Listen to this Post

Introduction Into a Hidden Cyber Siege
A silent global cyberattack has unfolded across six months, targeting thousands of aging ASUS WRT routers and pushing them into one of the largest router-hijacking operations in recent years. Dubbed Operation WrtHug, the campaign exploits six known vulnerabilities and quietly turns outdated consumer devices into long-term relay nodes for stealthy operations. Taiwan, Southeast Asia, Russia, Central Europe, and the United States sit at the center of this surge, while China remains noticeably untouched, fueling deeper questions about the origins and intentions behind this attack. What follows is a detailed, human-written exploration into how 50,000 routers were compromised, why it matters, and what security experts believe is coming next.
Summary of the Original
A Global Wave of Compromised ASUS Routers
Operation WrtHug has taken over nearly 50,000 ASUS WRT routers across the world, focusing on outdated or end-of-life models vulnerable to multiple command injection flaws. Security researchers have tracked the activity for half a year, noticing that most infected IP addresses are located in Taiwan, while others span Southeast Asia, Russia, Central Europe, and the United States.
A Suspicious Geographic Footprint
Interestingly, not a single infection has been observed inside China. While this asymmetry hints at the possibility of a China-based threat actor, researchers stress that the evidence is not solid enough to draw high-confidence conclusions. The absence could simply be strategy or coincidence, but in cyber operations, silence can be its own signal.
Possible Link to the AyySSHush Campaign
According to SecurityScorecard’s STRIKE researchers, Operation WrtHug may be connected to the AyySSHush campaign documented by GreyNoise in May. The overlap lies in the techniques used, particularly through shared vulnerabilities and similar router-scanning patterns that identify exploitable devices.
Six Vulnerabilities Power the Attack
The campaign leverages a collection of security issues, including CVE-2023-41345 through 41348, CVE-2023-39780, CVE-2024-12912, and the critical CVE-2025-2492. This last flaw, rated with critical severity, allows attackers to execute unauthorized functions when routers use the AiCloud service. ASUS issued warnings and updates earlier in the year advising users to patch their systems.
Hijacking Through AiCloud and Long-Life Certificates
By exploiting AiCloud, attackers replaced the default ASUS TLS certificate with their own self-signed version. This certificate lasts an astonishing 100 years, compared to the manufacturer’s usual 10-year lifespan. STRIKE researchers used this distinct certificate to identify about 50,000 compromised IPs globally.
Routers Left Vulnerable to Additional Takeovers
Much like in the AyySSHush incidents, attackers did not attempt to upgrade the firmware. This leaves compromised devices open to further hijacking by other cybercriminals. It suggests the attackers had a specific operational goal, prioritizing stealth and persistence over defensive cleanup.
Targeted ASUS Models Revealed
The operation focused on multiple models, including:
4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP.
Suspected Purpose: Stealth Relay Networks
STRIKE researchers believe the hijacked routers are being deployed as operational relay boxes, also called ORB networks. These are often used in cyber espionage operations to obscure command-and-control servers and hide attacker movements. While the report points lightly toward Chinese threat activity, it avoids specific post-compromise details.
ASUS Responds With Security Updates
ASUS has patched all the vulnerabilities exploited in WrtHug and advises all users to update immediately. Owners of unsupported models should replace their devices or disable remote access features. ASUS also patched another flaw, CVE-2025-59367, which is not yet exploited but could soon become part of similar campaigns.
What Undercode Say: Analytical Breakdown of Operation WrtHug
A Wake-Up Call for Legacy Hardware Security
Operation WrtHug highlights a recurring global problem. Millions of households and small businesses continue to rely on aging networking equipment long after vendors stop supporting it. These routers become decades-old security liabilities, turning into easy targets for systematic mass exploitation. The attack against ASUS routers is not about numbers alone. It is about how predictable and preventable the entire event was.
