Massive Asus Router Hack: China-Linked ‘Operation WrtHug’ Compromises Over 50,000 Devices Worldwide


SecurityScorecard reveals large-scale exploitation of outdated Asus routers in a new global espionage campaign linked to Chinese state-sponsored threat actors.

A newly uncovered Asus router hack has compromised more than 50,000 devices worldwide, forming a massive, persistent network used to support Chinese state-linked espionage operations.

According to a detailed investigation by cybersecurity firm SecurityScorecard, the large-scale intrusion named Operation WrtHug appears to be part of an expanding series of cyber campaigns designed to establish hidden, long-term infrastructure using vulnerable consumer and small office routers.

SecurityScorecard’s researchers attribute the activity to a China-backed threat actor that targeted internet-exposed Asus routers running the company’s AiCloud remote-access service.

By exploiting several publicly known vulnerabilities, the hackers were able to gain administrative access, implant persistent certificates, and quietly fold tens of thousands of routers into a globally distributed network.

The operation centers around multiple high-severity command injection vulnerabilities, including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, and CVE-2023-39780, each carrying a CVSS score of 8.8. These flaws are rooted in insufficient sanitization of special characters within AiCloud, enabling attackers to execute arbitrary commands on targeted devices.

In addition, the threat group was observed exploiting two further AiCloud bugs:

  • CVE-2024-12912, a command execution issue rated high-severity, and
  • CVE-2025-2492, a critical flaw involving improper authentication controls.

Once the intrusions were successful, the attackers installed a self-signed TLS certificate valid for 100 years from April 2022. This certificate was deployed across all compromised routers, mostly older or discontinued models, and now serves as a clear indicator of compromise (IoC) for defenders and network analysts.
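Added example, not code from the article or from SecurityScorecard's report: a standard-library Python check that reads notBefore/notAfter out of a DER-encoded certificate and flags the reported pattern (issued April 2022, roughly 100-year lifetime). The sample certificate, its CN and the 12 April date are constructed for the demonstration.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value, offset past it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime carries a two-digit year; RFC 5280 pivots at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):  # Certificate -> tbsCertificate -> validity -> (notBefore, notAfter)
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)  # [0] EXPLICIT version when present, else serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)  # serialNumber
    _, _, pos = _tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)  # issuer Name
    _, validity, _ = _tlv(tbs, pos)
    t1, v1, pos = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, pos)
    return _asn1_time(t1, v1), _asn1_time(t2, v2)

def matches_wrthug_pattern(not_before, not_after):
    """Reported IoC: certificate issued in April 2022 with a ~100-year lifetime."""
    century = (not_after - not_before).days >= 99 * 365
    return century and (not_before.year, not_before.month) == (2022, 4)

def _der(tag, content):  # minimal DER encoder, used only for the constructed sample below
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    n = (len(content).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(content).to_bytes(n, "big") + content

def build_sample_cert(not_before, not_after):  # constructed self-signed skeleton, dummy signature
    def t(iso):  # UTCTime before 2050, GeneralizedTime from 2050 on (RFC 5280)
        d = datetime.fromisoformat(iso)
        fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if d.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
        return _der(tag, d.strftime(fmt).encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"router"))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
           + _der(0x30, t(not_before) + t(not_after)) + name + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 33))
```

To run this against a router you administer, `ssl.get_server_certificate((host, port))` followed by `ssl.PEM_cert_to_DER_cert(pem)` from the standard library yields the DER bytes that `cert_validity` expects.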

SecurityScorecard’s STRIKE team identified more than 50,000 unique IP addresses associated with infected routers over the past six months, highlighting the scale of the operation.

A significant portion of compromised devices, between 30% and 50%, reside in Taiwan, which continues to be a major geopolitical focus for China-based cyber actors. Additional clusters were detected in the United States, Russia, Southeast Asia, and various European countries.

Operation WrtHug is not isolated. It follows another China-linked ORB (operational relay box) campaign known as AyySSHush, which was exposed earlier this year for similarly targeting Asus routers. Although only seven IP addresses overlap between the two operations, researchers believe they may represent different phases of a single evolving campaign or coordinated efforts between multiple threat groups aligned with the same strategic objectives.

Despite potential connections, SecurityScorecard states that current evidence remains insufficient to formally link the two campaigns beyond shared vulnerabilities and targeting behavior. For now, Operation WrtHug is being tracked independently.

Asus has already patched all vulnerabilities leveraged in these attacks, which primarily affect older, unsupported router models such as 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP.

Security experts strongly advise users to apply the latest firmware updates immediately. For devices no longer receiving updates, the safest option is to replace them with newer, supported models.

Failure to do so may leave devices vulnerable to future campaigns similar to the current Asus router hack, which demonstrates how outdated home and small business routers continue to serve as attractive targets for advanced threat actors.

Source: Securityweek
