A Chinese state-sponsored threat actor is responsible for compromising tens of thousands of older Asus routers worldwide, creating a persistent network in support of global espionage campaigns. This operation, named WrtHug by SecurityScorecard, exploits known vulnerabilities within the routers’ AiCloud service, which permits users to access local storage over the internet. The hackers leveraged several high-severity command injection bugs, including CVE-2023-41345 through CVE-2023-41348, and CVE-2023-39780, which all stem from insufficient filtering of special characters. The attackers also utilized a high-severity command execution flaw, CVE-2024-12912, and a critical-severity improper authentication control flaw, CVE-2025-2492, to successfully gain control over the devices.
Once compromised, each device becomes part of a large, global network of infected routers. SecurityScorecard’s STRIKE team has identified over 50,000 unique IP addresses associated with these compromised devices within a six-month period. One indicator of compromise is a shared, self-signed TLS certificate installed on all the infected routers, with an unusually long 100-year validity period starting in April 2022. While a substantial portion of the compromised devices, ranging from 30% to 50%, are located in Taiwan, the cybersecurity firm has also observed significant clusters in the United States, Russia, Southeast Asia, and Europe, indicating the far-reaching nature of this espionage infrastructure.
This campaign is part of a larger trend, being the second China-linked Operational Relay Box (ORB) operation uncovered this year that targets internet-accessible Asus routers, following the earlier AyySSHush network. SecurityScorecard suggests that this activity is indicative of Chinese-linked hackers quietly building massive networks of infected devices to establish a persistent and concealed presence. All of the exploited vulnerabilities have been patched, and they primarily affect outdated and discontinued models, such as the 4G-AC55U, DSL-AC68U, GT-AC5300, and several others, which are likely no longer receiving official security updates.
SecurityScorecard identified only seven IP addresses compromised in both the WrtHug and AyySSHush attacks. This overlap leads them to consider two possibilities: the operations could be a single, evolving campaign, or the same threat actor may be responsible for both. An alternative scenario is that two different groups are operating them but are coordinating their activities. However, the company currently lacks substantial evidence beyond the shared vulnerability to definitively support these speculations, and until further proof emerges, they are continuing to track Operation WrtHug as a distinct campaign.
To mitigate the risk posed by this espionage infrastructure, users are strongly advised to take immediate action. This includes applying patches for the exploited vulnerabilities to their existing devices as soon as possible, if available. Given that many of the targeted models are discontinued, the most effective recommendation is to replace older Asus router devices with newer, currently supported models that receive regular security updates from the manufacturer.