WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide

Nov 19, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

A recently uncovered cyber campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers globally, with a focus on Taiwan, the U.S., and Russia, to enlist them in a large network of compromised devices.

The malicious activity targeting routers has been given the name Operation WrtHug by SecurityScorecard’s STRIKE team. Other regions affected by the infections include Southeast Asia and European countries.

The attacks are believed to exploit six known security vulnerabilities in end-of-life ASUS WRT routers to gain control over vulnerable devices. Interestingly, all infected routers share a self-signed TLS certificate set to expire 100 years from April 2022.
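As an added defender-side check, not code from the report or the article: the Go program below parses a DER certificate and flags the combination the report describes, a self-signed certificate with a validity window of about a century, and builds a constructed test certificate with the April 2022 start and 100-year lifetime stated above. The ten-year threshold, the function names and the placeholder subject name are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Finding records the traits the report says all infected routers share.
type Finding struct {
	SelfSigned bool
	Lifetime   time.Duration
	Suspicious bool
}

// MaxSaneLifetime is an assumed threshold: ten years already exceeds any public CA policy.
const MaxSaneLifetime = 10 * 365 * 24 * time.Hour

// InspectCert parses a DER certificate and flags a self-signed, implausibly long-lived one.
// Self-signed here means issuer equals subject and the signature verifies under its own key.
func InspectCert(der []byte) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	self := bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	life := cert.NotAfter.Sub(cert.NotBefore)
	return Finding{SelfSigned: self, Lifetime: life, Suspicious: self && life > MaxSaneLifetime}, nil
}

// MakeSelfSigned builds a constructed test certificate (not a real router certificate).
func MakeSelfSigned(notBefore time.Time, years int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "router.invalid"}, // placeholder subject
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

In practice the DER bytes would come from a TLS handshake against a device under your own administration; a one-year self-signed certificate passes the check, a century-long one does not.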

SecurityScorecard revealed that 99% of the affected services utilize ASUS AiCloud, a service that facilitates internet access to local storage.

"The campaign leverages the AiCloud service with undisclosed vulnerabilities to escalate privileges on end-of-life ASUS WRT routers," SecurityScorecard said in a report shared with The Hacker News. The operation shares similarities with other China-linked Operational Relay Box (ORB) campaigns and botnet networks.

The attacks are likely exploiting vulnerabilities identified as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 for propagation. Additionally, the exploitation of CVE-2023-39780 has been linked to another Chinese-origin botnet called AyySSHush (aka ViciousTrap). Recent ORB campaigns targeting routers include LapDogs and PolarEdge.

Of the infected devices, seven IP addresses have shown signs of compromise related to both WrtHug and AyySSHush, hinting at a potential connection between the two clusters. However, beyond the shared vulnerability, there is no concrete evidence to support this theory.

The list of router models targeted in the attacks includes:

  • ASUS Wireless Router 4G-AC55U
  • ASUS Wireless Router 4G-AC860U
  • ASUS Wireless Router DSL-AC68U
  • ASUS Wireless Router GT-AC5300
  • ASUS Wireless Router GT-AX11000
  • ASUS Wireless Router RT-AC1200HP
  • ASUS Wireless Router RT-AC1300GPLUS
  • ASUS Wireless Router RT-AC1300UHP

The identity of the actors behind the operation remains unknown, but the substantial focus on Taiwan and similarities with previous ORB tactics by Chinese hacking groups suggest a potential China-affiliated origin.

According to SecurityScorecard, this research underscores the emerging trend of malicious actors targeting routers and network devices on a large scale. These operations are often associated with China-nexus actors, who execute their campaigns methodically to expand their global influence.

"Threat actors have been able to establish persistent backdoors via SSH by exploiting command injections and authentication bypasses, leveraging legitimate router functionalities to ensure their presence remains even after reboots or firmware updates," SecurityScorecard emphasized.