Full Report
A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have
Analysis Summary
# Incident Report: Operation WrtHug Router Hijacking Campaign
## Executive Summary
Operation WrtHug is a large-scale campaign discovered by SecurityScorecard's STRIKE team that has compromised tens of thousands of outdated or End-of-Life (EoL) ASUS routers globally. The attackers leveraged at least six known vulnerabilities, primarily targeting the proprietary ASUS AiCloud service, to establish persistence and enlist the devices into a massive botnet network. The primary impact lies in the formation of an extensive network of compromised IoT devices, with major concentrations observed in Taiwan, the U.S., and Russia.
## Incident Details
- **Discovery Date:** Undisclosed (Reported November 19, 2025)
- **Incident Date:** Ongoing at time of reporting
- **Affected Organization:** Global users of specific, outdated ASUS router models
- **Sector:** General Internet Infrastructure/Consumer/SOHO
- **Geography:** Worldwide, predominantly Taiwan, U.S., and Russia, with infections also noted in Southeast Asia and Europe.
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-discovery, ongoing.
- **Vector:** Exploitation of known, unpatched vulnerabilities (CVEs) in ASUS WRT firmware.
- **Details:** Attackers chain command injections and authentication bypasses against the proprietary AiCloud service on EoL ASUS routers. Six specific CVEs are implicated in the proliferation.
### Lateral Movement
- **Date/Time:** Post-initial compromise.
- **Vector:** Not explicitly detailed as lateral movement *between* user networks, but focused on persistence *on* the compromised device.
- **Details:** Attackers likely leverage high privileges obtained via AiCloud exploitation to deploy backdoors.
### Data Exfiltration/Impact
- **Date/Time:** Post-persistence establishment.
- **Impact:** Routers are roped into a massive network, similar to an Operational Relay Box (ORB) network.
### Detection & Response
- **Date/Time:** Detected by SecurityScorecard's STRIKE team.
- **Details:** Discovery was made by analyzing devices presenting a unique self-signed TLS certificate set to expire 100 years after its April 2022 issuance, a certificate frequently associated with the ASUS AiCloud service.
- **Response Actions:** SecurityScorecard published findings to alert the ecosystem. No specific remediation actions by the affected parties were detailed based solely on this article.
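The certificate pattern described under Detection & Response, as an added example that is not from the SecurityScorecard report: a Go check that flags a self-signed certificate whose NotBefore falls in April 2022 and whose NotAfter is roughly 100 years later. The sample certificate, its placeholder CommonName and the one-year tolerance are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed test certificate (placeholder CN).
func makeSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "placeholder-router"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchesWrtHugCertPattern flags the reported indicator: a self-signed certificate
// issued in April 2022 and valid ~100 years (the +/-1 year tolerance is assumed).
func MatchesWrtHugCertPattern(c *x509.Certificate) bool {
	selfSigned := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	start := c.NotBefore.UTC()
	inApril2022 := start.Year() == 2022 && start.Month() == time.April
	years := c.NotAfter.Sub(c.NotBefore).Hours() / (24 * 365.25)
	return selfSigned && inApril2022 && years > 99 && years < 101
}

func main() {
	start := time.Date(2022, time.April, 15, 0, 0, 0, 0, time.UTC)
	c, err := makeSelfSigned(start, start.AddDate(100, 0, 0))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("matches WrtHug certificate pattern:", MatchesWrtHugCertPattern(c))
}
```

On real captures, pass the DER from a TLS handshake to x509.ParseCertificate and run the same check.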
## Attack Methodology
- **Initial Access:** Exploitation of six known vulnerabilities (ranging from CVE-2023-41345 to CVE-2025-2492) via command injection and authentication bypass targeting the ASUS AiCloud service.
- **Persistence:** Deployment of persistent backdoors, often abusing legitimate router features to survive reboots or firmware updates.
- **Privilege Escalation:** Achieved high privileges due to the nature of the targeted service vulnerabilities.
- **Defense Evasion:** Abusing legitimate router features for persistence.
- **Credential Access:** Not explicitly detailed in the article.
- **Discovery:** Implied reconnaissance to identify susceptible ASUS models utilizing the vulnerable AiCloud service.
- **Lateral Movement:** Primarily focused on maximizing hosts within the targeted EoL devices, not traversing enterprise environments.
- **Collection:** Not explicitly detailed; the focus is on botnet enrollment.
- **Exfiltration:** Not explicitly detailed; the primary impact is establishing control infrastructure.
- **Impact:** Inclusion of tens of thousands of compromised devices into a global ORB-like botnet.
## Impact Assessment
- **Financial:** Not quantified, but significant due to the scale of the compromised devices.
- **Data Breach:** Not the primary goal; impact is resource utilization and network hijacking.
- **Operational:** Compromised routers are functionally hijacked, potentially leading to traffic forwarding, DDoS participation, or use as proxies.
- **Reputational:** Negative impact on ASUS users due to the exploitation of EoL devices vulnerable through proprietary services.
## Indicators of Compromise
- **Network Indicators (Defanged):** None explicitly provided (identification requires querying traffic that matches the described TTPs).
- **File Indicators:** Backdoors deployed via SSH, leveraging legitimate router features.
- **Behavioral Indicators:** Presence of a unique self-signed TLS certificate associated with ASUS AiCloud.
## Response Actions
- **Containment Measures:** Not specified in the provided context; containment likely requires isolating or updating affected routers.
- **Eradication Steps:** Not specified, but would involve removing persistent backdoors.
- **Recovery Actions:** Flashing clean, updated firmware (if available) or replacing EoL hardware.
## Lessons Learned
- **Key Takeaways:** Threat actors are increasingly targeting EoL/outdated network infrastructure (routers) for mass infection operations (ORBs). Proprietary services like AiCloud present significant attack surfaces when not maintained.
- **What could have been done better:** ASUS users needed to patch or replace their EoL WRT routers, highlighting the danger of running unsupported firmware.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Immediately retire or replace End-of-Life (EoL) networking hardware, especially those utilizing proprietary, internet-facing control services.
2. Disable or remove unnecessary proprietary services (like AiCloud) on routers if they are exposed to the internet.
3. Security researchers and vendors should monitor for overlaps between botnet campaigns (e.g., WrtHug and AyySSHush noted overlap in target exploitation).