Tens of thousands more ASUS routers pwned by suspected, evolving China operation

Summary

SecurityScorecard’s STRIKE team reports that around 50,000 ASUS WRT routers — mainly end-of-life models — have been compromised in a campaign dubbed “Operation WrtHug.” The attackers exploit multiple known vulnerabilities (some stretching back to 2023) to install an ORB-style foothold designed for stealthy espionage rather than noisy botnet activity.

The intrusions are concentrated in Taiwan and Southeast Asia, with very limited impact in mainland China, Russia or the US. STRIKE notes overlaps with earlier AyySSHush/ORB activity but found only seven devices common to both campaigns, so it treats WrtHug as either an evolving single operation or a coordinated effort from the same actor or group.

Key Points

  • Approximately 50,000 ASUS WRT routers have been confirmed compromised in Operation WrtHug.
  • Targets are primarily end-of-life ASUS WRT devices concentrated in Taiwan and Southeast Asia.
  • Attackers exploit six known CVEs, including four 2023 command-injection flaws (CVE-2023-41345/46/47/48), CVE-2024-12912 and the critical CVE-2025-2492.
  • The campaign shows tactical similarity to prior AyySSHush/ORB activity; attribution is assessed as low-to-moderate confidence for a China-affiliated actor.
  • ORBs (operational relay boxes) favour stealthy espionage — concealing traffic for data theft — unlike louder botnets used for DDoS.
  • Distinct indicator: a self-signed AiCloud TLS certificate with an unusual 100-year expiry (issued April 2022) appears on compromised devices.
  • Mitigation advice: patch affected routers where updates exist or replace them with supported models that receive security updates.
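A defender-side check for the certificate indicator listed above, written as an added example rather than code from the article or from SecurityScorecard: it takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and flags a self-signed subject/issuer or a validity period longer than `max_years`. The two sample certificates, the `router.example` name and the exact April 2022 dates are constructed placeholders, and `fetch_peer_cert` is an assumed helper that needs network access to the device.

```python
import socket
import ssl

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _dn(name):
    """Flatten the nested tuple form getpeercert() uses for subject/issuer."""
    return {attr: value for rdn in name for attr, value in rdn}


def lifetime_years(cert):
    """Validity period of a getpeercert()-style dict, in years."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / SECONDS_PER_YEAR


def cert_findings(cert, max_years=10):
    """Reasons this certificate resembles the WrtHug indicator (empty list if none)."""
    findings = []
    years = lifetime_years(cert)
    if years > max_years:
        findings.append(f"validity period of {years:.0f} years exceeds {max_years}")
    if _dn(cert["subject"]) == _dn(cert["issuer"]):
        findings.append("self-signed: subject equals issuer")
    return findings


def fetch_peer_cert(host, port=443):
    """Assumed helper: fetch a device's certificate as a getpeercert()-style dict.
    The served PEM is pinned as the sole trust anchor so a self-signed
    certificate still verifies; with CERT_NONE getpeercert() would return {}."""
    pem = ssl.get_server_certificate((host, port))
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # inspecting the cert, not trusting the hostname
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample shaped like the reported indicator (name and dates are placeholders)
WRTHUG_LIKE = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "router.example"),),),
    "notBefore": "Apr  1 00:00:00 2022 GMT",
    "notAfter": "Apr  1 00:00:00 2122 GMT",
}

# Constructed sample of an ordinary CA-issued, short-lived certificate
BENIGN = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}
```

Run `cert_findings(fetch_peer_cert("192.0.2.1"))` against a router's AiCloud/HTTPS port to apply the same check to a live device.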

Context and Relevance

This incident underscores the persistent risk posed by end-of-life networking kit: outdated firmware creates a wide attack surface that sophisticated adversaries can exploit for long-term espionage. The geographic focus and TTP (tactics, techniques and procedures) alignment with previous ORB campaigns increase concerns about targeted surveillance in the Indo-Pacific region.

For organisations and home users alike, the story is a reminder that consumer routers can be weaponised as clandestine access points. The low-volume, stealthy nature of ORB campaigns makes detection harder, elevating the value of simple hygiene measures — patching, upgrading hardware and monitoring unusual certificates or network traffic.

Why should I read this?

If you own an ASUS WRT router (especially an older, unsupported model) — this is one to act on. It’s not just noise: thousands of devices are being quietly hijacked for espionage-style activity. Read this so you know what to look for and what to do — patch, upgrade, or swap the kit. Saves you the panic later.

Author

Punchy note: This isn’t a run-of-the-mill botnet story. The scale, stealth indicators (that bizarre 100-year cert) and regional focus make it a high-priority security alert. If you manage networks in the region or run legacy consumer kit, treat it as urgent.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/