{"id":3580,"date":"2025-11-20T05:30:22","date_gmt":"2025-11-20T05:30:22","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/11\/20\/china-linked-operation-wrthug-hijacks-thousands-of-asus-routers\/"},"modified":"2025-11-20T05:30:22","modified_gmt":"2025-11-20T05:30:22","slug":"china-linked-operation-wrthug-hijacks-thousands-of-asus-routers","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/11\/20\/china-linked-operation-wrthug-hijacks-thousands-of-asus-routers\/","title":{"rendered":"China-Linked Operation \u201cWrtHug\u201d Hijacks Thousands of ASUS Routers"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new China-linked threat campaign has already compromised thousands of ASUS WRT routers around the world in a bid to build a new espionage network, SecurityScorecard has warned.<\/p>\n<p>The firm\u2019s STRIKE team claimed in a new report today that Operation \u201cWrtHug\u201d exploits six mainly legacy vulnerabilities in order to gain elevated privileges on end-of-life SOHO devices.<\/p>\n<p>The campaign uses these flaws \u2013 CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 \u2013 to exploit the ASUS AiCloud service and OS injection vulnerabilities and enable persistence, the report noted.<\/p>\n<p>Most of the infected devices also shared the same self-signed TLS certificate, which is valid for 100 years.<\/p>\n<p>\u201cThe STRIKE team first identified this global infrastructure campaign while researching a suspicious self-signed Transport Layer Security (TLS) certificate proliferating across thousands of devices with 
clusters of geographic targets,\u201d the report noted.<\/p>\n<p>\u201cThe campaign is not explicitly an ORB [operational relay box], but STRIKE assesses that it bears striking resemblance to other Chinese ORB and botnet operations.\u201d<\/p>\n<h2>China the Likely Culprit<\/h2>\n<p>One of these operations was \u201cAyySSHush,\u201d a China-linked operation which also exploited CVE-2023-39780 to target end-of-life ASUS routers. In fact, SecurityScorecard claimed the threat actors behind both may be the same entity, or at least collaborating.<\/p>\n<p>Up to 50% of the victims in Operation WrtHug are located in Taiwan, adding another reason to suspect Chinese adversaries. The report also pointed to seven IPs with signs of compromise in both Operation WrtHug and AyySSHush.<\/p>\n<p>\u201cDue to this noticeable alignment with previous TTPs in ORB campaigns from Chinese advanced persistent threat (APT) actors, as well as the geographical focus of the campaign, we assess with low-to-moderate confidence that Operation WrtHug is an ORB facilitation campaign from an unknown China-affiliated actor,\u201d the report explained.<\/p>\n<p>\u201cThis incident underscores the critical need for regular updates, vigilance against outdated services, and proactive monitoring to counter sophisticated, state-sponsored intrusion campaigns that continually evolve their tactics to achieve global espionage reach.\u201d<\/p>\n<p>SecurityScorecard security researcher Gilad Maizles added that the report also reveals a growing strategic interest among nation-state groups in using consumer infrastructure as staging points for attacks.<\/p>\n<p>\u201cOperation WrtHug is a case study in how nation-state actors are embedding themselves in consumer infrastructure to build stealthy, resilient, global espionage networks,\u201d he 
added.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new China-linked threat campaign has already compromised thousands of ASUS WRT routers around the world in a bid to build a new espionage network, SecurityScorecard has warned. The firm\u2019s STRIKE team claimed in a new report today that Operation \u201cWrtHug\u201d exploits six mainly legacy vulnerabilities in order to gain elevated privileges on end-of-life SOHO<\/p>\n","protected":false},"author":2,"featured_media":3581,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3580","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.or
g\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3580-a2a9b043-d225-4c30-8f00-128472f2fda1-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3580"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3580\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3581"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3580"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}