China-Linked Operation “WrtHug” Hijacks Thousands of ASUS Routers
Summary:
Operation WrtHug is a large-scale, ongoing compromise of ASUS WRT routers, uncovered by SecurityScorecard’s STRIKE team. The campaign affects thousands of devices globally, with the heaviest concentration in Taiwan, followed by Southeast Asia, Russia, central Europe, and the United States. Attackers exclusively target end-of-life or outdated ASUS routers, exploiting six known vulnerabilities (CVE-2023-41345/41346/41347/41348, CVE-2024-12912, CVE-2025-2492). The intrusion is identifiable by a unique self-signed TLS certificate, shared across all compromised devices, with an extremely unusual 100-year expiration, strongly suggesting centralized deployment. The attackers primarily abuse the AiCloud remote-access service, leveraging OS command-injection flaws to obtain high privileges.
The targeting pattern, exploitation of CVE-2023-39780-linked vulnerabilities, and geographic focus closely resemble previous China-nexus ORB (Operational Relay Box) campaigns, particularly AyySSHush. While attribution remains unconfirmed, STRIKE assesses the campaign likely aligns with China-affiliated infrastructure-building operations that repurpose SOHO devices for espionage support.
Security Officer Comments:
Operation WrtHug reflects a continuation of a broader strategic shift toward mass exploitation of consumer and SOHO routers as persistent, low-visibility infrastructure for espionage and operational relay. The use of a shared, 100-year TLS certificate suggests deliberate attempts to standardize and easily track or manage compromised nodes, behavior consistent with ORB-style asset management seen in earlier China-nexus operations. The strong geographic bias toward Taiwan reinforces the likelihood of a state-aligned objective rather than opportunistic botnet behavior. The overlap in exploited vulnerabilities with AyySSHush, along with the absence of post-exploitation hardening, implies either coordinated actors or parallel campaigns drawing from shared tooling.
Suggested Corrections:
- Replace or retire all EoL ASUS WRT routers. These devices cannot be secured and are the primary targets.
- Apply the latest ASUS firmware on supported models; all WrtHug CVEs have official patches.
- Disable AiCloud and remote administration unless absolutely required.
- Block WAN access to router management interfaces; restrict SSH/HTTPS to internal networks only.
- Monitor for the WrtHug TLS certificate (the shared self-signed certificate with a 100-year validity period) on exposed ASUS devices.
- Watch for unusual certificate/key changes on ASUS devices as early compromise indicators.
- Segment SOHO/IoT devices onto their own network to limit lateral movement.
- Reset and re-image compromised devices, then replace if patches cannot be applied.
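A defender-side check for the certificate indicator described in the summary and in the monitoring items above, as an added example that is not from SecurityScorecard or the article: it flags a router certificate that is self-signed and valid for decades, the pattern the report attributes to WrtHug, and emits a SHA-256 fingerprint so the same certificate can be correlated across devices. The 30-year threshold and the two constructed test certificates are assumptions; the real WrtHug certificate fingerprint is not given on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Finding records why a router certificate does or does not match the WrtHug pattern.
type Finding struct {
	SelfSigned  bool
	ValidYears  float64
	Fingerprint string // SHA-256 of the DER certificate, for correlating devices
	Suspicious  bool
}

// InspectCert flags a certificate that is self-signed (it verifies under its own key) and valid
// for decades, as the report describes for WrtHug; the 30-year threshold is an assumption.
func InspectCert(cert *x509.Certificate) Finding {
	years := cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
	selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	sum := sha256.Sum256(cert.Raw)
	return Finding{SelfSigned: selfSigned, ValidYears: years, Fingerprint: hex.EncodeToString(sum[:]), Suspicious: selfSigned && years >= 30}
}

// makeSelfSigned builds a constructed test certificate; it is not a real WrtHug artifact.
func makeSelfSigned(lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now,
		NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	// One-year cert (typical factory default) beside a century-long one (the WrtHug anomaly).
	for _, life := range []time.Duration{365 * 24 * time.Hour, 100 * 365 * 24 * time.Hour} {
		c, err := makeSelfSigned(life)
		if err != nil { panic(err) }
		fmt.Printf("%+v\n", InspectCert(c))
	}
}
```

In practice the certificate would be pulled from the router's HTTPS or AiCloud listener (for example via a TLS handshake) and passed to InspectCert; a Suspicious result or a fingerprint recurring across unrelated devices warrants the reset-and-re-image step above.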
https://www.infosecurity-magazine.com/news/chinal-operation-wrthug-thousands/