Thousands of ASUS WRT routers, mostly end-of-life or outdated devices, have been hijacked in a worldwide campaign known as Operation WrtHug that exploits six vulnerabilities.
Over the past six months, scans for ASUS devices compromised in Operation WrtHug identified "roughly 50,000 unique IPs" across the globe.
Most of the compromised devices have IP addresses located in Taiwan, while others are distributed across Southeast Asia, Russia, Central Europe, and the United States.
Notably, there are no observed infections inside China, which may indicate a threat actor from that country, but researchers found insufficient evidence for high-confidence attribution.
According to SecurityScorecard's STRIKE researchers, based on targeting and attack methods, there may be a connection between Operation WrtHug and the AyySSHush campaign, first documented by GreyNoise in May.
Source: SecurityScorecard
WrtHug attacks
The attacks begin with the exploitation of command injection flaws and other known vulnerabilities in ASUS WRT routers, mostly AC-series and AX-series devices.
According to STRIKE researchers, the WrtHug campaign may leverage the following security issues in attacks:
- CVE-2023-41345/46/47/48 – OS command injection via token modules
- CVE-2023-39780 – major command injection flaw (also used in the AyySSHush campaign)
- CVE-2024-12912 – arbitrary command execution
- CVE-2025-2492 – improper authentication control that can lead to unauthorized execution of functions
Of the vulnerabilities above, CVE-2025-2492 is the only one with a critical severity rating. A security advisory from ASUS in April warned about the severity of the flaw and that it could be triggered by a crafted request on routers that have the AiCloud feature enabled.
In a report today, SecurityScorecard says that "attackers likely leveraged the ASUS AiCloud service in this case to deploy a targeted global intrusion set."
An indicator of compromise for this campaign is the presence of a self-signed TLS certificate in the AiCloud service that replaced the standard one generated by ASUS on 99% of the breached devices. The new certificate stood out because it has a lifetime of 100 years, compared with the original, which is valid for only 10 years.
STRIKE researchers used this distinctive certificate to identify the 50,000 infected IPs.
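The certificate-lifetime indicator described above can be checked from a defender's side without any third-party packages. The following is an added example, not code from SecurityScorecard or ASUS: a stdlib-only Python script that pulls the leaf certificate from a router's HTTPS listener, reads the X.509 Validity field with a minimal DER walker, and flags any certificate whose lifetime is far beyond ASUS's stock 10 years. The 20-year threshold, the default port of 443 and the `sample_cert` skeleton used as offline test input are all assumptions made for this example.

```python
"""Detect the WrtHug AiCloud certificate IoC by certificate lifetime.

Stdlib only, so it runs on a bare Python install. The DER walker below
reads just enough of an X.509 certificate to reach the Validity field.
"""
import datetime as dt
import socket
import ssl

# Assumption: ASUS's stock AiCloud certificate is valid for 10 years and the
# WrtHug replacement for 100, so 20 years is used as the dividing line.
SUSPICIOUS_LIFETIME_DAYS = 20 * 365


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for every element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _parse_time(tag, raw):
    """Turn a UTCTime (0x17) or GeneralizedTime (0x18) value into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def der_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_start, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)   # tbsCertificate
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, v_start, v_end = fields[3]                        # serial, signature, issuer, validity
    times = list(_children(der, v_start, v_end))
    return tuple(_parse_time(t, der[s:e]) for t, s, e in times[:2])


def lifetime_days(not_before, not_after):
    return (not_after - not_before).days


def is_suspicious(der, threshold_days=SUSPICIOUS_LIFETIME_DAYS):
    """True when the certificate's validity period is at or above the threshold."""
    not_before, not_after = der_validity(der)
    return lifetime_days(not_before, not_after) >= threshold_days


def check_router(host, port=443, timeout=5.0):
    """Fetch the leaf certificate from a router's HTTPS listener and score it.

    Verification is disabled on purpose: the certificates being hunted are
    self-signed. Port 443 is an assumption; adjust to the AiCloud listener in use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    not_before, not_after = der_validity(der)
    days = lifetime_days(not_before, not_after)
    return days, days >= SUSPICIOUS_LIFETIME_DAYS


# --- constructed sample input (not a real, signed certificate) -------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def sample_cert(not_before, not_after, time_tag=0x18):
    """Skeleton with only the fields der_validity walks; issuer/signature are empty placeholders."""
    validity = _tlv(0x30, _tlv(time_tag, not_before.encode()) + _tlv(time_tag, not_after.encode()))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))  # version v3
           + _tlv(0x02, b"\x01")            # serialNumber
           + _tlv(0x30, b"")                # signature AlgorithmIdentifier
           + _tlv(0x30, b"")                # issuer Name
           + validity)
    return _tlv(0x30, _tlv(0x30, tbs))


if __name__ == "__main__":
    stock = sample_cert("250101000000Z", "350101000000Z", time_tag=0x17)  # 10-year, like ASUS's own
    wrthug = sample_cert("20250101000000Z", "21250101000000Z")           # 100-year, like the IoC
    for name, der in (("stock", stock), ("wrthug", wrthug)):
        nb, na = der_validity(der)
        print(name, lifetime_days(nb, na), "days, suspicious:", is_suspicious(der))
```

Run `check_router("192.0.2.1")` (an address from the documentation range, substituted for your own router) against a device you administer; a lifetime near 36,500 days matches the replaced certificate described in the report, while ASUS's own comes out near 3,650. The DER walker deliberately ignores everything after Validity, so it does not care whether the signature or issuer fields are well-formed, which is what you want when the goal is only to read dates off an untrusted self-signed certificate.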

Source: SecurityScorecard
As in the AyySSHush campaign, the attackers do not upgrade the firmware of the compromised device, leaving it open to takeover by other threat actors.
Based on indicators of compromise, the researchers identified the following ASUS devices being targeted by Operation WrtHug:
• ASUS Wireless Router 4G-AC55U
• ASUS Wireless Router 4G-AC860U
• ASUS Wireless Router DSL-AC68U
• ASUS Wireless Router GT-AC5300
• ASUS Wireless Router GT-AX11000
• ASUS Wireless Router RT-AC1200HP
• ASUS Wireless Router RT-AC1300GPLUS
• ASUS Wireless Router RT-AC1300UHP
STRIKE believes that the compromised routers may be used as operational relay box (ORB) networks in Chinese hacking operations, acting as stealth relay nodes that proxy traffic and hide command-and-control infrastructure. However, the report does not delve into post-compromise operations and lacks specific details.
ASUS has issued security updates that address all the vulnerabilities leveraged in the WrtHug attacks, so router owners should upgrade their firmware to the latest available version.
If the device is no longer under support, users are advised to replace it or at least disable remote access features.
ASUS also recently fixed CVE-2025-59367, an authentication bypass flaw affecting several AC-series models, which, while not yet exploited, could soon be added to the attackers' arsenal.