrastructure

While the specific CVE identifiers for the initial access vectors on these devices are not detailed in the current intelligence update, historical analysis of JDY and Volt Typhoon campaigns indicates a heavy reliance on unpatched, EOL networking equipment. This includes routers from major vendors that have reached end-of-support status and no longer receive security patches.

Attack Chain and Tactics

  1. Initial Compromise: Threat actors exploit weak default credentials or unpatched vulnerabilities in internet-facing SOHO routers and IoT devices.
  2. Botnet Integration: The compromised device is enrolled in the JDY network, often receiving modified firmware or malicious binaries to maintain persistence and proxy capabilities.
  3. Proxying and Reconnaissance: The actor uses the compromised device as a jump host. They tunnel reconnaissance traffic (scanning, port probing) through the device to target U.S. military networks. This obfuscates the source of the attack, making it appear as though traffic originates from a residential or small business ISP.
  4. Living Off the Land: To avoid detection, the actors utilize built-in networking tools (e.g., ping, traceroute, socat) on the compromised routers rather than dropping easily detectable malware files.

Exploitation Status

Intelligence confirms active exploitation. This is a "in-the-wild" scenario. The JDY network is not a theoretical construct; it is currently operational and expanding its scope of targets. The absence of a specific 2025/2026 CVE in this report suggests the actors are successfully leveraging existing weaknesses in configuration and patch management rather than relying on a new zero-day.

Detection & Response

Detecting a compromised router acting as a proxy node is challenging because the device itself is often "outside" the traditional visibility of the SOC (no EDR agent). Therefore, detection relies heavily on network telemetry (NetFlow, Firewall logs, Zeek/Bro data) to identify behavioral anomalies.

SIGMA Rules

The following rules target network behaviors indicative of a device acting as a proxy or participating in a botnet. Focus on high connection volumes and non-standard port usage.

YAML
---
title: Potential Botnet Proxy Activity - High Egress Connection Count
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects internal hosts contacting a high number of unique external IP addresses, potentially indicative of a compromised proxy node or scanning activity.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: firewall
detection:
  selection:
    Initiated: 'true'
  condition: selection | count(DestinationIp) > 50
timeframe: 5m
falsepositives:
  - Legitimate update servers
  - High-traffic web proxies
level: high
---
title: Suspicious Outbound Traffic on Non-Standard Ports
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Identifies outbound connections from internal network ranges to external destinations on non-standard ports commonly used for tunneling or proxying by botnets.
references:
  - https://attack.mitre.org/techniques/T1572/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1572
logsource:
  category: network_connection
  product: firewall
detection:
  selection:
    DestinationPort|notin:
      - 80
      - 443
      - 22
      - 53
    SourceAddress|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection
falsepositives:
  - VoIP traffic
  - Gaming traffic
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query identifies internal IP addresses communicating with a large number of distinct external endpoints, a strong indicator of proxying behavior or botnet participation.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
let Threshold = 50;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where ActionType == "ConnectionInitiated"
| extend ExternalIP = iff(RemoteIPType == "Public", RemoteIP, "")
| where isnotempty(ExternalIP)
| summarize DistinctExternalIPs = dcount(ExternalIP), ExternalIPList = make_set(ExternalIP, 100) by LocalIP, DeviceName
| where DistinctExternalIPs > Threshold
| order by DistinctExternalIPs desc
| project LocalIP, DeviceName, DistinctExternalIPs, ExternalIPList

Velociraptor VQL

While EDR is rare on routers, this artifact hunts for suspicious network connections on Linux-based servers or gateways that might be compromised, looking for established connections to unknown external endpoints.

VQL — Velociraptor
-- Hunt for active established connections to unknown external hosts
SELECT Fqdn, RemoteAddr, RemotePort, State, Pid, StartTime
FROM netstat()
WHERE State = 'ESTABLISHED'
  -- Exclude common local/private IP ranges to focus on egress
  AND NOT regex(source=RemoteAddr, pattern='^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)')
  -- Exclude standard web ports to reduce noise (tune as needed)
  AND RemotePort NOT IN (80, 443)

Remediation Script (Bash)

Use this script on Linux-based edge devices (routers/gateways) to check for common compromise indicators and harden the configuration. Note: This must be run with root privileges.

Bash / Shell
#!/bin/bash

# JDY Botnet Hardening and Verification Script
# Run with elevated privileges

LOG_FILE="/var/log/jdy_hardening.log"
echo "Starting JDY Hardening Check - $(date)" >> $LOG_FILE

# 1. Check for unknown users in passwd file (UID >= 1000)
echo "[+] Checking for unauthorized user accounts..." >> $LOG_FILE
grep -E ':[0-9]{4,}:' /etc/passwd | grep -v -E '(nobody|systemd)' >> $LOG_FILE

# 2. Check listening network services
# Look for processes listening on non-standard high ports
netstat -tulpn | grep LISTEN | awk '{print $4, $7}' >> $LOG_FILE

# 3. Disable Telnet if active (common vector)
if systemctl is-active --quiet telnet.socket || systemctl is-enabled --quiet telnet.socket; then
    echo "[!] Telnet is active. Disabling..." >> $LOG_FILE
    systemctl stop telnet.socket
    systemctl disable telnet.socket
else
    echo "[+] Telnet is not active." >> $LOG_FILE
fi

# 4. Ensure SSH is configured securely (Root login disabled)
if [ -f /etc/ssh/sshd_config ]; then
    if grep -q "^PermitRootLogin yes" /etc/ssh/sshd_config; then
        echo "[!] Root login via SSH is permitted. Hardening..." >> $LOG_FILE
        sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
        systemctl restart sshd
    else
        echo "[+] SSH Root login check passed." >> $LOG_FILE
    fi
fi

echo "Hardening complete. Review $LOG_FILE."

Remediation

Given the active exploitation status of the JDY network, immediate defensive actions are required:

  1. Asset Inventory & EOL Identification: Conduct an immediate inventory of all network perimeter devices (routers, firewalls, VPN concentrators). Identify any devices that are End-of-Life (EOL) or End-of-Support (EOS). Action: Plan for the immediate replacement or segmentation of EOL devices.

  2. Credential Hygiene: Enforce a policy of changing default credentials on all network devices. Use strong, unique passwords for local administrative accounts and enforce Multi-Factor Authentication (MFA) for management interfaces.

  3. Disable Unused Management Interfaces: Ensure that management interfaces (SSH, Telnet, HTTP/HTTPS) are not exposed to the public internet unless absolutely necessary. Utilize VPNs or jump hosts for administrative access.

  4. Network Segmentation: Isolate IoT and SOHO devices from critical operational networks. If a device is compromised, segmentation prevents it from being used as a pivot point to access military or sensitive data.

  5. Traffic Analysis: Enable NetFlow or sFlow data collection on perimeter routers. Analyze baseline traffic patterns and configure alerts for deviations, such as sudden increases in outbound connections or traffic to unusual ports.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemjdy-botnetvolt-typhoonthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action