A newly discovered cyberattack campaign, dubbed Operation WrtHug, has compromised tens of thousands of ASUS routers that are end-of-life (EoL) or outdated. The operation has recruited these devices into a vast network of botnets.
Over the past six months, SecurityScorecard’s STRIKE team identified more than 50,000 unique IP addresses of compromised devices globally. The most affected regions include Taiwan, the United States and Russia, although infections have also been reported in Southeast Asia and European countries.
Attack Details and Affected Devices
The WrtHug campaign exploits multiple known (n-day) vulnerabilities in ASUS EoL routers. The attackers' main goal is to gain elevated privileges on the devices.
- Exploited service: 99% of the services exhibiting the indicator of compromise (IoC) are ASUS AiCloud, a proprietary service that exposes the router's local storage over the Internet. Attackers exploit vulnerabilities in this service to gain initial access.
- Specific IoC: all infected routers share a unique self-signed TLS certificate. Notably, its expiration date is set 100 years after April 2022, which points to planned long-term use.
- Persistence mechanism: attackers chain command injection and authentication bypass to deploy persistent backdoors over SSH, abusing the router's legitimate functions so that the backdoor survives reboots and firmware updates.
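As an added, defender-side example (not code from the STRIKE report), the check below flags a TLS certificate that matches the WrtHug indicator described above: self-signed, issued in April 2022 and valid for roughly 100 years. The certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; their subject and issuer names are placeholders, since the real certificate's fields are not given on this page.

```python
import ssl
from datetime import datetime, timezone

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed samples in getpeercert() shape; names are placeholders, not real IoCs.
SUSPECT_CERT = {
    "subject": ((("commonName", "router.local"),),),
    "issuer": ((("commonName", "router.local"),),),   # issuer == subject: self-signed
    "notBefore": "Apr 15 00:00:00 2022 GMT",
    "notAfter": "Apr 15 00:00:00 2122 GMT",            # 100 years later
}
BENIGN_CERT = {
    "subject": ((("commonName", "router.local"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def validity_years(cert):
    """Length of the certificate's validity window in years."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / SECONDS_PER_YEAR


def is_self_signed(cert):
    """Cheap self-signature heuristic: issuer name equals subject name."""
    return cert["subject"] == cert["issuer"]


def assess(cert, max_years=50):
    """Return (verdict, reasons): 'match' for the WrtHug pattern,
    'suspicious' for other long-lived self-signed certs, else 'ok'."""
    reasons = []
    years = validity_years(cert)
    if is_self_signed(cert):
        reasons.append("self-signed (issuer == subject)")
    if years > max_years:
        reasons.append(f"validity span of {years:.0f} years exceeds {max_years}")
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if is_self_signed(cert) and issued.year == 2022 and issued.month == 4 and years >= 99:
        reasons.append("matches WrtHug IoC: issued April 2022, expires ~100 years later")
        return "match", reasons
    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    for name, cert in (("suspect", SUSPECT_CERT), ("benign", BENIGN_CERT)):
        print(name, assess(cert))
```

For a live check, the same function can be fed the dictionary that `getpeercert()` returns from a verified connection, or one built from a PEM fetched with `ssl.get_server_certificate()` and parsed by a library such as `cryptography`.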
The list of ASUS router models targeted in these attacks includes:
- ASUS Wireless Router 4G-AC55U
- ASUS Wireless Router 4G-AC860U
- ASUS Wireless Router DSL-AC68U
- ASUS Wireless Router GT-AC5300
- ASUS Wireless Router GT-AX11000
- ASUS Wireless Router RT-AC1200HP
- ASUS Wireless Router RT-AC1300GPLUS
- ASUS Wireless Router RT-AC1300UHP
Links to Other Threats and Attribution
Although the actor behind Operation WrtHug has not been formally identified, the extensive targeting of Taiwan and the overlap with tactics seen in ORB (Operational Relay Box) campaigns by Chinese hacking groups suggest that it could be the work of an actor affiliated with China.
The WrtHug campaign shares similarities with other botnets and ORB networks linked to China. In addition, a potential connection has been found with another botnet of Chinese origin called AyySSHush (also known as ViciousTrap): seven IP addresses of infected devices show signs of compromise associated with both the WrtHug and AyySSHush campaigns. This connection is based on the shared exploitation of the CVE-2023-39780 vulnerability.
Conclusions and References
Cybersecurity experts note that this research underscores a growing trend of malicious actors attacking routers and other network devices in mass infection operations. These campaigns, often linked to China-nexus actors, are executed in a calculated manner to expand their global reach. The exploitation of EoL devices, which no longer receive security patches, greatly facilitates the proliferation of these threats.
References
Exploited vulnerabilities:
- CVE-2023-41345
- CVE-2023-41346
- CVE-2023-41347
- CVE-2023-41348
- CVE-2023-39780
- CVE-2024-12912
- CVE-2025-2492