Close Menu
Cybercrime and Ransomware

New WrtHug Campaign Hijacks Thousands of End-of-Life ASUS Routers

Staff WriterBy No Comments4 Mins Read4 Views

Top Highlights

  1. Thousands of outdated ASUS WRT routers globally, primarily in Taiwan, Southeast Asia, Russia, Central Europe, and the US, have been hijacked in Operation WrtHug, exploiting six vulnerabilities, mainly through command injection flaws.
  2. The campaign uses a persistent malicious TLS certificate with a 100-year lifetime, replacing legitimate certificates in 50,000 infected devices, which are believed to serve as stealth relay nodes for Chinese hacking operations.
  3. Critical vulnerabilities like CVE-2025-2492, a severe flaw in ASUS routers, were exploited via the AiCloud service, with attackers deploying targeted intrusion techniques without updating device firmware.
  4. ASUS has released security patches for these vulnerabilities; affected users should upgrade firmware or replace unsupported devices, with the malware supporting potential future exploits through recent authentication bypass fixes.

Problem Explained

Over the past six months, a global cyber campaign called Operation WrtHug has targeted thousands of ASUS WRT routers, predominantly older or end-of-life models. The attackers exploited six known vulnerabilities—many involving command injection flaws—to infiltrate devices mainly located in Taiwan, Southeast Asia, Russia, Central Europe, and the United States, while notably avoiding Chinese networks. The compromised routers, such as the RT-AC1200HP or GT-AX11000, were not updated post-infection, leaving them vulnerable to further exploitation or use as clandestine relay nodes, potentially for espionage purposes. Researchers from SecurityScorecard’s STRIKE team identified roughly 50,000 infected IPs using a distinctive, long-lived self-signed TLS certificate issued in AiCloud services, indicating a coordinated effort likely linked to prior campaigns like AyySSHush, although attribution to a specific group remains uncertain.

The attack began by exploiting several critical vulnerabilities, including severe command injection flaws. Notably, one vulnerability (CVE-2025-2492) had a high severity score and was publicly warned about by ASUS earlier in April. The campaign appears to leverage the AiCloud service on these routers to deploy a stealthy intrusion network, potentially serving as covert command-and-control platforms, possibly for Chinese hacking operations. ASUS has released firmware updates to fix these security issues, urging affected users to upgrade or replace devices with unsupported models, as unpatched routers could become persistent targets for ongoing malicious activities. While the research hints at strategic use of these compromised devices, detailed post-infection activities remain undisclosed.

What’s at Stake?

The recent surge of the ‘New WrtHug’ campaign hijacking thousands of end-of-life ASUS routers underscores a pressing threat that could directly impact your business’s security and operations; as these compromised devices become gateways for malicious cyber activities, your company could face data breaches, service outages, or even costly disruptions if sensitive information is stolen or system controls are manipulated. This vulnerability is especially critical because many businesses rely on aging routers still in use, often lacking necessary security updates, which cybercriminals exploit to infiltrate internal networks. Such a breach could lead to significant financial losses, damage to your reputation, and operational downtime, emphasizing the urgent need to identify, update, or replace outdated networking hardware before malicious actors target your infrastructure.

Possible Actions

Timely remediation is crucial in addressing security threats like the ‘New WrtHug’ campaign hijacking thousands of end-of-life ASUS routers because delays can lead to increased vulnerability, data breaches, and widespread disruption. Acting swiftly helps minimize impact, restore secure operations, and prevent further exploitation.

Containment Measures

  • Isolate affected routers from the network to prevent lateral movement of malicious activity.

Update Firmware

  • Deploy official firmware updates to patch known vulnerabilities or disable compromised functionalities.

Access Control

  • Change default passwords, enforce strong authentication, and disable unnecessary remote access services.

Monitoring & Alerts

  • Implement continuous network monitoring for unusual traffic patterns and set up alert mechanisms for anomalies.

Device Retirement

  • Identify and remove end-of-life devices that no longer receive security updates to prevent further compromise.

User Education

  • Inform users about the risks and best practices for router security to enhance overall hygiene.

Vendor Coordination

  • Collaborate with ASUS or relevant vendors for guidance, patch releases, and support in mitigation efforts.

Stay Ahead in Cybersecurity

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.