AyySSHush
AyySSHush, also referred to as ViciousTrap, is a botnet/threat activity targeting Internet-exposed edge devices, especially ASUS routers. GreyNoise named the ASUS-focused malware AyySSHush and assessed that it is very likely the same actor Sekoia tracks as ViciousTrap. The activity has also been described as likely being used to build a large operational relay box (ORB) network.

The campaign infected thousands of ASUS routers; reporting indicates a peak of about 12,000 Internet-exposed devices, with more than 8,500 still visible at the time of publication. It spread across unpatched and weakly protected ASUS routers, gaining initial access by brute-forcing router login pages or exploiting known authentication bypass vulnerabilities. The actor targeted CVE-2023-39780, a high-severity command injection flaw, and also abused a flaw in the BWDPI logging function to execute system commands. The malware undermined ASUS AiProtection and modified router settings to enable persistent SSH access, storing that configuration in NVRAM so the backdoor survived reboots and firmware upgrades.

Reporting also links ViciousTrap to compromises of other edge devices, including Linksys, D-Link, QNAP, Araknis Networks, and ASUS devices. One report states that exploitation of CVE-2023-39780 has been linked to a Chinese-origin botnet dubbed AyySSHush (aka ViciousTrap). Another report notes limited overlap between AyySSHush/ViciousTrap and the ASUS-router campaign dubbed Operation WrtHug, including seven IP addresses associated with both, but states there is no evidence of a direct relationship beyond shared exploitation of the same vulnerability. The available content does not conclusively attribute the actor to a specific state, but it explicitly describes AyySSHush/ViciousTrap as a Chinese-origin botnet.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Chinese-origin botnet activity associated (in this reporting) with exploitation of CVE-2023-39780; possible but unproven overlap with Operation WrtHug based on shared indicators and router targeting patterns.
Botnet campaign backdooring thousands of ASUS routers, persisting through reboots and firmware updates, and likely contributing infected devices to a larger ORB network.