A sophisticated cyber campaign known as Operation WrtHug has hijacked tens of thousands of ASUS WRT routers globally, turning them into potential espionage tools for suspected China-linked hackers.
SecurityScorecard’s STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure.
This breach underscores the rising threat to end-of-life consumer devices, with infections concentrated in Taiwan and spreading to the U.S., Russia, and Southeast Asia.
Researchers first detected Operation WrtHug through a suspicious self-signed TLS certificate shared across compromised devices, featuring an unusually long 100-year expiration date from April 2022.
This certificate, with SHA1 thumbprint 1894a6800dff523894eba7f31cea8d05d51032b4, appeared on 99% of affected ASUS AiCloud services, a feature meant for remote home network access but now exploited as an entry point.
The campaign targets exclusively ASUS WRT models, many of which are end-of-life and unpatched, allowing attackers to inject commands and gain root privileges without altering the device’s outward appearance.
The operation’s scale is alarming, with estimates of 50,000 unique IP addresses involved over the past six months, based on proprietary scans and tools like Driftnet.
Unlike random botnets, WrtHug shows a deliberate geographic focus, infecting 30-50% of devices in Taiwan, a pattern that aligns with geopolitical tensions. Smaller clusters hit South Korea, Japan, Hong Kong, central Europe, and the U.S., but mainland China remains largely untouched, aside from Hong Kong.
Attackers chained six known flaws in ASUS firmware to propagate the malware, focusing on N-day exploits in AiCloud and OS injection vectors, SecurityScorecard said to CybersecurityNews.
These vulnerabilities, all patched by ASUS, primarily affect outdated routers running lighttpd or Apache web servers.
The table below details the key CVEs, their impacts, and prerequisites:
| CVE ID | Affected Products | Impact | Exploit Prerequisites | CVSS Score |
|---|---|---|---|---|
| CVE-2023-41345 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41346 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41347 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41348 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2024-12912 | ASUS WRT routers | Arbitrary command execution | Remote access via AiCloud | 7.2 |
| CVE-2025-2492 | ASUS WRT routers | Unauthorized function execution | Improper authentication control | 9.2 |
These flaws link to CVE-2023-39780, a command injection bug tied to the earlier AyySSHush campaign, suggesting possible actor overlap. Seven IPs show dual compromise, hinting at coordinated efforts.
STRIKE assesses low-to-moderate confidence that China Nexus actors drive WrtHug, mirroring tactics in ORBs like LapDogs and PolarEdge. The focus on Taiwan and router persistence via SSH backdoors points to espionage infrastructure building.
This fits a trend of state-sponsored router hijacks, evolving from brute-force to multi-stage infections.
Targeted models include RT-AC1200HP, GT-AC5300, and DSL-AC68U, often in homes or small offices. While post-exploitation details remain unclear, the setup enables proxying C2 traffic and data exfiltration.
Monitoring for these IOCs can help detect infections:
| Indicator Type | Value | Details |
|---|---|---|
| SHA-1 | 1894a6800dff523894eba7f31cea8d05d51032b4 | WrtHug TLS certificate thumbprint |
| IPv4 | 46[.]132.187.85 | Dual-compromised (WrtHug/AyySSHush) |
| IPv4 | 46[.]132.187.24 | Dual-compromised (WrtHug/AyySSHush) |
| IPv4 | 221[.]43.126.86 | Dual-compromised (WrtHug/AyySSHush) |
| IPv4 | 122[.]100.210.209 | Dual-compromised (WrtHug/AyySSHush) |
Additional IPs: 59.26.66[.]44, 83.188.236[.]86, 195.234.71[.]218
ASUS urges firmware updates and disabling unused features like AiCloud on supported devices. For EoL models, replacement is recommended, alongside network segmentation and TLS certificate monitoring.
Organizations should scan for the IOC certificate and apply CISA’s known exploited catalog patches.
As router attacks escalate in 2025, this incident highlights the need for vigilant SOHO security to thwart nation-state probing. SecurityScorecard calls for industry collaboration to counter such calculated threats.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
SonicWall has disclosed a critical stack-based buffer overflow vulnerability in its SonicOS SSLVPN service. That…
OpenAI has launched GPT-5.1-Codex-Max, a specialized coding model designed to handle complex development tasks autonomously. The…
The U.S. Department of the Treasury, Australia, and the United Kingdom have announced coordinated sanctions…
Salesforce has issued a critical security alert identifying "unusual activity" involving Gainsight-published applications connected to…
The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging…
A critical remote code execution flaw in Microsoft's Windows Graphics Component allows attackers to seize…