
China-Linked Operation “WrtHug” Hijacks Thousands of ASUS Routers

By Team-CWD, November 19, 2025


A new China-linked threat campaign has already compromised thousands of ASUS WRT routers around the world in a bid to build a new espionage network, SecurityScorecard has warned.

The firm’s STRIKE team claimed in a new report today that Operation “WrtHug” exploits six mainly legacy vulnerabilities in order to gain elevated privileges on end-of-life SOHO devices.

These flaws – CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 – involve the ASUS AiCloud service and OS injection vulnerabilities, and are exploited to enable persistence, the report noted.

Most of the infected devices also shared the same self-signed TLS certificate, which has an expiration period of 100 years.

“The STRIKE team first identified this global infrastructure campaign while researching a suspicious self-signed Transport Layer Security (TLS) certificate proliferating across thousands of devices with clusters of geographic targets,” the report noted.

“The campaign is not explicitly an ORB [operational relay box], but STRIKE assesses that it bears striking resemblance to other Chinese ORB and botnet operations.”
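As an added example (not code from SecurityScorecard's report or from this article), the shell functions below triage a PEM certificate for the two traits described above: self-signed and an unusually long lifetime. The 10-year threshold, the function names and the generated sample certificate are assumptions for illustration; the fingerprint of the certificate seen in the campaign is not given on this page, so this is a heuristic rather than an indicator match.

```shell
#!/usr/bin/env bash
# Added example: flag certificates that are both self-issued and long-lived.
# MAX_YEARS and all function names are assumptions chosen for illustration.
MAX_YEARS="${MAX_YEARS:-10}"

# Name-based check: a self-signed certificate lists itself as its own issuer.
is_self_issued() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
  # Strip the "subject=" / "issuer=" label before comparing the names.
  [ "${subj#*=}" = "${iss#*=}" ]
}

# True when the certificate will still be valid MAX_YEARS from now.
outlives_threshold() {
  openssl x509 -in "$1" -noout \
    -checkend $(( MAX_YEARS * 365 * 86400 )) >/dev/null
}

# Prints one verdict word for the given PEM file.
triage_cert() {
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    echo "unreadable"   # not a parseable certificate
  elif is_self_issued "$1" && outlives_threshold "$1"; then
    echo "review"       # both traits present: inspect the device
  else
    echo "ok"
  fi
}

# Generates a throwaway self-signed certificate (constructed sample data).
# usage: make_sample_cert OUT.pem DAYS
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=sample-router.invalid" -days "$2" -out "$1" 2>/dev/null
}
```

To check a device you administer, save its certificate first, for example with `openssl s_client -connect <router-address>:443 </dev/null | openssl x509 -out router.pem`, then run `triage_cert router.pem`. A "review" verdict only means the certificate deserves a closer look, since many routers ship with legitimate self-signed certificates.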

China the Likely Culprit

One of these operations was “AyySSHush,” a China-linked operation which also exploited CVE-2023-39780 to target end-of-life ASUS routers. In fact, SecurityScorecard claimed the threat actors behind both may be either the same entity, or at least collaborating.

Read more on ASUS threats: Thousands of ASUS Routers Hijacked in Stealthy Backdoor Campaign

Up to 50% of the victims in Operation WrtHug are located in Taiwan, adding another reason to suspect Chinese adversaries. The report also pointed to seven IPs with signs of compromise in both Operation WrtHug and AyySSHush.

“Due to this noticeable alignment with previous TTPs in ORB campaigns from Chinese advanced persistent threat (APT) actors, as well as the geographical focus of the campaign, we assess with low-to-moderate confidence that Operation WrtHug is an ORB facilitation campaign from an unknown China-affiliated actor,” the report explained.

“This incident underscores the critical need for regular updates, vigilance against outdated services, and proactive monitoring to counter sophisticated, state-sponsored intrusion campaigns that continually evolve their tactics to achieve global espionage reach.”

SecurityScorecard security researcher Gilad Maizles added that the report also reveals a growing strategic interest from nation-state groups in using consumer infrastructure as staging points for attacks.

“Operation WrtHug is a case study in how nation-state actors are embedding themselves in consumer infrastructure to build stealthy, resilient, global espionage networks,” he added.


