A new cyber campaign, dubbed Operation WrtHug, has compromised tens of thousands of ASUS routers globally, primarily impacting devices in Taiwan, the U.S., and Russia. This widespread hijacking aims to co-opt vulnerable router hardware into a massive botnet network. SecurityScorecard’s STRIKE team identified the campaign, noting infections also occurring in Southeast Asia and European countries.
The attacks are believed to exploit six known security vulnerabilities affecting end-of-life ASUS WRT routers. Compounding the risk, all compromised devices share a distinctive, self-signed TLS certificate that appears to have an expiration date set for 100 years from April 2022. SecurityScorecard’s analysis indicates that 99% of services presenting this certificate are associated with ASUS AiCloud, a proprietary service that offers remote access to local storage.
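As an added defender-side example (not code from the SecurityScorecard report), the following check flags a self-signed certificate whose validity window is implausibly long, working on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the 50-year threshold and the sample certificate's name and dates are assumptions.

```python
import ssl

# Legitimate leaf certificates are short-lived; the WrtHug certificate is
# reported to expire roughly 100 years after April 2022. The threshold
# below is an assumption for this example, not a value from the report.
MAX_PLAUSIBLE_YEARS = 50
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _dn_to_dict(rdns):
    """Flatten the nested RDN tuples from getpeercert() into a flat dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def assess_cert(cert, max_years=MAX_PLAUSIBLE_YEARS):
    """Return findings for one certificate in getpeercert() dict form."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    validity_years = (not_after - not_before) / SECONDS_PER_YEAR
    # A self-signed certificate has identical issuer and subject names.
    self_signed = _dn_to_dict(cert["issuer"]) == _dn_to_dict(cert["subject"])
    return {
        "validity_years": round(validity_years, 1),
        "self_signed": self_signed,
        "suspicious": self_signed and validity_years > max_years,
    }


# Constructed sample in the shape returned by SSLSocket.getpeercert();
# the common name and the exact dates are invented for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "router.example"),),),
    "notBefore": "Apr 20 00:00:00 2022 GMT",
    "notAfter": "Apr 20 00:00:00 2122 GMT",
}

if __name__ == "__main__":
    print(assess_cert(SAMPLE_CERT))
```

Note that `getpeercert()` only returns a populated dict when the TLS handshake verified the peer, so an operator inventorying routers would typically export the certificate with another tool and map its fields into this shape.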
Operation WrtHug: Exploiting End-of-Life ASUS Router Vulnerabilities
Operation WrtHug leverages vulnerabilities within the ASUS AiCloud service to gain elevated privileges on outdated ASUS WRT routers. According to SecurityScorecard, while not identical, the campaign shares characteristics with other Operational Relay Box (ORB) and botnet networks often linked to China-Nexus actors. This tactic highlights a growing trend of threat actors targeting network devices for large-scale compromise.
The methods employed for proliferation likely involve exploiting vulnerabilities cataloged as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492. Notably, CVE-2023-39780 has also been implicated in the activities of another Chinese-origin botnet known as AyySSHush, also referred to as ViciousTrap. This latest campaign follows similar router-targeting ORBs like LapDogs and PolarEdge observed in recent months.
Evidence suggests potential overlap between WrtHug and AyySSHush, with seven IP addresses exhibiting signs of compromise linked to both operations. However, beyond the exploitation of the same vulnerabilities, there is no concrete evidence confirming a connection between these two clusters or attributing the Operation WrtHug campaign to a specific actor. The extensive targeting of Taiwan, coupled with tactical similarities to previous campaigns from Chinese threat groups, points towards a potential affiliation with Chinese-nexus actors.
Targeted ASUS Router Models
The ASUS router models identified as targets in the Operation WrtHug campaign include:
- ASUS Wireless Router 4G-AC55U
- ASUS Wireless Router 4G-AC860U
- ASUS Wireless Router DSL-AC68U
- ASUS Wireless Router GT-AC5300
- ASUS Wireless Router GT-AX11000
- ASUS Wireless Router RT-AC1200HP
- ASUS Wireless Router RT-AC1300GPLUS
- ASUS Wireless Router RT-AC1300UHP
The investigation into the full scope and attribution of Operation WrtHug is ongoing. By chaining command injection and authentication bypass flaws, the threat actors establish persistent backdoors via SSH, and they abuse legitimate router features so that these backdoors survive reboots and firmware updates. This approach underscores the persistent threat posed by compromised router infrastructure.
The findings emphasize the critical need for users to maintain updated firmware on their network devices and to replace end-of-life (EoL) hardware. The longevity of the self-signed certificate used in the campaign suggests a deliberate effort to maintain long-term access. SecurityScorecard indicates that these types of mass infection operations by China-Nexus actors are carefully planned to expand their global reach. Future investigations will likely focus on identifying the specific command-and-control infrastructure and further understanding the ultimate goals of the Operation WrtHug campaign, including any potential links to specific victimology beyond the compromised devices themselves.