WrtHug Hijacks EoL ASUS Routers at Scale — What Network Owners Need to Know

SecurityScorecard’s STRIKE team has uncovered Operation WrtHug, a large‑scale campaign that has seized tens of thousands of end‑of‑life ASUS WRT routers worldwide by chaining several known vulnerabilities in the vendor’s AiCloud management surface. The infections—most concentrated in Taiwan, the U.S., and Russia—give attackers persistent admin control over routers, turning them into a global infrastructure for further abuse: proxying, credential harvesting, lateral access, DDoS, or inclusion in larger botnet ecosystems.

Why this matters

  • Router compromises are stealthy and high‑impact: attackers control the network edge, enabling traffic interception, persistence across reboots, and injection of malicious configuration.
  • Scale and geographic spread increase collateral risk: tens of thousands of devices mean widespread opportunity for abuse—abuse that can affect consumers, branch offices, and small enterprise sites.
  • EoL devices lack vendor support: these routers do not receive regular security updates, so known vulnerabilities remain exploitable indefinitely unless operators act.

Technical summary of the campaign

  • Attack vector: The campaign chains documented ASUS WRT vulnerabilities (including CVE‑2023‑41345, CVE‑2023‑41346, CVE‑2023‑41347, CVE‑2023‑41348, CVE‑2024‑12912, CVE‑2025‑2492 and others) against the AiCloud service, combining authentication bypass, path traversal, and command injection to obtain code execution as root on the router without valid credentials.
  • Indicators and persistence: Infected devices present a shared self‑signed TLS certificate on the management interface (valid for 100 years, starting April 2022), which is the campaign's most reliable fingerprint; the actors also add persistent SSH access and configuration changes that survive reboots.
  • Operational behavior: The threat actor adds admin accounts, modifies device configuration, and most likely uses the compromised routers as proxy nodes (an operational relay box, or ORB, network) or as staging for other campaigns; overlap with the AyySSHush campaign was observed on a small set of shared IPs.
  • Target list: The campaign hits a broad set of ASUS WRT models, notably older consumer and small‑business devices (GT‑AX11000, GT‑AC5300, RT‑AC1200HP, DSL‑AC68U, 4G‑AC55U, 4G‑AC860U, among others).

Immediate actions (0–48 hours)

  1. Inventory and prioritize
    • Identify all ASUS WRT devices on your networks, including branch/remote units and embedded home gateways used by staff. Record model and firmware version.
  2. Isolate exposed devices
    • Block management access to routers from the internet: disable WAN‑side web/SSH administration and AiCloud remote access, move any remaining management behind a VPN or bastion host, and restrict admin access to trusted source IPs.
  3. Patch or replace where possible
    • If a vendor patch exists for your model, apply it immediately. For EoL models with no vendor fixes, plan replacement with supported hardware as a priority.
  4. Rotate credentials and keys
    • Reset device admin passwords, revoke any suspected SSH keys, and reissue certificates from a trusted CA if device controls allow.
  5. Hunt for indicators of compromise
    • Search router TLS ports for the shared self‑signed certificate, and review logs for unusual inbound SSH sessions, unexpected DNS changes, new admin accounts, or outbound traffic patterns consistent with proxying.

Detection and hunting guidance

  • Network indicators
    • Services presenting the long‑lived self‑signed ASUS AiCloud certificate; unusual inbound TCP connections to router management ports; high volumes of proxied outbound connections from home/branch IPs.
  • Host/management indicators
    • Unexpected user accounts, new SSH keys, altered NAT/DNS/port‑forwarding rules, disabled security features, or unfamiliar scheduled tasks/configuration files.
  • Behavioural patterns
    • Intermittent proxying or tunneling activity, HTTP request modification, DNS hijacks, or sudden spikes in outbound traffic by devices that normally serve small user counts.
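The host/management indicators above map to a handful of nvram variables on ASUS WRT firmware. The following is an added example (not code from this page or from SecurityScorecard) that parses a captured `nvram show` dump and reports findings. The variable names (misc_http_x, sshd_wan, sshd_authkeys, enable_webdav, vts_rulelist, wan0_dns) are assumed from common AsusWRT builds and should be confirmed on your own model; the dump and the SSH keys in it are constructed.

```python
# Added example: triage an AsusWRT 'nvram show' dump for the host-side indicators above.
# Variable names are assumptions (confirm with 'nvram show' on your model); data is constructed.
import re

_OPS_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ1aWx0LWZvci1kZW1vLW9ubHktbm90LWEta2V5"
KNOWN_ADMIN_KEYS = {_OPS_KEY}        # public keys your team actually provisioned (placeholder)

SAMPLE_NVRAM = f"""\
http_username=admin
misc_http_x=1
misc_httpsport=8443
sshd_enable=1
sshd_wan=1
sshd_port=2222
sshd_authkeys={_OPS_KEY} ops@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkZXhhbXBsZS1vbmx5LW5vdC1hLXJlYWwta2V5 unknown@remote
enable_webdav=1
webdav_proxy=1
vts_enable_x=1
vts_rulelist=<relay>2222>192.168.50.1>22>TCP>
wan0_dns=203.0.113.53 203.0.113.54
wan_dnsenable_x=0
"""

_KV = re.compile(r"^([A-Za-z0-9_.:-]+)=(.*)$")

def parse_nvram(text):
    """Parse key=value lines. A line that does not start a new variable is a continuation
    of the previous value (sshd_authkeys stores one authorized key per line)."""
    vars_, last = {}, None
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            last = m.group(1)
            vars_[last] = m.group(2)
        elif last is not None:
            vars_[last] += "\n" + line
    return vars_

def audit_nvram(vars_, expected_dns=(), known_keys=frozenset(), admins=("admin",)):
    """Return (code, detail) findings for the indicators in the hunting guidance."""
    g = vars_.get
    findings = []
    if g("http_username", "") not in admins:
        findings.append(("ADMIN_USER", f"unexpected web admin user {g('http_username')!r}"))
    if g("misc_http_x") == "1":
        port = g("misc_httpsport") or g("misc_httpport") or "?"
        findings.append(("WEB_WAN", f"web UI reachable from WAN on port {port}"))
    if g("sshd_enable") == "1" and g("sshd_wan") == "1":
        findings.append(("SSH_WAN", f"SSH reachable from WAN on port {g('sshd_port', '22')}"))
    for line in g("sshd_authkeys", "").splitlines():
        parts = line.split()             # key type, base64 blob, optional comment
        if len(parts) >= 2 and " ".join(parts[:2]) not in known_keys:
            findings.append(("SSH_KEY", f"unrecognised authorized key {parts[-1]}"))
    if g("enable_webdav") == "1":
        findings.append(("AICLOUD", "AiCloud/WebDAV service enabled"))
    for rule in filter(None, g("vts_rulelist", "").split("<")):
        findings.append(("PORT_FWD", f"port-forward rule {rule}"))
    unexpected = set(g("wan0_dns", "").split()) - set(expected_dns)
    if expected_dns and unexpected:
        findings.append(("DNS", "WAN DNS not on allow-list: " + ", ".join(sorted(unexpected))))
    return findings

if __name__ == "__main__":
    for code, detail in audit_nvram(parse_nvram(SAMPLE_NVRAM), ("9.9.9.9",), KNOWN_ADMIN_KEYS):
        print(f"[{code}] {detail}")
```

Feed it the output of `nvram show` collected over SSH or the serial console and keep the raw dump as evidence before touching anything. The continuation‑line handling matters: a naive `split("=")` per line drops every authorized key after the first, which is exactly the key an attacker adds.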

Remediation and recovery

  1. Preserve evidence: collect config snapshots, certificate dumps, and syslogs before making changes.
  2. Rebuild vs. remediate: for confirmed compromise, prefer factory reset and re‑provision from known‑good configuration or replace device entirely rather than partial cleanup.
  3. Harden after restore: apply secure admin passwords, disable remote management unless required, enforce management over VPN, and install vendor firmware or supported replacements.
  4. Network controls: implement egress filtering, DNS controls, and proxying to detect and block malicious outbound flows from compromised devices.
  5. Monitor post‑recovery: maintain heightened telemetry for 30–90 days to detect re‑infections or lateral follow‑on activity.

Longer‑term mitigations and strategy

  • Asset lifecycle management: add router lifecycle checks to inventory and replace unsupported devices proactively.
  • Management‑plane segregation: place all device management on a dedicated management network with MFA, jump hosts, and strict ACLs.
  • Secure defaults and posture: disable vendor cloud features (AiCloud or similar) unless required; require authentication and mTLS for any remote management APIs.
  • Network segmentation: isolate IoT/edge devices from critical corporate networks and data stores; use microsegmentation for branch/remote sites.
  • Vendor and supply governance: require vendor security SLAs and timely EoL notifications; prefer appliances with clear patching timelines or managed services.
  • Threat intel sharing: subscribe to feeds for ORB/routers‑targeting botnets, block IoCs and collaborate with ISPs for takedown when feasible.

Final thought

Operation WrtHug highlights a persistent truth: devices designed for trusted, internal networks become critical attack surfaces when left exposed on the internet and unsupported. The fastest effective defenses are inventory and isolation—know every edge device you operate, shrink its attack surface, and replace EoL kit. Treat router management like any other critical system: segmented, monitored, and maintained on a defined lifecycle.
