Around 50,000 ASUS routers have been compromised in a sophisticated attack that researchers believe may be linked to China, according to findings released today by SecurityScorecard’s STRIKE team.
Dubbed “Operation WrtHug”, the campaign exclusively targets end-of-life ASUS WRT routers, exploiting multiple known vulnerabilities – some dating back to 2023. The affected routers are primarily concentrated in Taiwan and Southeast Asia, with minimal impact on mainland China, Russia, or the United States.
Attackers are exploiting six security flaws, including:
- Four high-severity command injection bugs from 2023 (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348) – all rated 8.8
- CVE-2024-12912 (7.2)
- CVE-2025-2492 (9.2)
The 2023 vulnerabilities are linked to CVE-2023-39780, another command injection flaw that was added to CISA’s Known Exploited Vulnerabilities catalog in February, and previously used in the AyySSHush operational relay box (ORB) campaign that compromised more than 8,000 ASUS routers in May, uncovered by GreyNoise.
GreyNoise’s VP of data science, Bob Rudis, said at the time that the attack had all the hallmarks of “an advanced, well-resourced adversary,” and suggested that “one of the Typhoons” – Chinese state-sponsored cyber espionage crews – may be behind it.
STRIKE researchers found only seven devices compromised by both campaigns, despite attackers using identical exploits and targeting the same end-of-life devices.
“This leads us to speculate that WrtHug and AyySSHush may be a single, evolving campaign or two separate campaigns from the same actor,” the team’s report stated. “It could also be two campaigns from coordinated actors.
“For the time being, we lack substantial evidence beyond the shared vulnerability to support these speculations. We will continue to track Operation WrtHug as a separate campaign until such evidence arises.”
Most of the confirmed compromises are in Taiwan and Southeast Asia, reinforcing the notion that China is behind the attacks. None are in mainland China, outside of Hong Kong, STRIKE says, and central Europe, Russia, and the US were affected only to a lesser extent.
“Due to this noticeable alignment with previous TTPs in ORB campaigns from Chinese advanced persistent threat (APT) actors, as well as the geographical focus of the campaign, we assess with low-to-moderate confidence that Operation WrtHug is an ORB facilitation campaign from an unknown China-affiliated actor,” the report states.
ORBs differ from botnets in that they focus on enabling stealthier espionage activity, concealing network traffic to support tasks such as data theft. Botnets are often associated with larger and louder attacks, like DDoS.
The clearest infection indicator is an unusual self-signed TLS certificate on the device’s AiCloud service. Compromised routers share an identical certificate with a 100-year expiration date from April 2022.
“This is an extremely high and uncommon shelf life for a single TLS certificate,” STRIKE’s report notes.
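A defender-side check for this indicator, added here as an example and not part of STRIKE's report or any tooling it describes: it fetches the AiCloud certificate, decodes only the validity field from the DER with a minimal ASN.1 walker, and flags a lifetime no legitimate certificate would carry. The port (8443), the 20-year threshold, and the constructed sample certificate skeleton are assumptions.

```python
import ssl
from datetime import datetime, timezone

# ASSUMPTION: no legitimate cert lives this long; the WrtHug cert is valid ~100 years.
MAX_SANE_LIFETIME_DAYS = 20 * 365

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):                                      # elements of a SEQUENCE body
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _time(tag, val):                                     # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of an X.509 DER certificate."""
    _, cert, _ = _tlv(der, 0)                            # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                            # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    (t1, v1), (t2, v2) = _children(fields[3][1])         # serial, sigAlg, issuer, validity
    return _time(t1, v1), _time(t2, v2)

def lifetime_days(der):
    not_before, not_after = cert_validity(der)
    return (not_after - not_before).days

def check_host(host, port=8443):                         # ASSUMPTION: AiCloud HTTPS on 8443
    pem = ssl.get_server_certificate((host, port), timeout=5)
    return lifetime_days(ssl.PEM_cert_to_DER_cert(pem)) > MAX_SANE_LIFETIME_DAYS

def _der(tag, body):                                     # short-form lengths only
    return bytes([tag, len(body)]) + body
# Constructed sample: DER skeleton with only the fields the parser walks (Apr 2022, 100 years).
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serialNumber
    + _der(0x30, b"") + _der(0x30, b"")                     # signature, issuer (placeholders)
    + _der(0x30, _der(0x17, b"220401000000Z")               # notBefore 2022-04-01
                 + _der(0x18, b"21220401000000Z"))))        # notAfter  2122-04-01
```

`check_host("192.0.2.1")` returns True for a device presenting a certificate like the one described; a mass sweep of an inventory is a loop over that call.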
The report contains a deeper list of indicators of compromise for those hunting threats; however, the best mitigation advice is simply to patch the vulnerabilities, or to upgrade to a router that still receives security updates. ®