New Wrthug Campaign Hijacks Thousands Of End-of-life Asus Routers

Thousands of ASUS WRT routers, mostly end-of-life or outdated devices, have been hijacked in a global campaign called Operation WrtHug that exploits six vulnerabilities.

Over the past six months, scanners looking for ASUS devices compromised in Operation WrtHug identified "roughly 50,000 unique IPs" around the globe.

Most of the compromised devices have IP addresses located in Taiwan, while others are distributed across Southeast Asia, Russia, Central Europe, and the United States.

Notably, there are no observed infections within China, which may indicate a threat actor from this country, but researchers found insufficient evidence for high-confidence attribution.

According to SecurityScorecard's STRIKE researchers, the targeting and attack methods suggest there may be a connection between Operation WrtHug and the AyySSHush campaign, first documented by GreyNoise in May.

The attacks begin with the exploitation of command injection flaws and other known vulnerabilities in ASUS WRT routers, mostly AC-series and AX-series devices.

According to STRIKE researchers, the WrtHug campaign may leverage the following security issues in attacks:

Of the vulnerabilities above, CVE-2025-2492 stands out as the only one with a critical severity score. A security advisory from ASUS in April warned about the severity of the flaw and that it could be triggered by a crafted request on routers that have the AiCloud feature enabled.

In a report today, SecurityScorecard says that "attackers seemingly leveraged the ASUS AiCloud service in this case to deploy a targeted global intrusion set."

An indicator of compromise for this campaign is a self-signed TLS certificate in the AiCloud service that, on 99% of the breached devices, replaced the standard certificate generated by ASUS. The replacement certificate stood out because it has a lifetime of 100 years, whereas the original is valid for only 10 years.
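The certificate-lifetime indicator above can be checked mechanically. The following is an added example, not code from the article or from SecurityScorecard: it builds two constructed self-signed certificates (a 10-year one standing in for the ASUS default and a 100-year one standing in for the replacement) and runs a checker that flags any certificate whose validity period is far longer than a router's factory certificate should be. The 20-year threshold, the hostname, and the `InspectCert`/`makeSelfSigned` names are assumptions for the example; a self-signed certificate on its own is normal for a home router, so only the lifetime drives the verdict.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The report states the factory-generated AiCloud certificate is valid for 10
// years. 20 years is an assumed threshold for "far longer than expected"; it is
// not a value from the report.
const maxSaneValidity = 20 * 365 * 24 * time.Hour

// Finding summarises what the checker observed about one certificate.
type Finding struct {
	SelfSigned    bool    // issuer == subject and the signature verifies under its own key
	ValidityYears float64 // NotAfter - NotBefore, in years
	Suspicious    bool    // validity period exceeds maxSaneValidity
}

// InspectCert applies the indicator from the report: a 100-year self-signed
// certificate where a 10-year one is expected. Self-signed alone is not
// suspicious for a router, so only the lifetime sets Suspicious.
func InspectCert(cert *x509.Certificate) Finding {
	var f Finding
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		f.SelfSigned = true
	}
	validity := cert.NotAfter.Sub(cert.NotBefore)
	f.ValidityYears = validity.Hours() / (24 * 365)
	f.Suspicious = validity > maxSaneValidity
	return f
}

// makeSelfSigned constructs sample input for the checker: a self-signed
// certificate with the given common name, valid for the given number of years.
// It exists only so the example runs offline; it is not how ASUS issues certificates.
func makeSelfSigned(cn string, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample certificates: the hostname is a placeholder, not an ASUS value.
	for _, years := range []int{10, 100} {
		cert, err := makeSelfSigned("asus-router.example", years)
		if err != nil {
			panic(err)
		}
		f := InspectCert(cert)
		fmt.Printf("%3d-year cert: self-signed=%v validity=%.1fy suspicious=%v\n",
			years, f.SelfSigned, f.ValidityYears, f.Suspicious)
	}
}
```

In practice the certificate would come from a TLS handshake against the router's AiCloud port or from a PCAP; `InspectCert` takes an `*x509.Certificate` so either source works once parsed with `x509.ParseCertificate`.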
