Operation WrtHug Compromises Tens of Thousands of ASUS WRT Routers
A large-scale cyberattack, dubbed Operation WrtHug, has compromised approximately 50,000 end-of-life ASUS WRT routers, primarily targeting devices in Taiwan, Southeast Asia, and to a lesser extent, the U.S. and Russia. SecurityScorecard's STRIKE team attributes the campaign to a likely China-linked threat actor. The campaign exploits six known vulnerabilities (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492) to hijack outdated routers and rope them into a botnet-like network. The attackers abuse the proprietary ASUS AiCloud service, using n-day vulnerabilities to gain high privileges and control over the devices. All infected routers share a unique self-signed TLS certificate set to expire in 2122.
Researchers note similarities between Operation WrtHug and previous campaigns such as AyySSHush, which also targeted ASUS routers using related vulnerabilities, but only a handful of devices have been compromised by both, suggesting either an evolving campaign or coordinated actors. The majority of affected routers are concentrated in Taiwan and Southeast Asia, with minimal impact observed in mainland China, Russia, or the United States. The campaign highlights the ongoing risk posed by unpatched, end-of-life network hardware and the increasing sophistication of state-linked cyber operations targeting consumer and small business infrastructure.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Reporting links WrtHug to suspected China-aligned espionage activity
Subsequent coverage described the campaign as likely tied to a suspected China-state threat actor based on targeting patterns and overlap with prior Chinese router-compromise operations. The compromised routers were assessed as more likely to support covert espionage and relay activity than disruptive botnet operations.
ASUS urges mitigations and firmware upgrades for affected routers
Following disclosure of the campaign, ASUS said updates were available for the exploited issues and advised customers to upgrade firmware, replace unsupported devices, or disable remote access features. The guidance was aimed at reducing exposure on older routers that can no longer be fully protected.
SecurityScorecard discloses Operation WrtHug affecting about 50,000 ASUS routers
On publication of the research, SecurityScorecard's STRIKE team reported roughly 50,000 unique IPs tied to compromised ASUS routers worldwide, with the highest concentration in Taiwan and additional victims in the U.S., Russia, Central Europe, and parts of Asia. Researchers said the routers were likely being used as operational relay box infrastructure, while attribution remained unconfirmed.
Compromised routers identified by unusual 100-year AiCloud TLS certificate
SecurityScorecard researchers found that 99% of infected devices presented a distinctive self-signed AiCloud TLS certificate with a validity period of 100 years from April 2022. This indicator was used to enumerate the scope of the campaign across the internet.
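One way to apply the certificate indicator described above to a certificate collected from your own router, as an added example that is not SecurityScorecard's or ASUS's tooling: it reads the text printed by `openssl x509 -noout -subject -issuer -dates` and flags a self-issued certificate with an unusually long validity period. The 50-year threshold, the function names and both sample certificates are assumptions constructed for illustration.

```python
from datetime import datetime

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # format openssl prints for -dates
LONG_VALIDITY_YEARS = 50            # assumed threshold, not from the research
WANTED = ("subject", "issuer", "notBefore", "notAfter")

# Constructed samples (placeholder names; dates follow the page's description).
SAMPLE_LONG = """subject=CN = router.example
issuer=CN = router.example
notBefore=Apr  1 00:00:00 2022 GMT
notAfter=Apr  1 00:00:00 2122 GMT
"""
SAMPLE_NORMAL = """subject=CN = nas.example
issuer=CN = Example Issuing CA
notBefore=Jan 10 00:00:00 2024 GMT
notAfter=Jan  9 00:00:00 2025 GMT
"""


def parse_openssl_fields(text):
    """Extract subject, issuer and validity dates from openssl's text output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in WANTED:
            fields[key.strip()] = value.strip()
    missing = [k for k in WANTED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return fields


def assess_certificate(text):
    """Flag a self-issued certificate whose validity period is abnormally long."""
    f = parse_openssl_fields(text)
    not_before = datetime.strptime(f["notBefore"], DATE_FMT)
    not_after = datetime.strptime(f["notAfter"], DATE_FMT)
    years = (not_after - not_before).days / 365.25
    self_issued = f["subject"] == f["issuer"]  # name match; signature not checked
    return {
        "self_issued": self_issued,
        "validity_years": round(years, 1),
        "not_after_year": not_after.year,
        "suspicious": self_issued and years >= LONG_VALIDITY_YEARS,
    }


if __name__ == "__main__":
    for name, sample in (("long", SAMPLE_LONG), ("normal", SAMPLE_NORMAL)):
        print(name, assess_certificate(sample))
```

A hit is a reason to inspect the router further, not proof of compromise; the page reports the certificate on 99% of infected devices, so a clean result does not rule infection out either.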
Attackers begin exploiting ASUS router flaws in WrtHug campaign
Operation WrtHug used multiple known ASUS WRT vulnerabilities, including flaws disclosed in 2023, 2024, and 2025, to compromise mostly outdated or end-of-life routers and install persistent SSH backdoors. The campaign appears to have abused ASUS AiCloud functionality to gain high privileges and maintain access across reboots or firmware updates.
Sources
5 references tracked.
How to know if your Asus router is one of thousands hacked by China-state hackers
arstechnica.com
Tens of thousands more ASUS routers pwned by suspected, evolving China operation
go.theregister.com
WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide
thehackernews.com
New WrtHug campaign hijacks thousands of end-of-life ASUS routers
bleepingcomputer.com
Operation WrtHug hijacks 50,000+ ASUS routers to build a global botnet
securityaffairs.com


