Operation WrtHug: 50,000+ Outdated ASUS Routers Hacked for Covert Botnet

A widespread infection of outdated ASUS routers has become the focal point of a new covert campaign that quietly unfolded over the past six months, compromising tens of thousands of devices across the globe. The attackers targeted routers long abandoned by the manufacturer, turning these neglected network appliances into an ideal foundation for building a distributed infrastructure of forgotten hardware.

The STRIKE team at SecurityScorecard has designated this activity as Operation WrtHug. The highest concentration of compromised devices was observed in Taiwan, the United States, and Russia, though evidence of the campaign has surfaced throughout East Asia and Europe as well. According to researchers, more than 50,000 unique IP addresses have been identified, all tied to infected routers linked together into a single network.

Analysis revealed that the devices share the same self-signed TLS certificate with an unusual validity period of one hundred years, beginning in April 2022. Nearly all services presenting this certificate belonged to ASUS’s AiCloud feature, which enables remote access to local storage components.
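The certificate attribute is the most concrete indicator the report gives: a self-signed TLS certificate valid for a hundred years is not something a vendor or a public CA issues, so a defender can check a router's management services for it without knowing the campaign's fingerprint. The Go program below is an added example, not SecurityScorecard's tooling or ASUS firmware code. It builds a constructed self-signed certificate (common name `sample-router.invalid`, start date April 2022 as in the report) to exercise the check offline, and it assumes a ten-year cutoff (`maxSaneValidity`) as the boundary between a plausible leaf certificate and an anomalous one; the sample certificate only mimics the validity-period attribute and is not the campaign's certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Assumed threshold: no legitimate leaf certificate should be valid for
// more than a decade; the WrtHug certificate is reported as valid for a
// hundred years, far beyond this.
const maxSaneValidity = 10 * 365 * 24 * time.Hour

// Finding records what AssessCert observed about a certificate.
type Finding struct {
	Subject       string
	SelfSigned    bool
	ValidityYears float64
	NotBefore     time.Time
	Suspicious    bool
}

// AssessCert flags a certificate that is both self-signed (issuer equals
// subject and the signature verifies under the certificate's own key)
// and carries an implausibly long validity window.
func AssessCert(cert *x509.Certificate) Finding {
	f := Finding{
		Subject:   cert.Subject.String(),
		NotBefore: cert.NotBefore,
	}
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
		f.SelfSigned = err == nil
	}
	validity := cert.NotAfter.Sub(cert.NotBefore)
	f.ValidityYears = validity.Hours() / (24 * 365)
	f.Suspicious = f.SelfSigned && validity > maxSaneValidity
	return f
}

// CheckEndpoint connects to host:port, takes the leaf certificate the
// service presents and assesses it. Verification is skipped only because
// the certificate under inspection is expected to be self-signed; nothing
// is sent over the connection beyond the TLS handshake.
func CheckEndpoint(addr string) (Finding, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return Finding{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return Finding{}, errors.New("no certificate presented")
	}
	return AssessCert(certs[0]), nil
}

// MakeSampleCert builds a constructed self-signed certificate so the check
// can be exercised offline. It mimics only the validity-period attribute
// described in the report; it is not the campaign's certificate.
func MakeSampleCert(notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sample-router.invalid"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2022, time.April, 1, 0, 0, 0, 0, time.UTC)
	// A one-year and a hundred-year self-signed sample: only the latter is flagged.
	for _, years := range []int{1, 100} {
		cert, err := MakeSampleCert(start, time.Duration(years)*365*24*time.Hour)
		if err != nil {
			fmt.Println("sample:", err)
			return
		}
		fmt.Printf("%+v\n", AssessCert(cert))
	}
	// Optional: pass host:port of a router you administer to assess the
	// certificate its remote-access service actually presents.
	if len(os.Args) > 1 {
		f, err := CheckEndpoint(os.Args[1])
		if err != nil {
			fmt.Println("endpoint:", err)
			return
		}
		fmt.Printf("%s -> %+v\n", os.Args[1], f)
	}
}
```

Run it with no arguments to see both samples assessed, or with `host:port` to inspect a device on your own network. A self-signed certificate alone is normal for a home router's management interface, which is why the check requires both conditions; a hit on the validity rule on an end-of-life ASUS model is the point at which to take the device offline and compare its firmware and SSH configuration against a known-good state.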

The intrusions were carried out by exploiting six vulnerabilities in the ASUS WRT product line — devices that have not received security updates for years. These flaws allowed attackers to obtain privileged access and establish persistence, paving the way for remote control of the equipment. Researchers note that the tactics closely resemble those seen in ORB-style botnets previously associated with groups operating out of China.

Although the current operation does not perfectly mirror the classic ORB playbook, the shared indicators suggest a similar architectural logic and comparable objectives. One detail of particular interest is that one of the exploited flaws, CVE-2023-39780, had earlier been abused by another China-linked botnet known as AyySSHush (also referred to as ViciousTrap).

Additional overlap was found at the node level: seven IP addresses showed evidence of compromise by both WrtHug and AyySSHush. While there is no definitive proof tying the campaigns together, the matching intrusion vectors leave open the possibility of a shared origin or the exchange of tooling within a common ecosystem. The picture is further reinforced by other ORB-aligned operations — such as LapDogs and PolarEdge — which have also been active against routers in recent months.

Several models were affected, including the 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP. All belong to product lines that no longer receive technical support, leaving them acutely vulnerable as new exploitation methods emerge.

The origin of the attacks has not yet been determined. However, the sustained focus on Taiwan, combined with methodological similarities to earlier operations linked to Chinese threat actors, suggests the likely involvement of an unidentified entity acting in the interests of a group from that region. The report’s authors emphasize that mass infections of network hardware are becoming an increasingly prominent trend, and the adversaries operating in this sphere are strategic, deliberate, and intent on expanding their reach beyond local networks.

The intrusion process relies on a deliberate sequence of command manipulation and circumvention of authentication checks. This enables the deployment of persistent SSH-based backdoors that survive device reboots and even firmware updates. As a result, every vulnerable access point becomes a durable foothold — a long-term anchor for the construction of a distributed platform supporting future malicious operations.
