Operation WrtHug Backdoors Thousands of ASUS Routers for Espionage
Researchers reported a stealthy cyber-espionage campaign, dubbed Operation WrtHug, that compromised thousands of ASUS home and small-office routers and implanted persistent backdoors designed to survive routine remediation. The activity was described as state-sponsored and focused on covert access rather than disruptive attacks, with the malware hiding on edge devices that are rarely monitored but provide durable footholds inside victim networks.
The campaign used router hijacking to maintain long-term control and blend into normal internet traffic, turning consumer networking gear into espionage infrastructure. Reporting from SecurityScorecard, Ars Technica, and IT Pro indicates the operation was global in scope and notable for its persistence, with attackers leveraging compromised routers as low-visibility access points that could support surveillance, traffic interception, and follow-on intrusions against connected environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Britons warned about Russian hackers targeting routers for espionage
UK residents were publicly warned that Russian hackers were targeting internet routers to support cyber-espionage activity. The warning marked a government or public-facing response that broadened the story from technical discovery of ASUS compromises to national security guidance for potential victims.
IT Pro reports campaign as state-sponsored hijacking of ASUS routers
A later report characterized the ASUS router intrusions as a state-sponsored cyber-espionage campaign affecting thousands of devices. It reiterated the scale and espionage nature of the operation rather than introducing a separate incident.
SecurityScorecard publicly details Operation WrtHug
SecurityScorecard published research on Operation WrtHug, describing it as a global cyber-espionage campaign targeting edge devices and home/office routers for long-term persistence and covert access. The report tied the activity to a state-sponsored threat and expanded public understanding of the campaign's scope and tradecraft.
Thousands of ASUS routers are found backdoored in espionage campaign
Researchers reported that roughly 9,000 ASUS routers had been compromised in a stealthy campaign later tracked as Operation WrtHug. The attackers used living-off-the-land techniques, disabled logging, and stored their backdoor in non-volatile settings so it would survive firmware updates and reboots.
Attackers begin compromising ASUS routers via authentication bypass
Threat actors started exploiting a command-injection flaw and an authentication bypass to gain administrative access to internet-exposed ASUS routers, then enabled SSH on a custom port and installed persistent access. SecurityScorecard said the campaign had been active since at least March 2025.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router - SecurityScorecard
securityscorecard.com
Open sourceBritons warned about Russian hackers targeting internet routers for espionage | Cybercrime | The Guardian
theguardian.com
Open sourceThousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaign | IT Pro
itpro.com
Open sourceThousands of Asus routers are being hit with stealthy, persistent backdoors - Ars Technica
arstechnica.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mass Compromise of Asus Routers in 'WrtHug' Espionage Campaign
Tens of thousands of Asus routers have been compromised in a large-scale cyberespionage campaign dubbed 'WrtHug,' with a significant concentration of affected devices located in Taiwan. Security researchers from SecurityScorecard identified that the attackers, suspected to be linked to Chinese state-sponsored groups, are leveraging these compromised routers as part of operational relay box (ORB) networks to obfuscate malicious activity and facilitate cyber operations. The campaign is characterized by the use of self-signed TLS certificates with expiration dates set for the year 2122, a notable deviation from the typical decade-long certificates generated by Asus routers, and is associated with the AiCloud file-sharing service. Researchers estimate that approximately 50,000 unique internet addresses have been affected by the WrtHug campaign. While definitive attribution to Chinese actors has not been established, multiple indicators suggest the operation aligns with Beijing's broader strategy of exploiting unpatched routers and IoT devices for cyberespionage. The use of ORBs enables threat actors to mask their true origins and conduct a range of nefarious activities, highlighting the ongoing risk posed by vulnerable consumer networking equipment in global cyber operations.
Mar 21, 2026
Operation WrtHug Compromises Tens of Thousands of ASUS WRT Routers
A large-scale cyberattack, dubbed Operation WrtHug, has compromised approximately 50,000 end-of-life ASUS WRT routers, primarily targeting devices in Taiwan, Southeast Asia, and to a lesser extent, the U.S. and Russia. SecurityScorecard's STRIKE team attributes the campaign to a likely China-linked threat actor, exploiting six known vulnerabilities (including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492) to hijack outdated routers and rope them into a botnet-like network. The attackers leverage the proprietary ASUS AiCloud service, using n-day vulnerabilities to gain high privileges and control over the devices, with all infected routers sharing a unique self-signed TLS certificate set to expire in 2122. Researchers note similarities between Operation WrtHug and previous campaigns such as AyySSHush, which also targeted ASUS routers using related vulnerabilities, but only a handful of devices have been compromised by both, suggesting either an evolving campaign or coordinated actors. The majority of affected routers are concentrated in Taiwan and Southeast Asia, with minimal impact observed in mainland China, Russia, or the United States. The campaign highlights the ongoing risk posed by unpatched, end-of-life network hardware and the increasing sophistication of state-linked cyber operations targeting consumer and small business infrastructure.
Mar 21, 2026
Persistent SSH Backdoor Compromises Thousands of Asus Routers
GreyNoise reported that a stealthy campaign dubbed **AyySSHush** compromised more than 9,000 internet-exposed Asus routers by exploiting authentication weaknesses and `CVE-2023-39780`, then establishing persistence without deploying conventional malware. The attackers enabled SSH on TCP port `53282`, inserted their own public key for remote access, and stored the configuration in NVRAM so the backdoor survives reboots and standard firmware upgrades. Researchers said the operation was unusually quiet and targeted, with GreyNoise observing only a few dozen malicious HTTP POST requests over several months, while the attackers also disabled logging and Asus **AiProtection** to reduce the chance of detection. Asus released firmware updates to address the documented vulnerability and undocumented login bypasses, but devices already compromised require manual cleanup or a full factory reset because upgrading firmware alone does not remove the implanted SSH access. The incident echoes earlier large-scale router compromises such as **VPNFilter**, the sophisticated botnet that infected hundreds of thousands of routers and NAS devices, used modular malware, and raised fears of disruptive operations tied to Ukraine; together, the cases underscore how edge devices can be quietly converted into durable footholds for botnet activity and potential follow-on attacks.
May 25, 2026