operation_wrthug
Operation WrtHug is the name given by SecurityScorecard's STRIKE team to a large-scale router hijacking campaign and ORB-like botnet activity involving approximately 50,000 compromised ASUS routers globally. The activity is described as China-linked, though attribution is not confirmed; SecurityScorecard states the campaign is not exactly an Operational Relay Box (ORB) but bears similarities to China-linked ORBs and botnet-style infrastructure, and the targeting patterns and tactical overlap suggest a possible China-affiliated actor.

The campaign has heavily affected outdated and end-of-life ASUS WRT routers, with significant concentrations in Taiwan, the United States, and Russia, and additional infections observed in Southeast Asia and Europe. Reported targeted models include ASUS 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP.

SecurityScorecard assessed that the operators leveraged ASUS AiCloud and multiple known n-day vulnerabilities to gain high privileges on exposed devices, including likely exploitation of CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492. The operators reportedly chained command injection and authentication bypass techniques to deploy persistent SSH backdoors, often abusing legitimate router features to survive reboots or firmware updates.

Infected routers were observed presenting a distinctive self-signed TLS certificate with a 100-year expiration from April 2022; 99% of services presenting that certificate were identified as ASUS AiCloud. The campaign has been characterized as an espionage-enabling global relay network or 'global spy network.'

SecurityScorecard noted limited overlap with the Chinese-origin botnet AyySSHush, also known as ViciousTrap, including seven IPs showing signs of compromise associated with both, but stated there is no evidence of a direct relationship beyond shared vulnerability exploitation.
Other ORB campaigns referenced for comparison include LapDogs and PolarEdge. Known alias: operation_wrthug.
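The certificate described above (self-signed, issued in April 2022, valid for roughly 100 years) is the kind of indicator a defender can turn into a triage check over certificate inventories. The following is an added example, not code from SecurityScorecard's report or from Mallory. It assumes certificate metadata in the tuple/dict shape that Python's `ssl.SSLSocket.getpeercert()` returns (the same shape many scanner exports can be mapped to); the three sample certificates are constructed for illustration and are not real observations.

```python
import ssl
from datetime import datetime, timezone

# Indicator values taken from the reporting summarized above: the certificate
# on infected routers is self-signed, dated April 2022, and valid ~100 years.
ISSUED_YEAR, ISSUED_MONTH = 2022, 4
EXPECTED_VALIDITY_DAYS = 100 * 365.25
# Generous tolerance: a "100-year" certificate may be 36500 or 36524 days
# depending on how it was generated, so we match a band rather than a point.
VALIDITY_TOLERANCE_DAYS = 400


def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s subject/issuer tuple-of-tuples into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def cert_validity_days(cert):
    """Validity period in days; cert_time_to_seconds parses the GMT strings."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def is_self_signed(cert):
    """Cheap self-signed test: issuer name equals subject name."""
    return _name_to_dict(cert["subject"]) == _name_to_dict(cert["issuer"])


def wrthug_cert_indicators(cert):
    """Return the list of matched indicators (empty list means no match)."""
    reasons = []
    if is_self_signed(cert):
        reasons.append("self-signed")
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    if (issued.year, issued.month) == (ISSUED_YEAR, ISSUED_MONTH):
        reasons.append("issued April 2022")
    days = cert_validity_days(cert)
    if abs(days - EXPECTED_VALIDITY_DAYS) <= VALIDITY_TOLERANCE_DAYS:
        reasons.append(f"~100-year validity ({days:.0f} days)")
    return reasons


def triage(certs):
    """Return {label: reasons} only for certificates matching all three
    indicators; partial matches are left for the analyst to review separately."""
    return {
        label: reasons
        for label, cert in certs.items()
        if len(reasons := wrthug_cert_indicators(cert)) == 3
    }


# Constructed sample inventory (hypothetical labels and names, not real hosts).
SAMPLE_CERTS = {
    "router-a": {  # mimics the reported pattern: self-signed, Apr 2022, 100 years
        "subject": ((("commonName", "router.example"),),),
        "issuer": ((("commonName", "router.example"),),),
        "notBefore": "Apr 15 10:00:00 2022 GMT",
        "notAfter": "Apr 15 10:00:00 2122 GMT",
    },
    "web-b": {  # ordinary CA-issued 90-day certificate: no match
        "subject": ((("commonName", "www.example"),),),
        "issuer": ((("organizationName", "Example CA"),),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Mar 31 00:00:00 2024 GMT",
    },
    "appliance-c": {  # self-signed and April 2022, but only a 10-year lifetime
        "subject": ((("commonName", "appliance.example"),),),
        "issuer": ((("commonName", "appliance.example"),),),
        "notBefore": "Apr  1 00:00:00 2022 GMT",
        "notAfter": "Apr  1 00:00:00 2032 GMT",
    },
}

if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_CERTS).items():
        print(f"{label}: {', '.join(reasons)}")
```

Two practical caveats. `getpeercert()` returns an empty dict when a connection was made with verification disabled, so for live collection you would pull the DER form (`binary_form=True`) and decode it with a certificate parser, or work from a scanner export mapped into this shape. And a full match is a lead, not a verdict: the report ties the certificate to ASUS AiCloud in 99% of cases, so the natural next step is confirming the device model and firmware status rather than treating the certificate alone as proof of compromise.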
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Operation WrtHug is a botnet of 50,000+ hacked ASUS routers used to relay and hide espionage operations.
Hijacks ASUS home routers globally for espionage, primarily targeting End-of-Life devices and exploiting known vulnerabilities, with a focus on the AiCloud service.
Mass compromise of end-of-life ASUS WRT routers via ASUS AiCloud using multiple n-day vulnerabilities, deploying persistent SSH backdoors and forming a large network with ORB-like characteristics.