Your home router, the device connecting you to the internet, may have been silently compromised as part of a coordinated global espionage campaign. SecurityScorecard’s STRIKE team has uncovered Operation WrtHug.
This massive hacking operation has infiltrated thousands of ASUS routers worldwide, establishing what appears to be a state-sponsored infrastructure for persistent network access and deep surveillance capabilities.
In collaboration with ASUS’s product security expertise, researchers identified a meticulously planned operation targeting ASUS WRT routers through publicly known security vulnerabilities.
This discovery represents a critical wake-up call for both home users and enterprise security professionals, revealing yet another disturbing trend in sophisticated state-sponsored cyber-espionage operations.
WrtHug operators leverage what security researchers call “Nth day vulnerabilities”: publicly disclosed security vulnerabilities that remain unpatched on legacy and end-of-life devices.
The attackers exploited at least six known vulnerabilities for initial access, with OS command injection vulnerabilities serving as primary attack vectors.
The campaign primarily leverages CVE-2023-39780 (CVSS 8.8), a critical vulnerability grouped with CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348.
Additionally, attackers deployed CVE-2024-12912 (arbitrary command execution, CVSS 7.2) and CVE-2025-2492 (improper authentication, CVSS 9.2) to establish persistent access.
The threat actors specifically targeted the ASUS routers’ AiCloud service, a proprietary cloud storage and remote access solution, as their primary entry point.
Once compromised, routers become part of an invisible global botnet infrastructure that remains hidden from detection.
Global Network of Compromised Infrastructure
SecurityScorecard’s research identified over 50,000 unique IP addresses belonging to compromised devices over the last six months alone.
The geographical distribution of infected routers is particularly revealing, with 30-50% concentrated in Taiwan, alongside significant clusters in the United States, Russia, Southeast Asia, and Europe.
A unique digital fingerprint has emerged across all infected devices: a self-signed TLS certificate bearing an unusually long 100-year expiration period.
This distinctive indicator serves as a critical detection tool for security teams hunting for compromised infrastructure.
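As an added illustration (not code from SecurityScorecard’s report), here is a small Python triage routine that flags the fingerprint described above: a self-signed certificate whose validity span is roughly 100 years. The 90-year threshold, the hostnames and the sample certificate dicts are assumptions of this example, laid out the way ssl.getpeercert() returns them.

```python
import ssl

# The reported fingerprint is a self-signed certificate valid for 100 years.
# 90 years is an assumed threshold that leaves margin for leap days and rounding.
SUSPICIOUS_YEARS = 90
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def validity_years(cert):
    """Validity period in years of a cert dict shaped like ssl.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / SECONDS_PER_YEAR

def is_self_signed(cert):
    """A self-signed certificate names the same DN as issuer and subject."""
    return cert.get("issuer") == cert.get("subject")

def matches_wrthug_fingerprint(cert):
    """True when the certificate is self-signed and valid for roughly a century."""
    return is_self_signed(cert) and validity_years(cert) >= SUSPICIOUS_YEARS

def triage(certs):
    """Sorted hosts whose certificate matches; certs maps host -> cert dict."""
    return sorted(h for h, c in certs.items() if matches_wrthug_fingerprint(c))

# Constructed sample input in the layout ssl.getpeercert() produces. For a live
# host, ssl.get_server_certificate((host, port)) returns the PEM unverified;
# turning it into these fields needs a parser such as the cryptography package,
# since getpeercert() only fills the dict after chain verification succeeds.
SAMPLE_CERTS = {
    "router-a.example": {  # self-signed, 100-year validity: flagged
        "subject": ((("commonName", "router"),),),
        "issuer": ((("commonName", "router"),),),
        "notBefore": "Apr 18 00:00:00 2025 GMT",
        "notAfter": "Apr 18 00:00:00 2125 GMT",
    },
    "router-b.example": {  # self-signed but one-year validity: not flagged
        "subject": ((("commonName", "router"),),),
        "issuer": ((("commonName", "router"),),),
        "notBefore": "Apr 18 00:00:00 2025 GMT",
        "notAfter": "Apr 18 00:00:00 2026 GMT",
    },
    "ca-issued.example": {  # CA-issued: issuer differs from subject
        "subject": ((("commonName", "ca-issued.example"),),),
        "issuer": ((("commonName", "Example CA"),),),
        "notBefore": "Jan  1 00:00:00 2025 GMT",
        "notAfter": "Jan  1 00:00:00 2027 GMT",
    },
}
```

Running triage(SAMPLE_CERTS) returns only router-a.example; the short-lived self-signed router and the CA-issued host are left alone.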
SecurityScorecard’s STRIKE team assesses with low-to-moderate confidence that Operation WrtHug represents an Operational Relay Box (ORB) facilitation campaign conducted by China-affiliated threat actors.
ORB operations are sophisticated intrusion campaigns designed to expand state-sponsored espionage infrastructure globally while maintaining operational secrecy.
The campaign’s targeting patterns and methodologies mirror previous suspected China-nexus operations, including AyySSHush, another ORB campaign exploiting identical vulnerabilities on the same device classes.
The remarkably low number of devices showing dual-compromise suggests potential coordination between these operations, indicating a strategic, organized effort rather than opportunistic exploitation.
This operation underscores the escalating threat posed by unpatched legacy devices. Organizations cannot ignore end-of-life products; they require continuous monitoring and isolation.
Security professionals should implement network segmentation, monitor for the distinctive 100-year TLS certificate, and prioritize patching all ASUS devices across their environments.
The sophistication demonstrated by WrtHug, moving beyond simple brute-force attacks to multi-stage exploitation chains, reflects the evolving capabilities of state-sponsored actors.
Comprehensive network visibility and proactive threat hunting are no longer optional; they’re essential operational requirements in the age of advanced persistent espionage.