WrtHug’s Silent Siege: How Hackers Built a Global Router Empire

Operation WrtHug has hijacked tens of thousands of outdated ASUS routers worldwide, exploiting six vulnerabilities to create a persistent network for potential espionage. Linked to Chinese actors, it highlights risks of end-of-life devices. Users must update or replace hardware to mitigate threats.
Written by Andrew Cain

In the shadowy underbelly of global cybersecurity, a sophisticated campaign dubbed Operation WrtHug has silently commandeered tens of thousands of outdated ASUS routers, transforming them into a sprawling, hidden network. Discovered by SecurityScorecard’s STRIKE team, this operation exploits six known vulnerabilities in end-of-life (EoL) devices, primarily affecting regions like Taiwan, the U.S., and Russia, with ripples extending to Southeast Asia and Europe.

Over the past six months, researchers have identified more than 50,000 unique IP addresses linked to these compromised routers. Each infected device shares a peculiar self-signed TLS certificate with a 100-year expiration date starting from April 2022, a hallmark that has raised alarms across the industry. According to The Hacker News, 99% of these services are tied to ASUS’s proprietary AiCloud feature, which allows remote access to local storage but has become a vector for high-privilege exploits.
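A defender's triage check for the certificate hallmark just described, written as an added example rather than anything from SecurityScorecard's report: it takes the text that `openssl x509 -noout -dates -subject -issuer` prints for a router's TLS certificate and flags a self-signed certificate whose validity starts in April 2022 and runs for about 100 years. The sample certificate text is constructed (the subject and issuer strings are placeholders, since the article gives none), and the 99-year threshold is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates -subject -issuer` output.
# Subject/issuer values are placeholders, not taken from a real device.
SAMPLE_SUSPICIOUS = """\
notBefore=Apr 18 02:05:12 2022 GMT
notAfter=Apr 18 02:05:12 2122 GMT
subject=C = TW, O = ASUS, CN = router
issuer=C = TW, O = ASUS, CN = router
"""

SAMPLE_BENIGN = """\
notBefore=Jan  5 00:00:00 2025 GMT
notAfter=Apr  5 00:00:00 2025 GMT
subject=CN = home.example
issuer=C = US, O = Example CA, CN = Example Issuing CA
"""

def parse_openssl_fields(text):
    """Split 'key=value' lines; convert notBefore/notAfter to aware datetimes."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    for key in ("notBefore", "notAfter"):
        # openssl pads single-digit days ("Jan  5") and appends the zone name;
        # collapse the padding and drop the trailing "GMT" before parsing.
        stamp = " ".join(fields[key].split()).rsplit(" ", 1)[0]
        fields[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return fields

def wrthug_cert_indicators(fields):
    """Return the list of hallmark traits present in the parsed certificate."""
    hits = []
    not_before, not_after = fields["notBefore"], fields["notAfter"]
    if fields["subject"] == fields["issuer"]:
        hits.append("self-signed")
    if not_before.year == 2022 and not_before.month == 4:
        hits.append("notBefore in April 2022")
    years = (not_after - not_before).days / 365.25
    if years >= 99:  # assumed threshold for "100-year" validity
        hits.append(f"validity ~{years:.0f} years")
    return hits

def is_suspicious(text):
    """True only when all three hallmark traits are present together."""
    return len(wrthug_cert_indicators(parse_openssl_fields(text))) == 3
```

Any single trait on its own is weak evidence; self-signed certificates are normal on home routers, so only the combination of all three is worth escalating.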

Unveiling the Exploitation Chain

The attackers chain command injections and authentication bypasses to deploy persistent backdoors via SSH, often leveraging legitimate router features to survive reboots and firmware updates. SecurityScorecard notes that the campaign bears similarities to China-linked Operational Relay Boxes (ORBs) and botnets, though it isn’t classified as one outright. “It leverages the proprietary AiCloud service with n-day vulnerabilities in order to gain high privileges on End-Of-Life ASUS WRT routers,” the company stated in its report shared with The Hacker News.

Six specific vulnerabilities are at play: CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, and CVE-2024-12912, with an additional mention of CVE-2025-2492 in related analyses. Notably, CVE-2023-39780 overlaps with another Chinese-origin botnet called AyySSHush, also known as ViciousTrap. Seven IP addresses show signs of compromise by both WrtHug and AyySSHush, hinting at potential connections, though evidence remains circumstantial.

Targeted Models and Geographic Spread

The list of vulnerable ASUS models includes the Wireless Router 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP. These are predominantly EoL devices, meaning they no longer receive security patches, making them prime targets for such campaigns. BleepingComputer reports that thousands of these routers have been hijacked globally, with a focus on outdated hardware.

Infections are most prevalent in Taiwan, the U.S., and Russia, but MalwareTips Forums highlights extensions to Southeast Asia and Europe. This geographic pattern, combined with tactical overlaps, points to a possible China-affiliated actor, as suggested by SecurityScorecard. “This research highlights the growing trend of malicious threat actors targeting routers and other network devices in mass infection operations,” the firm emphasized, noting these are commonly linked to China Nexus actors.

Echoes of Past Campaigns and ORB Networks

Operation WrtHug echoes other router-targeting efforts, such as LapDogs and PolarEdge, which have also exploited similar flaws in recent months. Posts on X from The Hacker News describe how hackers used six known bugs to build this massive hidden network, still active as of November 19, 2025, with each router bearing that anomalous 100-year certificate.

Comparisons to ORBs are apt; these networks serve as covert relays for espionage. While not explicitly an ORB, WrtHug’s methods—careful proliferation and deep entrenchment—mirror those seen in Chinese state-sponsored operations. IT Pro reports that researchers believe WrtHug is carried out by Chinese state-sponsored hackers, targeting thousands of routers in a cyber espionage campaign.

ASUS’s Response and Industry Warnings

ASUS has acknowledged router vulnerabilities in past statements. In a June 4, 2025, official response on their website, the company addressed media reports on exploit attempts, urging users to update firmware and enable security features. However, for EoL models, no fixes are forthcoming, leaving owners vulnerable.

Tom’s Guide advises users to check for firmware updates, change default passwords, disable remote access like AiCloud if unused, and consider replacing EoL devices. Security experts warn that such campaigns lay groundwork for stealthy espionage, with The Register noting attacks on over 50,000 more ASUS routers by an evolving Beijing-linked operation.

The Broader Implications for Network Security

Beyond immediate infections, WrtHug underscores a systemic issue: the proliferation of unpatched IoT devices in critical networks. Infosecurity Magazine links the campaign to Chinese actors hijacking thousands of routers globally, emphasizing the risks to home and enterprise users alike.

Industry insiders point to the need for better lifecycle management of network hardware. “By chaining command injections and authentication bypasses, threat actors have managed to deploy persistent backdoors via SSH,” SecurityScorecard explained, highlighting how attackers abuse features to maintain presence. This persistence allows for data exfiltration, traffic rerouting, or further malware deployment.

Defensive Strategies and Future Outlook

To mitigate risks, experts recommend network segmentation, regular vulnerability scanning, and adopting zero-trust models for IoT devices. SecurityBrief details how the campaign exploits outdated software, primarily in Taiwan, for covert spying.

Looking ahead, as router hijackings rise, regulatory bodies may push for stricter IoT security standards. BankInfoSecurity reports suspected Chinese cyberespionage hackers commandeering tens of thousands of ASUS routers, with a heavy emphasis on devices in strategic locations. The operation’s scale suggests it’s just the tip of a larger iceberg in state-sponsored cyber activities.

Expert Insights and Ongoing Threats

Quotes from recent X posts by The Hacker News warn of the active threat: “Hackers just took over tens of thousands of old ASUS routers around the world. They used six known bugs to build a massive hidden network — still active right now.” This sentiment echoes across platforms, with calls for immediate action.

SecurityScorecard’s analysis concludes that these campaigns are executed “in a careful and calculated manner to expand and deepen their global reach.” As threats evolve, staying ahead requires vigilance, timely patches, and a proactive stance against the silent sieges of our digital infrastructure.
