
Network Security·Nation-State

Over 50,000 Asus Routers Hacked in ‘Operation WrtHug’

A Chinese threat actor is exploiting known vulnerabilities in discontinued Asus devices in an Operational Relay Box (ORB) facilitation campaign.

The post Over 50,000 Asus Routers Hacked in ‘Operation WrtHug’ appeared first on SecurityWeek.


A Chinese state-sponsored threat actor has compromised tens of thousands of Asus routers to establish a persistent network in support of global espionage campaigns, SecurityScorecard reports.

As part of the apparent Operational Relay Box (ORB) facilitation campaign, dubbed Operation WrtHug (PDF), the hackers exploited known vulnerabilities to compromise the routers’ AiCloud service, which enables users to access local storage from the internet.

The exploited bugs include CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, and CVE-2023-39780 (CVSS score of 8.8), which are high-severity command injection issues rooted in the insufficient filtering of special characters.

Additionally, the threat actor was seen exploiting two AiCloud service bugs, namely CVE-2024-12912, a high-severity command execution defect, and CVE-2025-2492, a critical-severity improper authentication control flaw.

On all compromised devices, mostly discontinued models, the hackers installed a shared, self-signed TLS certificate with a 100-year validity period starting in April 2022; because the same certificate appears on every infected router, it can be used as an indicator of compromise (IoC).
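The certificate trait described above is something a defender can check for directly. The following is an added example, not code from SecurityWeek or SecurityScorecard: it assesses an X.509 certificate for the combination reported in the article (self-signed plus a validity window of roughly 100 years, with a NotBefore in April 2022 noted as corroboration). The 99-year threshold, the `CheckHost` helper, the placeholder address and the sample certificates are all assumptions made for this example; the campaign's real certificate fingerprint is not given on the page, so the sample certificates are constructed locally rather than copied from the campaign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed threshold for this example: a validity window of 99+ years counts
// as "long-lived". The article reports the shared WrtHug certificate as
// valid for 100 years from April 2022.
const longLivedYears = 99

// Finding is the result of assessing one certificate.
type Finding struct {
	Suspicious bool     // true when the certificate matches the indicator profile
	Reasons    []string // traits observed, for the analyst's log
}

// AssessCert flags a certificate that is both self-signed and long-lived.
// A self-signed router certificate on its own is normal; the ~100-year
// lifetime is what makes the pairing stand out. A NotBefore in April 2022
// is recorded as corroboration but is not required to raise the flag.
func AssessCert(cert *x509.Certificate) Finding {
	var f Finding

	// Self-signed: issuer equals subject and the signature verifies under the
	// certificate's own key. CheckSignature (unlike CheckSignatureFrom) does
	// not require the certificate to carry the CA basic constraint.
	selfSigned := cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	if selfSigned {
		f.Reasons = append(f.Reasons, "self-signed")
	}

	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	longLived := lifetime >= time.Duration(longLivedYears)*365*24*time.Hour
	if longLived {
		f.Reasons = append(f.Reasons, fmt.Sprintf("validity window of ~%d years", int(lifetime.Hours()/24/365)))
	}

	if cert.NotBefore.Year() == 2022 && cert.NotBefore.Month() == time.April {
		f.Reasons = append(f.Reasons, "NotBefore in April 2022 (matches reported indicator)")
	}

	f.Suspicious = selfSigned && longLived
	return f
}

// CheckHost connects to addr (e.g. "192.0.2.1:443", a placeholder) and
// assesses the leaf certificate the server presents. Chain verification is
// skipped because a self-signed router certificate never chains to a CA;
// the certificate is only inspected, never trusted.
func CheckHost(addr string) (Finding, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return Finding{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return Finding{}, fmt.Errorf("no certificate presented by %s", addr)
	}
	return AssessCert(certs[0]), nil
}

// NewSampleSelfSigned builds a constructed self-signed certificate with the
// given validity window. It is test data for this example, not the
// certificate used in the campaign.
func NewSampleSelfSigned(notBefore time.Time, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "router.example"}, // placeholder name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample matching the reported profile: 100 years from April 2022.
	flagged, err := NewSampleSelfSigned(time.Date(2022, time.April, 1, 0, 0, 0, 0, time.UTC), 100)
	if err != nil {
		panic(err)
	}
	// Constructed benign sample: a typical one-year self-signed certificate.
	benign, err := NewSampleSelfSigned(time.Now(), 1)
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"flagged": flagged, "benign": benign} {
		f := AssessCert(c)
		fmt.Printf("%-8s suspicious=%v  %s\n", name, f.Suspicious, strings.Join(f.Reasons, "; "))
	}
}
```

Run it as-is to see the two constructed samples scored, or call `CheckHost` against the management address of a router you administer. The heuristic deliberately keys on the combination of traits rather than on a fingerprint, so it still works if the operators rotate the certificate but keep the same unusual lifetime; a match should be confirmed against the published indicators before treating a device as compromised.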

“Once the hackers compromise a device, it becomes part of a global network of infected routers. SecurityScorecard’s STRIKE team identified over 50,000 unique IP addresses belonging to these compromised devices over the last six months,” SecurityScorecard notes.

The largest share of the devices (between 30% and 50%) is in Taiwan, but the cybersecurity firm also identified clusters in the US, Russia, Southeast Asia, and Europe.

This is the second China-linked ORB operation targeting internet-accessible Asus routers, after the AyySSHush network was uncovered earlier this year.

“This campaign appears to be a part of a growing set of campaigns from China-linked hackers looking to quietly develop a massive network of infected devices they can use to establish persistent presence and remain hidden,” SecurityScorecard says.

The security firm has identified only seven IP addresses compromised in both the WrtHug and AyySSHush attacks. It believes the two could be a single, evolving campaign, or that the same threat actor is behind both, and does not rule out that they are operated by two groups coordinating their activities.

“For the time being, we lack substantial evidence beyond the shared vulnerability to support these speculations. We will continue to track Operation WrtHug as a separate campaign until such evidence arises,” the company notes.

All the vulnerabilities exploited in these campaigns have been patched and mainly affect outdated and discontinued models, including 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP.

Users are advised to apply patches for the exploited vulnerabilities as soon as possible or to replace older Asus router devices with newer, supported models.

Related: CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks

Related: Microsoft: Russia, China Increasingly Using AI to Escalate Cyberattacks on the US

Related: China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years

Related: Man Helped Individuals in China Get Jobs Involving Sensitive US Government Projects
