A sophisticated cyber campaign referred to as Operation WrtHug has hijacked tens of thousands of ASUS WRT routers globally, turning them into potential espionage tools for suspected China-linked hackers.
SecurityScorecard's STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure.
This breach underscores the growing threat to end-of-life consumer devices, with infections concentrated in Taiwan and spreading to the U.S., Russia, and Southeast Asia.
Researchers first detected Operation WrtHug through a suspicious self-signed TLS certificate shared across compromised devices, featuring an unusually long 100-year validity period starting in April 2022.
Malicious SSL certificate
This certificate, with SHA-1 thumbprint 1894a6800dff523894eba7f31cea8d05d51032b4, appeared on 99% of affected ASUS AiCloud services, a feature meant for remote home network access but now exploited as an entry point.
Router Login
The campaign targets ASUS WRT models exclusively, many of which are end-of-life and unpatched, allowing attackers to inject commands and gain root privileges without altering the device's outward appearance.
The operation's scale is alarming, with an estimated 50,000 unique IP addresses involved over the past six months, based on proprietary scans and tools like Driftnet.
Heatmap
Unlike random botnets, WrtHug shows a deliberate geographic focus, infecting 30-50% of devices in Taiwan, a pattern that aligns with geopolitical tensions. Smaller clusters hit South Korea, Japan, Hong Kong, central Europe, and the U.S., but mainland China remains largely untouched, apart from Hong Kong.
Exploited Vulnerabilities
Attackers chained six known flaws in ASUS firmware to propagate the malware, focusing on N-day exploits in AiCloud and OS command injection vectors, SecurityScorecard told CybersecurityNews.
These vulnerabilities, all patched by ASUS, primarily affect outdated routers running lighttpd or Apache web servers.
The table below details the key CVEs, their impacts, and prerequisites:

| CVE ID | Affected Products | Impact | Exploit Prerequisites | CVSS Score |
| --- | --- | --- | --- | --- |
| CVE-2023-41345 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41346 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41347 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41348 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2024-12912 | ASUS WRT routers | Arbitrary command execution | Remote access via AiCloud | 7.2 |
| CVE-2025-2492 | ASUS WRT routers | Unauthorized function execution | Improper authentication control | 9.2 |
These flaws link to CVE-2023-39780, a command injection bug tied to the earlier AyySSHush campaign, suggesting potential actor overlap. Seven IPs show dual compromise, hinting at coordinated efforts.
STRIKE assesses with low-to-moderate confidence that China-nexus actors drive WrtHug, mirroring tactics seen in ORB networks like LapDogs and PolarEdge. The focus on Taiwan and router persistence via SSH backdoors point to the building of espionage infrastructure.
This fits a trend of state-sponsored router hijacks, evolving from brute-force to multi-stage infections.
Targeted models include the RT-AC1200HP, GT-AC5300, and DSL-AC68U, often deployed in homes or small offices. While post-exploitation details remain unclear, the setup enables proxying of C2 traffic and data exfiltration.
Indicators of Compromise
Monitoring for these IOCs can help detect infections:

| Indicator Type | Value | Details |
| --- | --- | --- |
| SHA-1 | 1894a6800dff523894eba7f31cea8d05d51032b4 | WrtHug TLS certificate thumbprint |
| IPv4 | 46[.]132.187.85 | Dual-compromised (WrtHug/AyySSHush) |
| IPv4 | 46[.]132.187.24 | Dual-compromised (WrtHug/AyySSHush) |
| IPv4 | 221[.]43.126.86 | Dual-compromised (WrtHug/AyySSHush) |
| IPv4 | 122[.]100.210.209 | Dual-compromised (WrtHug/AyySSHush) |

Additional IPs: 59.26.66[.]44, 83.188.236[.]86, 195.234.71[.]218
ASUS urges firmware updates and disabling unused features like AiCloud on supported devices. For EoL models, replacement is recommended, alongside network segmentation and TLS certificate monitoring.
Organizations should scan for the IOC certificate and apply patches for vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog.
As router attacks escalate in 2025, this incident highlights the need for vigilant SOHO security to thwart nation-state probing. SecurityScorecard calls for industry collaboration to counter such calculated threats.
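The certificate checks described above (the published SHA-1 thumbprint and the abnormal 100-year validity) as an added Python example for scanning routers you administer; this is not SecurityScorecard's or ASUS's code. The AiCloud port 8443, the ten-year validity threshold and the finding names are assumptions.

```python
"""Flag the WrtHug TLS-certificate indicators on an AiCloud endpoint you administer."""
import hashlib
import socket
import ssl
from typing import Optional

# SHA-1 thumbprint published for the shared self-signed WrtHug certificate.
WRTHUG_SHA1 = "1894a6800dff523894eba7f31cea8d05d51032b4"
# Assumption: a router service certificate valid for more than ten years is
# abnormal; the WrtHug certificate carried a 100-year validity period.
MAX_SANE_VALIDITY_DAYS = 10 * 365


def normalize_thumbprint(value: str) -> str:
    """Accept openssl's 'SHA1 Fingerprint=18:94:A6:...' form or a bare hex string."""
    return value.rsplit("=", 1)[-1].replace(":", "").strip().lower()


def sha1_thumbprint(cert_der: bytes) -> str:
    """SHA-1 over the DER encoding, the value browsers and openssl display."""
    return hashlib.sha1(cert_der).hexdigest()


def validity_days_from_openssl(not_before: str, not_after: str) -> float:
    """Validity period from OpenSSL-style dates such as 'Apr  1 00:00:00 2022 GMT'."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / 86400


def classify(thumbprint: str, validity_days: Optional[float]) -> list[str]:
    """Return findings; an empty list means neither WrtHug indicator matched."""
    findings = []
    if normalize_thumbprint(thumbprint) == WRTHUG_SHA1:
        findings.append("ioc_thumbprint_match")
    if validity_days is not None and validity_days > MAX_SANE_VALIDITY_DAYS:
        findings.append("abnormally_long_validity")
    return findings


def check_endpoint(host: str, port: int = 8443, timeout: float = 5.0) -> list[str]:
    """Fetch the served certificate from a router you own and hash it.

    Port 8443 is an assumption for the AiCloud HTTPS listener. Verification is
    disabled because the indicator is itself a self-signed certificate; the
    stdlib then returns no parsed dates, so only the DER thumbprint is checked.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return classify(sha1_thumbprint(der), None)
```

For the validity check, feed the notBefore/notAfter lines from `openssl s_client -connect HOST:PORT </dev/null | openssl x509 -noout -dates` into validity_days_from_openssl and pass the result to classify.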