Over 9,000 ASUS Routers Hacked by Stealthy Botnet: AyySSHush Exploits CVE-2023-39780

A Silent Cyberstorm Is Brewing in Your Home Network

A sophisticated and highly covert cyberattack has compromised over 9,000 ASUS routers, and potentially many more from brands like Cisco, D-Link, and Linksys. The culprit? A stealthy botnet campaign called AyySSHush, discovered by GreyNoise security researchers in March 2025. This campaign raises serious alarms in the cybersecurity world due to its silent, malware-free infiltration methods and its use of legitimate router features to maintain persistence.

What Happened in the AyySSHush Router Takeover

In mid-March 2025, GreyNoise uncovered a quiet yet widespread attack campaign against ASUS routers. The infected models include popular ones like the RT-AC3100, RT-AC3200, and RT-AX55. The attackers utilize a multi-pronged strategy: brute-forcing credentials, exploiting outdated vulnerabilities, and bypassing authentication mechanisms.

The key flaw exploited is CVE-2023-39780, a known command injection vulnerability. Once exploited, attackers add their own SSH public key and enable the SSH daemon on a non-standard port: TCP 53282. Crucially, this backdoor survives firmware updates, making it exceptionally persistent. The attackers cleverly use ASUS’s own configuration systems, making their modifications look like legitimate settings.

What makes AyySSHush so dangerous is that no malware is involved. Instead, attackers disable logging and Trend Micro’s AiProtection on the devices to remain undetected. Only 30 malicious requests were detected by GreyNoise over three months, yet over 9,000 routers have been compromised.

The campaign likely overlaps with another operation dubbed “Vicious Trap” by French firm Sekoia. That effort used an older vulnerability, CVE-2021-32030, to breach not just ASUS routers but also SOHO routers, SSL VPNs, DVRs, and even BMC controllers from several other manufacturers.

Interestingly, there’s no current evidence that the compromised routers are being used for Distributed Denial of Service (DDoS) attacks or as proxies. But this quiet setup suggests that threat actors might be laying the groundwork for a powerful botnet.

ASUS has released firmware updates to fix CVE-2023-39780, and users are strongly advised to upgrade their routers immediately. It’s also recommended to check for unauthorized SSH keys in the ‘authorized_keys’ file and to block the following suspicious IP addresses:

101.99.91[.]151
101.99.94[.]173
79.141.163[.]179
111.90.146[.]237

If you suspect your router was compromised, a full factory reset followed by a secure reconfiguration is the safest path forward.
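The checks the advice above calls for, as an added example that is not part of the original article and not ASUS or GreyNoise tooling: a POSIX shell audit script that lists authorized_keys entries missing from an operator-maintained allowlist, looks for a listener on TCP 53282 in `ss -ltn` or `netstat -ltn` output, and prints (without applying) firewall rules for the four indicator addresses. The allowlist, key file and socket listing below are constructed sample data.

```shell
#!/bin/sh
# Added audit helper, not code from the GreyNoise report or from ASUS: it lists
# authorized_keys entries absent from an operator allowlist, checks a socket listing
# for a listener on TCP 53282, and prints (never applies) firewall rules for the
# indicator addresses the article names. All sample data below is constructed.

AYYSSHUSH_IPS="101.99.91.151 101.99.94.173 79.141.163.179 111.90.146.237"
BACKDOOR_PORT=53282

# Print lines of authorized_keys ($1) whose key material (type + base64 blob) is not
# in the allowlist ($2). The key type is found by prefix, so option prefixes such as
# no-pty or command="..." do not confuse the comparison.
find_unknown_keys() {
    awk 'function keymat(  i) { for (i = 1; i < NF; i++)
             if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i+1); return "" }
         { k = keymat() }
         FILENAME == ARGV[1] { if (k != "") known[k] = 1; next }
         k != "" && !(k in known) { print }' "$2" "$1"
}

# Exit 0 if `ss -ltn` or `netstat -ltn` style output on stdin shows a listener on port $1.
port_listening() {
    awk -v p="$1" '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
                   END { exit !found }'
}

# Print iptables rules dropping the indicator addresses for an operator to review.
block_rules() {
    for ip in $AYYSSHUSH_IPS; do echo "iptables -I INPUT -s $ip -j DROP"; done
}

# --- constructed demo input (not captured from a real router) ---
D=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWN admin@laptop' > "$D/known"
cat > "$D/authorized_keys" <<'EOF'
# operator key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWN admin@laptop
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEUNKNOWN planted
EOF
SOCKETS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:53282      0.0.0.0:*'

echo "authorized_keys entries not on the allowlist:"
find_unknown_keys "$D/authorized_keys" "$D/known"
if printf '%s\n' "$SOCKETS" | port_listening "$BACKDOOR_PORT"; then
    echo "listener on TCP $BACKDOOR_PORT found; suggested rules:"; block_rules
fi
rm -rf "$D"
```

On a real device, feed the script the router's own `/etc/dropbear/authorized_keys` or `~/.ssh/authorized_keys` and live `ss -ltn` output instead of the constructed samples.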

What Undercode Says:

The AyySSHush campaign is a perfect case study in modern cyberthreat sophistication. Unlike flashy ransomware attacks or noisy DDoS campaigns, this operation embraces stealth and persistence as its weapons of choice. Here’s why it stands out:

No malware involved: This makes detection almost impossible through traditional antivirus or endpoint security systems. The attackers simply manipulate router settings using legitimate interfaces.

Persistence across firmware updates: By adding their SSH key through official ASUS features, the attackers guarantee long-term access. Even responsible users who regularly update firmware are not safe unless they check for unauthorized SSH keys.

Strategic silence: Only 30 malicious requests were logged, which shows how surgical and selective the attackers are. Instead of casting a wide net, they’re silently infecting high-value or high-access points.

Multi-vendor targeting: Though ASUS is in the spotlight, routers from Cisco, D-Link, Linksys, and even storage devices and DVRs have been targeted. The goal seems to be building a diverse, distributed infrastructure—most likely for a botnet.

No clear purpose—yet: The absence of DDoS traffic or obvious data theft hints that this campaign is phase one. The attackers are laying the infrastructure for something bigger—maybe coordinated attacks, espionage, or mass data harvesting.

Resemblance to nation-state tactics: While no actor has been officially named, the operational style suggests a well-funded, patient, and methodical entity. The use of rarely exploited CVEs and precise targeting implies military-grade expertise.

Dependence on poor user habits: Many routers remain unpatched for months. This creates an enormous attack surface. The fact that the SSH key survives updates but can be removed by a factory reset further indicates that users must take more responsibility for securing their home and office networks.

Lack of media attention: Despite its severity, this breach hasn’t gained mainstream coverage. That in itself is concerning—it reflects how underappreciated router security is in public discourse.

The bottom line is simple: this is a critical red flag for both casual users and cybersecurity professionals. It shows how vulnerabilities in consumer-grade tech can be leveraged for high-level cyberwarfare preparation.

Fact Checker Results ✅

The campaign is confirmed to be active as of March 2025

Over 9,000 ASUS routers are verified to be compromised

CVE-2023-39780 is officially documented as the exploited flaw


Prediction 🔮

As the groundwork for the AyySSHush botnet expands, we expect to see phase two of this campaign roll out within months. Likely outcomes include coordinated DDoS attacks, targeted surveillance of internet traffic, or leveraging the network for proxy-based cyber operations. Expect broader disclosures, possible attribution to a nation-state, and tighter scrutiny of router firmware security by mid-2025.

References:

Reported By: www.bleepingcomputer.com