Persistent SSH Backdoor Compromises Thousands of Asus Routers
GreyNoise reported that a stealthy campaign dubbed AyySSHush compromised more than 9,000 internet-exposed Asus routers by exploiting authentication weaknesses and CVE-2023-39780, then establishing persistence without deploying conventional malware. The attackers enabled SSH on TCP port 53282, inserted their own public key for remote access, and stored the configuration in NVRAM so the backdoor survives reboots and standard firmware upgrades. Researchers said the operation was unusually quiet and targeted, with GreyNoise observing only a few dozen malicious HTTP POST requests over several months, while the attackers also disabled logging and Asus AiProtection to reduce the chance of detection.
Asus released firmware updates to address the documented vulnerability and undocumented login bypasses, but devices already compromised require manual cleanup or a full factory reset because upgrading firmware alone does not remove the implanted SSH access. The incident echoes earlier large-scale router compromises such as VPNFilter, the sophisticated botnet that infected hundreds of thousands of routers and NAS devices, used modular malware, and raised fears of disruptive operations tied to Ukraine; together, the cases underscore how edge devices can be quietly converted into durable footholds for botnet activity and potential follow-on attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Asus releases fixes, warns infected routers need manual remediation
Asus released firmware updates to address CVE-2023-39780 and undocumented login bypasses used in the campaign. However, previously compromised routers require manual cleanup or a full factory reset because normal firmware upgrades do not remove the persistent SSH backdoor.
More than 9,000 internet-exposed Asus routers found compromised
Censys data cited by GreyNoise indicated that over 9,000 internet-exposed Asus routers had been compromised in the campaign. The findings showed the operation had achieved broad reach despite its stealthy and low-volume activity.
GreyNoise discovers stealthy AyySSHush campaign targeting Asus routers
GreyNoise said it discovered a low-noise botnet campaign in March 2025 that targeted Asus routers by abusing authentication weaknesses and CVE-2023-39780. The operation used only a small number of malicious HTTP POST requests over several months, indicating a highly selective intrusion pattern.
Attackers establish persistent SSH backdoor on compromised Asus routers
The AyySSHush operators enabled SSH on TCP port 53282, installed their own public key, and stored the configuration in NVRAM so access would survive reboots and firmware upgrades. The campaign also disabled logging and Asus AiProtection to reduce visibility on infected devices.
FBI urges router owners to reboot amid Russia-linked malware threat
US authorities publicly urged consumers to reboot vulnerable routers to disrupt VPNFilter infections and help identify compromised devices. Reporting tied the malware to Russian-linked actors based on code overlap with BlackEnergy and prior DHS assessments, though formal attribution remained limited.
Researchers warn VPNFilter may be preparing attacks on Ukraine
Cisco assessed that recent VPNFilter activity was concentrated on Ukrainian devices and may have been intended to support disruptive cyber operations in Ukraine. Researchers noted a dedicated command-and-control server for Ukrainian victims and raised concern around upcoming high-profile dates in Kyiv.
VPNFilter botnet infects over 500,000 routers and NAS devices
Cisco researchers reported that more than 500,000 routers and QNAP NAS devices in 54 countries had been compromised by the newly identified VPNFilter malware. The malware used a multi-stage modular design with persistence, traffic sniffing, SCADA monitoring, Tor-based command-and-control, and a destructive device-wiping capability.
Sources
7 references tracked. Mallory keeps watching after this page renders.
9,000 Asus routers compromised by botnet attack and persistent SSH backdoor that even firmware updates can't fix | Tom's Hardware
tomshardware.com
Open sourceThousands of ASUS routers compromised in sophisticated hacking campaign | Cybersecurity Dive
cybersecuritydive.com
Open sourceReboot your router to avoid Russian malware: What you need to know | PCWorld
pcworld.com
Open sourceF.B.I.’s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware - The New York Times
nytimes.com
Open sourceHackers infect 500,000 consumer routers all over the world with malware - Ars Technica
arstechnica.com
Open sourceNation-State Group Hacked 500,000 Routers to Prepare a Cyber-Attack on Ukraine
bleepingcomputer.com
Open sourceDefending Against the New VPNFilter Botnet
fortinet.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation WrtHug Backdoors Thousands of ASUS Routers for Espionage
Researchers reported a stealthy cyber-espionage campaign, dubbed **Operation WrtHug**, that compromised thousands of ASUS home and small-office routers and implanted persistent backdoors designed to survive routine remediation. The activity was described as state-sponsored and focused on covert access rather than disruptive attacks, with the malware hiding on edge devices that are rarely monitored but provide durable footholds inside victim networks. The campaign used router hijacking to maintain long-term control and blend into normal internet traffic, turning consumer networking gear into espionage infrastructure. Reporting from SecurityScorecard, Ars Technica, and IT Pro indicates the operation was global in scope and notable for its persistence, with attackers leveraging compromised routers as low-visibility access points that could support surveillance, traffic interception, and follow-on intrusions against connected environments.
May 25, 2026
Mass Compromise of Asus Routers in 'WrtHug' Espionage Campaign
Tens of thousands of Asus routers have been compromised in a large-scale cyberespionage campaign dubbed 'WrtHug,' with a significant concentration of affected devices located in Taiwan. Security researchers from SecurityScorecard identified that the attackers, suspected to be linked to Chinese state-sponsored groups, are leveraging these compromised routers as part of operational relay box (ORB) networks to obfuscate malicious activity and facilitate cyber operations. The campaign is characterized by the use of self-signed TLS certificates with expiration dates set for the year 2122, a notable deviation from the typical decade-long certificates generated by Asus routers, and is associated with the AiCloud file-sharing service. Researchers estimate that approximately 50,000 unique internet addresses have been affected by the WrtHug campaign. While definitive attribution to Chinese actors has not been established, multiple indicators suggest the operation aligns with Beijing's broader strategy of exploiting unpatched routers and IoT devices for cyberespionage. The use of ORBs enables threat actors to mask their true origins and conduct a range of nefarious activities, highlighting the ongoing risk posed by vulnerable consumer networking equipment in global cyber operations.
Mar 21, 2026
Operation WrtHug Compromises Tens of Thousands of ASUS WRT Routers
A large-scale cyberattack, dubbed Operation WrtHug, has compromised approximately 50,000 end-of-life ASUS WRT routers, primarily targeting devices in Taiwan, Southeast Asia, and to a lesser extent, the U.S. and Russia. SecurityScorecard's STRIKE team attributes the campaign to a likely China-linked threat actor, exploiting six known vulnerabilities (including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492) to hijack outdated routers and rope them into a botnet-like network. The attackers leverage the proprietary ASUS AiCloud service, using n-day vulnerabilities to gain high privileges and control over the devices, with all infected routers sharing a unique self-signed TLS certificate set to expire in 2122. Researchers note similarities between Operation WrtHug and previous campaigns such as AyySSHush, which also targeted ASUS routers using related vulnerabilities, but only a handful of devices have been compromised by both, suggesting either an evolving campaign or coordinated actors. The majority of affected routers are concentrated in Taiwan and Southeast Asia, with minimal impact observed in mainland China, Russia, or the United States. The campaign highlights the ongoing risk posed by unpatched, end-of-life network hardware and the increasing sophistication of state-linked cyber operations targeting consumer and small business infrastructure.
Mar 21, 2026