Operation WrtHug hijacks 50,000+ ASUS routers to build global botnet


Pierluigi Paganini
November 19, 2025


Operation WrtHug hijacks tens of thousands of outdated ASUS routers worldwide, mainly in Taiwan, the U.S., and Russia, forming a large botnet.

A new campaign called Operation WrtHug has compromised tens of thousands of outdated or end-of-life ASUS routers worldwide, mainly in Taiwan, the U.S., and Russia, pulling them into a large malicious network. SecurityScorecard researchers also warn of infections appearing across Southeast Asia and Europe.

The attackers likely exploited six known flaws in end-of-life ASUS WRT routers to take them over. All compromised devices share a long-lived self-signed TLS certificate valid for 100 years from April 2022. SecurityScorecard says 99% of the systems presenting that certificate run ASUS AiCloud.

“WrtHug is a widespread operation that appears to exclusively target ASUS WRT routers. The attackers exploit “Nth day vulnerabilities,” which are security flaws that have been publicly known for some time, to gain high-level privileges on the devices. The campaign mainly affects End-of-Life (EoL) devices.” reads the report published by SecurityScorecard.

Threat actors exploited multiple ASUS router vulnerabilities, including OS command injection (CVE-2023-41345 to CVE-2023-41348), arbitrary command execution (CVE-2024-12912), and improper authentication (CVE-2025-2492), targeting the AiCloud service for initial access.

Threat actors have infected ASUS routers worldwide, forming a botnet of over 50,000 devices.


Experts attribute the campaign to China-linked actors who aim to build a persistent, hidden network for espionage. They speculate on possible coordination with similar campaigns such as the AyySSHush botnet.

In May, GreyNoise researchers discovered that the AyySSHush botnet had hacked over 9,000 ASUS routers, adding a persistent SSH backdoor.

“This report is a clear case study on evolving attacker methods. Using a service that harbors Nth Day vulnerabilities as an attack vector highlights the risks associated with EoL devices and legacy software. Tracking the unique TLS certificate in this case can serve security teams looking to protect against this operation.” concludes the report. “The report’s findings underscore the critical need for constant vigilance and proactive monitoring. It is not enough to simply apply patches to active products. Security teams must consider the security of the entire network, including aging devices and services, in order to counter sophisticated, state-sponsored intrusion campaigns.”
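The report's two observable traits of the shared certificate (self-signed, about 100 years of validity from April 2022) can be turned into a simple triage check for certificates collected from a router fleet. The following Go program is an added example, not code from SecurityScorecard or ASUS; the 99-year threshold, the `router.example` name and the certificates it generates for testing are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertFinding records the two traits the report associates with the shared
// certificate on compromised routers: self-signed and roughly 100 years of validity.
type CertFinding struct {
	SelfSigned    bool
	ValidityYears float64
	Suspicious    bool // both traits present
}

// AssessCert flags a certificate whose issuer equals its subject (self-signed)
// and whose validity window spans 99 years or more. The threshold is an
// assumption chosen to catch the "100 years from April 2022" window.
func AssessCert(cert *x509.Certificate) CertFinding {
	self := bytes.Equal(cert.RawIssuer, cert.RawSubject)
	years := cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
	return CertFinding{SelfSigned: self, ValidityYears: years, Suspicious: self && years >= 99}
}

// makeSelfSigned creates a constructed self-signed certificate for testing;
// a real check would parse certificates captured from the devices instead.
func makeSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "router.example"}, // constructed
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2022, time.April, 1, 0, 0, 0, 0, time.UTC)
	longLived, _ := makeSelfSigned(start, start.AddDate(100, 0, 0))
	normal, _ := makeSelfSigned(start, start.AddDate(1, 0, 0))
	fmt.Printf("100-year cert: %+v\n", AssessCert(longLived))
	fmt.Printf("1-year cert:   %+v\n", AssessCert(normal))
}
```

A validity-window check like this is only a triage signal: it narrows the fleet to devices worth inspecting, and the report's actual certificate should be matched exactly where it is available.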

ASUS has already addressed all the vulnerabilities targeted in Operation WrtHug.
