A sophisticated global cyber campaign, dubbed Operation WrtHug, has been revealed to be hijacking tens of thousands of ASUS WRT routers and converting them into potential espionage tools for suspected China-linked hackers.
SecurityScorecard’s STRIKE team, in collaboration with ASUS, disclosed the operation, which exploits outdated router firmware to build a stealthy network infrastructure. This incident highlights the growing risk posed by unpatched, end-of-life (EoL) consumer devices.
Campaign Scope and Targeting
The operation’s scale is massive, with researchers estimating that 50,000 unique IP addresses have been involved over the last six months. The campaign shows a deliberate geographic focus, heavily targeting Taiwan, where an estimated 30% to 50% of compromised devices are located. Smaller infection clusters have also been found in the U.S., Russia, Japan, South Korea, and central Europe, but notably, mainland China remains largely untouched.
Researchers first identified WrtHug by tracing a suspicious, self-signed TLS certificate used across compromised devices. This certificate had an unusually long 100-year expiration date and appeared on 99% of affected ASUS AiCloud services, a feature intended for remote home network access that is now exploited as an entry point.
Technical Exploits and Persistence
The attackers are chaining six known flaws in ASUS firmware to propagate the malware, primarily focusing on N-day exploits in AiCloud and OS command injection vectors. These vulnerabilities, which have been patched by ASUS, mainly affect older routers running lighttpd or Apache web servers.
The campaign specifically targets ASUS WRT models, many of which are end-of-life and unpatched, allowing the attackers to inject commands and gain root privileges without changing the device’s outward appearance. The tactics used, such as focusing on Taiwan and achieving persistence via SSH backdoors, suggest the goal is building infrastructure for long-term espionage, an approach mirrored in tactics used by China-nexus actors.
Targeted models include the RT-AC1200HP, GT-AC5300, and DSL-AC68U, often found in homes and small offices. Once compromised, the setup allows the hackers to proxy Command and Control (C2) traffic and exfiltrate data.
Recommendations for Users
ASUS urges users to immediately update their firmware and disable unused features like AiCloud on supported devices. For routers identified as end-of-life, replacement is strongly recommended. Users should also implement network segmentation and monitor TLS certificates for indicators of compromise. This incident underscores the urgent need for vigilance regarding security in Small Office/Home Office (SOHO) networking equipment.
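The certificate indicator described earlier (a self-signed TLS certificate with a 100-year validity window on the AiCloud service) is something a home or small-office administrator can check for on their own equipment, which is what the recommendation to monitor TLS certificates amounts to in practice. The script below is an added example written for this article; it is not SecurityScorecard's or ASUS's tooling and it does not reproduce the actual WrtHug certificate. It reads the text that `openssl x509 -noout -subject -issuer -dates` prints for a certificate, measures the validity window, and flags a certificate that is both self-signed and valid for an assumed threshold of 50 years or more (a legitimate CA-issued leaf certificate lasts at most about 13 months, so the threshold only needs to sit far above that). The sample certificate text and the hostnames in it are constructed for the demonstration; only the Python standard library is used, and the optional fetch helper assumes an `openssl` binary on the path.

```python
"""Flag self-signed TLS certificates with an abnormally long validity period.

Added example for this article, not SecurityScorecard's or ASUS's tooling.
Input is the text produced by:
    openssl x509 -noout -subject -issuer -dates
Only the standard library is used. The 50-year threshold is an assumption;
the article reports a 100-year certificate, so any threshold well above
the roughly 13-month maximum that public CAs issue will catch it.
"""
import ssl
import subprocess

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LONG_LIFETIME_YEARS = 50  # assumption: far beyond anything a legitimate CA issues

# Constructed sample: the shape of `openssl x509 -noout -subject -issuer -dates`
# output for a self-signed certificate with a 100-year validity window.
SAMPLE_SUSPICIOUS = """\
subject=C = XX, O = Example, CN = router.local
issuer=C = XX, O = Example, CN = router.local
notBefore=Apr  1 00:00:00 2025 GMT
notAfter=Apr  1 00:00:00 2125 GMT
"""

# Constructed sample: a CA-issued certificate with a normal one-year lifetime.
SAMPLE_BENIGN = """\
subject=CN = www.example.com
issuer=C = US, O = Example CA, CN = Example Issuing CA 1
notBefore=Jan 10 00:00:00 2025 GMT
notAfter=Jan 10 00:00:00 2026 GMT
"""


def parse_openssl_text(text):
    """Parse `openssl x509 -noout -subject -issuer -dates` output into a dict."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    for required in ("subject", "issuer", "notBefore", "notAfter"):
        if required not in fields:
            raise ValueError("missing field: " + required)
    return fields


def validity_years(fields):
    """Length of the validity window in years. ssl.cert_time_to_seconds parses
    the 'Mon DD HH:MM:SS YYYY GMT' form that openssl and getpeercert() emit."""
    start = ssl.cert_time_to_seconds(fields["notBefore"])
    end = ssl.cert_time_to_seconds(fields["notAfter"])
    return (end - start) / SECONDS_PER_YEAR


def assess_certificate(fields, threshold_years=LONG_LIFETIME_YEARS):
    """Return (suspicious, reasons). Self-signed alone is common on SOHO gear
    and is not flagged by itself; self-signed plus a multi-decade lifetime is."""
    reasons = []
    self_signed = fields["subject"] == fields["issuer"]
    years = validity_years(fields)
    if self_signed:
        reasons.append("self-signed (issuer equals subject)")
    if years >= threshold_years:
        reasons.append("validity window of %.0f years" % years)
    return self_signed and years >= threshold_years, reasons


def fetch_certificate_text(host, port=443, timeout=10):
    """Retrieve the leaf certificate of host:port with the openssl CLI and
    return it in the text form parse_openssl_text() expects. Requires the
    openssl binary; the sample run below does not call it."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
         "-servername", host],
        input=b"", capture_output=True, timeout=timeout, check=True)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates"],
        input=s_client.stdout, capture_output=True, timeout=timeout, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        flagged, why = assess_certificate(parse_openssl_text(sample))
        print(label, "->", "FLAG" if flagged else "ok", "; ".join(why))
```

To check a real device, pass the router's LAN address and the port its AiCloud or admin HTTPS service listens on to `fetch_certificate_text()` and feed the result to `assess_certificate()`; a flagged result is a prompt to compare the certificate against the published indicators, update or replace the device as the article recommends, and not by itself proof of compromise.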