The JDY botnet, operationally linked to Volt Typhoon (CISA G1017), has grown to over 1,500 compromised SOHO routers, firewalls, and IoT devices from Cisco (RV320/RV325 — end-of-life), DrayTek, Hikvision, Ubiquiti, Araknis Networks, Mimosa Networks, and Linksys. The botnet scans for newly disclosed vulnerabilities within hours of public release and feeds structured targeting intelligence to downstream Chinese nation-state operations. Cisco RV320/RV325 are end-of-life and will not receive further firmware patches, making device replacement a requirement rather than an option.