Natto Thoughts

Natto Thoughts

Private Industry & Tools

Reconnaissance Scanning Tools Used by Chinese Threat Actors and Those Available in Open Source

China has its own ecosystem of scanning tools, whether for good or ill.

Natto Team's avatar
Natto Team
Sep 04, 2024
∙ Paid

Note added June 24, 2026

Several prominent cyber threat intelligence reports published in 2026 detail how Chinese state-sponsored threat actors are evolving their use of scanning and reconnaissance tools. Rather than relying on simple, indiscriminate network scans, these groups have industrialized their reconnaissance phase, often using AI automation and vast botnets of compromised devices to identify targets and map environments with extreme stealth. For example, on June 10, 2026, Black Lotus Labs exposed the resurgence and expansion of JDY, a covert botnet associated with China-nexus advanced persistent threat (APT) groups, including Volt Typhoon. The report revealed that the botnet is intentionally used as a conduit to feed “structured reconnaissance data” into a broader Chinese state scanning infrastructure.

These reports recall the Natto Team’s this research published on September 4, 2024, which detailed China’s ecosystem of scanning tools and those used by Chinese threat actors. T…

User's avatar

Continue reading this post for free, courtesy of Natto Team.

Or purchase a paid subscription.
© 2026 Natto Thoughts · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture