A sophisticated botnet campaign dubbed “AyySSHush” has compromised over 9,000 ASUS routers worldwide, establishing persistent backdoor access that survives firmware updates and reboots.
The stealthy operation, first detected in March 2025, demonstrates advanced nation-state-level tradecraft by exploiting authentication vulnerabilities and legitimate router features to maintain long-term control without deploying conventional malware.
Attack Chain Exploiting ASUS Routers
The attackers employ a multi-stage exploitation technique that begins with brute-force login attempts against ASUS router interfaces, followed by leveraging two previously undisclosed authentication bypass vulnerabilities.
Once privileged access is obtained, the threat actors exploit CVE-2023-39780, an authenticated command injection flaw in ASUS router firmware, to execute arbitrary system commands.
The critical payload abuses the oauth_google_refresh_token parameter via a POST request to /start_apply.htm, injecting the command touch /tmp/BWSQL_LOG to enable Bandwidth SQL logging features.
This manipulation creates an attack vector through vulnerable functions in the router’s bwsdpi_sqlite binary that pass user-controlled data directly to system() calls.
The attackers then enable SSH access on the non-standard TCP port 53282 and inject their public SSH key (truncated):
This configuration change persists across firmware upgrades because it uses legitimate ASUS settings stored in non-volatile memory (NVRAM).
GreyNoise’s discovery was made possible through their AI-powered threat hunting tool called “Sift,” which flagged just three anomalous HTTP POST requests among tens of millions of daily internet traffic patterns.
The campaign’s stealth is remarkable: only 30 malicious requests were detected over three months despite compromising thousands of devices.
Sift identified the suspicious activity using advanced machine learning techniques, including custom-built Large Language Models (LLMs), nearest neighbor search, and unsupervised clustering, to detect payloads targeting ASUS RT-AC3100 and RT-AC3200 routers with factory configurations.
Four IP addresses have been identified as indicators of compromise:
101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237
Immediate Action Required
The campaign represents a significant security threat because the backdoor access cannot be removed through standard firmware updates.
ASUS has released patches addressing CVE-2023-39780, but devices compromised prior to patching retain the malicious SSH configuration. The attackers deliberately disable logging and Trend Micro AiProtection features to avoid detection.
Security experts recommend immediately checking ASUS routers for unauthorized SSH services on TCP port 53282 and reviewing authorized_keys files for the attacker’s public key.
Organizations should block the identified malicious IP addresses and perform factory resets on suspected compromised devices, followed by full reconfiguration with strong authentication credentials.
The sophistication and persistence of this campaign suggest potential links to advanced persistent threat (APT) groups using operational relay box (ORB) networks for long-term strategic objectives.
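The following is an added detection example, not code from GreyNoise or ASUS, covering both the injection step described above (a POST to /start_apply.htm whose oauth_google_refresh_token carries a shell payload) and the recommended check for the persistent SSH backdoor. The NVRAM variable names sshd_enable, sshd_port and sshd_authkeys, the ">" separator between stored keys, and all sample data are assumptions constructed for the example.

```python
"""Defender-side checks for the AyySSHush ASUS router campaign (added example)."""
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Indicators taken from the write-up above.
INJECTION_PATH = "/start_apply.htm"
INJECTION_PARAM = "oauth_google_refresh_token"
BACKDOOR_SSH_PORT = "53282"
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
# Shell metacharacters that never belong inside a genuine OAuth refresh token.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")


def _form_fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (split on '&' only)."""
    fields: dict = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields


def check_post(src_ip: str, path: str, body: str) -> list:
    """Return reasons a captured POST to the router resembles the injection step."""
    reasons = []
    if src_ip in IOC_IPS:
        reasons.append(f"source {src_ip} is a published IoC")
    if path.split("?", 1)[0] == INJECTION_PATH:
        for value in _form_fields(body).get(INJECTION_PARAM, []):
            if SHELL_META.search(value) or "BWSQL_LOG" in value:
                reasons.append(f"{INJECTION_PARAM} carries shell payload: {value!r}")
    return reasons


def check_nvram(nvram: dict, known_keys: set) -> list:
    """Return reasons an NVRAM dump shows the persistent SSH backdoor.

    Variable names and the '>' key separator are assumed ASUSWRT conventions;
    known_keys holds the operator's own authorized public keys.
    """
    reasons = []
    if nvram.get("sshd_enable", "0") != "0" and nvram.get("sshd_port") == BACKDOOR_SSH_PORT:
        reasons.append(f"SSH enabled on backdoor port {BACKDOOR_SSH_PORT}")
    for key in filter(None, nvram.get("sshd_authkeys", "").split(">")):
        if key.strip() not in known_keys:
            reasons.append(f"unknown authorized key: {key[:32]}...")
    return reasons


# Constructed sample request and NVRAM dump (not real captures).
SAMPLE_POST = ("101.99.91.151", "/start_apply.htm",
               "action_mode=apply&oauth_google_refresh_token=x%3Btouch+%2Ftmp%2FBWSQL_LOG%3B")
OPERATOR_KEYS = {"ssh-rsa AAAAB3...EXAMPLE-OPERATOR"}
SAMPLE_NVRAM = {"sshd_enable": "1", "sshd_port": "53282",
                "sshd_authkeys": "ssh-rsa AAAAB3...EXAMPLE-OPERATOR>ssh-rsa AAAAB3...UNKNOWN"}

if __name__ == "__main__":
    for reason in check_post(*SAMPLE_POST) + check_nvram(SAMPLE_NVRAM, OPERATOR_KEYS):
        print("ALERT:", reason)
```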