Mass Compromise of Asus Routers in 'WrtHug' Espionage Campaign
Tens of thousands of Asus routers have been compromised in a large-scale cyberespionage campaign dubbed 'WrtHug,' with a significant concentration of affected devices located in Taiwan. Security researchers from SecurityScorecard identified that the attackers, suspected to be linked to Chinese state-sponsored groups, are leveraging these compromised routers as part of operational relay box (ORB) networks to obfuscate malicious activity and facilitate cyber operations. The campaign is characterized by the use of self-signed TLS certificates with expiration dates set for the year 2122, a notable deviation from the typical decade-long certificates generated by Asus routers, and is associated with the AiCloud file-sharing service.
Researchers estimate that approximately 50,000 unique internet addresses have been affected by the WrtHug campaign. While definitive attribution to Chinese actors has not been established, multiple indicators suggest the operation aligns with Beijing's broader strategy of exploiting unpatched routers and IoT devices for cyberespionage. The use of ORBs enables threat actors to mask their true origins and conduct a range of nefarious activities, highlighting the ongoing risk posed by vulnerable consumer networking equipment in global cyber operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Media report documents 'WrtHug' campaign targeting Asus routers
GovInfoSecurity and BankInfoSecurity reported on a campaign dubbed 'WrtHug' involving hacked Asus routers. The available references provide no further technical or chronological details beyond the existence of the campaign.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation WrtHug Compromises Tens of Thousands of ASUS WRT Routers
A large-scale cyberattack, dubbed Operation WrtHug, has compromised approximately 50,000 end-of-life ASUS WRT routers, primarily targeting devices in Taiwan, Southeast Asia, and to a lesser extent, the U.S. and Russia. SecurityScorecard's STRIKE team attributes the campaign to a likely China-linked threat actor, exploiting six known vulnerabilities (including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492) to hijack outdated routers and rope them into a botnet-like network. The attackers leverage the proprietary ASUS AiCloud service, using n-day vulnerabilities to gain high privileges and control over the devices, with all infected routers sharing a unique self-signed TLS certificate set to expire in 2122. Researchers note similarities between Operation WrtHug and previous campaigns such as AyySSHush, which also targeted ASUS routers using related vulnerabilities, but only a handful of devices have been compromised by both, suggesting either an evolving campaign or coordinated actors. The majority of affected routers are concentrated in Taiwan and Southeast Asia, with minimal impact observed in mainland China, Russia, or the United States. The campaign highlights the ongoing risk posed by unpatched, end-of-life network hardware and the increasing sophistication of state-linked cyber operations targeting consumer and small business infrastructure.
Mar 21, 2026
Operation WrtHug Backdoors Thousands of ASUS Routers for Espionage
Researchers reported a stealthy cyber-espionage campaign, dubbed **Operation WrtHug**, that compromised thousands of ASUS home and small-office routers and implanted persistent backdoors designed to survive routine remediation. The activity was described as state-sponsored and focused on covert access rather than disruptive attacks, with the malware hiding on edge devices that are rarely monitored but provide durable footholds inside victim networks. The campaign used router hijacking to maintain long-term control and blend into normal internet traffic, turning consumer networking gear into espionage infrastructure. Reporting from SecurityScorecard, Ars Technica, and IT Pro indicates the operation was global in scope and notable for its persistence, with attackers leveraging compromised routers as low-visibility access points that could support surveillance, traffic interception, and follow-on intrusions against connected environments.
May 25, 2026
Persistent SSH Backdoor Compromises Thousands of Asus Routers
GreyNoise reported that a stealthy campaign dubbed **AyySSHush** compromised more than 9,000 internet-exposed Asus routers by exploiting authentication weaknesses and `CVE-2023-39780`, then establishing persistence without deploying conventional malware. The attackers enabled SSH on TCP port `53282`, inserted their own public key for remote access, and stored the configuration in NVRAM so the backdoor survives reboots and standard firmware upgrades. Researchers said the operation was unusually quiet and targeted, with GreyNoise observing only a few dozen malicious HTTP POST requests over several months, while the attackers also disabled logging and Asus **AiProtection** to reduce the chance of detection. Asus released firmware updates to address the documented vulnerability and undocumented login bypasses, but devices already compromised require manual cleanup or a full factory reset because upgrading firmware alone does not remove the implanted SSH access. The incident echoes earlier large-scale router compromises such as **VPNFilter**, the sophisticated botnet that infected hundreds of thousands of routers and NAS devices, used modular malware, and raised fears of disruptive operations tied to Ukraine; together, the cases underscore how edge devices can be quietly converted into durable footholds for botnet activity and potential follow-on attacks.
May 25, 2026