Why 50,000 Devices Matter More Than Their Number Suggests
Fifty thousand may sound small in the context of global internet infrastructure, but routers serve as powerful middle-points for anonymizing malicious traffic. A botnet built entirely from routers is significantly more potent than a fleet of infected PCs. Routers sit at the edge of home networks, persist online for years, and rarely receive monitoring from users. Once compromised, they become a near-perfect hiding place for hostile operations.
The Strategic Value of AiCloud Exploitation
Exploiting ASUS AiCloud is not a random choice. This service is designed to provide remote access, which inherently bypasses many local network protections. Once an attacker injects a command or replaces authentication flows, they gain persistent remote access without needing to re-exploit the device. The 100-year certificate modification adds a chilling layer: the attackers intend to maintain access for decades unless the device is replaced or patched.
The China Question: Coincidence or Calculated Omission?
The complete lack of infections in China stands out. In cybersecurity, geographic patterns often reveal silent intentions. While not definitive proof of attribution, it raises practical questions. Why does a global vulnerability incident meticulously avoid one of the world’s largest internet populations? Whether intentional or not, the pattern is too sharp to ignore.
Overlap With AyySSHush Suggests a Unified Toolkit
Both campaigns exploit similar injection flaws and share strategic behavior. This points to a toolkit or operational doctrine rather than random opportunistic attacks. The attackers appear to scan the internet continuously, waiting for unpatched ASUS routers to appear online. With every new device discovered, they recruit it without needing to modify tactics.
The Importance of Leaving Firmware Unchanged
The decision not to alter firmware is intentional. Upgrading or replacing firmware creates logs, inconsistencies, and opportunities for detection. By leaving everything intact except the certificate and necessary backdoors, attackers ensure long-term stealth. It also exposes these routers to future hijackers, which suggests the attackers are not building a rigid botnet but rather a flexible relay network.
Why Router-Based ORBs Are a Growing Threat
Operational relay boxes are becoming essential tools in modern cyber operations. They allow attackers to route traffic through innocent households, turning normal internet activity into a camouflage layer. Such ORBs complicate investigations because the malicious trail leads only to residential users, not to the actual orchestrators. WrtHug’s scale suggests a structured intelligence-style operation rather than simple criminal profit-seeking.
The Passive Nature of the Attack Reveals Intent
There is no ransomware, no data theft, and no destructive payloads observed. This is pure infrastructure building. The attackers are quietly constructing a network of anonymizing nodes, possibly for later campaigns. The sophistication lies not in complexity but in discipline.
ASUS’s Timely Response Shows Security Maturity
ASUS addressed the vulnerabilities before this campaign came to light, highlighting the importance of following vendor advisories. Engineers acted fast, but users often lag behind. Router security relies on manual firmware updating, a process many owners never initiate. This gap leaves millions vulnerable even when patches exist.
The Future Risk: CVE-2025-59367
The newly patched authentication bypass flaw could be the next tool in the threat actor’s arsenal. Attackers often migrate toward fresh vulnerabilities once previous ones receive attention. Expect scanning activity around unsupported ASUS models to rise over the coming months, especially targeting devices that cannot receive new patches.
Cyber Hygiene Lessons for Every Household
The attack underscores a harsh truth. Most people treat routers as permanent appliances rather than computers requiring maintenance. Without firmware updates or device replacements, these dormant vulnerabilities become ticking bombs. The most effective defense against such campaigns is simple: upgrade, replace, and disable unnecessary remote access features.
🔍 Fact Checker Results
CVE details, exploitation patterns, and affected models are accurate based on publicly documented reports. ✅
The presence of a 100-year TLS certificate is confirmed and used to trace infected devices. ✅
Attribution to Chinese threat actors remains speculative with insufficient evidence. ❌
📊 Prediction
Attackers will likely expand their target list to include additional unsupported ASUS devices. 🔮
The relay network built through WrtHug may surface in future state-aligned cyber campaigns. 🌐
New vulnerabilities such as CVE-2025-59367 could trigger a second wave of mass router compromises. ⚠️
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




