
Researchers at Lumen’s Black Lotus Labs have uncovered a covert spy network called JDY, linked to Chinese state-sponsored hackers, that has quietly taken over more than 1,500 everyday home routers and smart devices. The operators use these hijacked gadgets — located largely in the U.S. and Brazil — as a launchpad for reconnaissance: scanning networks for weaknesses, gathering information, and setting the stage for follow-on attacks. By routing traffic through devices in your neighborhood, the attackers make it harder for security teams to flag their activity as foreign.
The botnet targets small-office and home-office equipment from popular brands including Cisco (RV320 and RV325 routers), Linksys, Ubiquiti, Hikvision cameras, Draytek, and Mimosa Networks devices. Owners typically have no idea their router has been recruited into the operation, because the devices continue to work normally on the surface.
How to check if you’re affected
Affected devices include home Wi-Fi routers and smart cameras from Cisco (RV320/RV325 models), Linksys, Ubiquiti, Hikvision, Draytek, and Mimosa Networks that haven’t received recent firmware updates. A few quick steps can significantly reduce your risk:
- Update your router’s firmware. Log in to your router’s admin page (usually at 192.168.1.1 or 192.168.0.1) and look for a “Firmware Update” or “Software Update” option. Apply any available updates.
- Change your admin password. If you’re still using the default password printed on the back of your router, change it to something unique.
- Turn off remote management. In your router settings, look for “Remote Administration” or “Remote Access” and disable it if it’s on.
- Restart your router. A reboot clears any malware that is only running in memory (though a full firmware update is still needed for persistent infections).
If your router model is listed above and is several years old with no available firmware updates, contact your internet provider or consider replacing it with a current model.
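For anyone looking after more than one device, the checklist above can be applied to a simple inventory. The script below is an added example, not from Black Lotus Labs or the original article; the CSV column names, the three-year "stale firmware" cutoff, and the sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Brands named in the article. None means "any model", because the article
# lists specific models only for Cisco (RV320 and RV325).
AFFECTED = {
    "cisco": {"rv320", "rv325"},
    "linksys": None, "ubiquiti": None, "hikvision": None,
    "draytek": None, "mimosa networks": None,
}
STALE_YEARS = 3  # assumption: the article only says "several years old"

# Constructed sample inventory; hosts and placeholder models are not real data.
SAMPLE = """host,vendor,model,firmware_date,update_available,default_password,remote_mgmt
office-gw,Cisco,RV325,2019-03-01,no,no,yes
lobby-cam,Hikvision,CAM-EXAMPLE,2023-06-01,yes,yes,no
core-sw,Cisco,SWITCH-EXAMPLE,2018-01-01,no,yes,yes
home-ap,ExampleVendor,AP-EXAMPLE,2017-01-01,no,yes,yes
"""

def is_affected(vendor, model):
    """True if the vendor (and model, where the article names one) is listed."""
    vendor, model = vendor.strip().lower(), model.strip().lower()
    if vendor not in AFFECTED:
        return False
    models = AFFECTED[vendor]
    return models is None or model in models

def triage(inventory_csv, today):
    """Return {host: [actions]} for listed devices, following the checklist."""
    plan = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["vendor"], row["model"]):
            continue
        actions = []
        age = (today - date.fromisoformat(row["firmware_date"])).days / 365.25
        if row["update_available"] == "yes":
            actions.append("update firmware")
        elif age >= STALE_YEARS:
            # Old firmware and nothing newer to install: the article's last paragraph.
            actions.append("replace or contact ISP")
        if row["default_password"] == "yes":
            actions.append("change admin password")
        if row["remote_mgmt"] == "yes":
            actions.append("disable remote management")
        actions.append("reboot")  # clears malware that lives only in memory
        plan[row["host"]] = actions
    return plan

if __name__ == "__main__":
    for host, actions in triage(SAMPLE, date.today()).items():
        print(f"{host}: {', '.join(actions)}")
```
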
