
Thousands of ASUS Routers Hijacked in “Operation WrtHug,” Researchers Say

A newly uncovered cyber-espionage campaign has compromised tens of thousands of ASUS WRT routers worldwide, turning end-of-life home and SOHO devices into a stealthy network for intelligence gathering, security researchers said Wednesday. The operation, tracked by SecurityScorecard’s STRIKE team, has been named Operation WrtHug.

SecurityScorecard researchers say the attackers chain together six known vulnerabilities in ASUS devices to gain elevated privileges and persistent access on unsupported routers:

  • CVE-2023-41345
  • CVE-2023-41346
  • CVE-2023-41347
  • CVE-2023-41348
  • CVE-2024-12912
  • CVE-2025-2492

Many of the targeted devices run the ASUS AiCloud service and are no longer receiving vendor updates.

A distinct technical fingerprint helped investigators spot the campaign: infected devices were found to share the same self-signed TLS certificate, unusually set to expire in 100 years. That long-lived certificate acts as a strong indicator of compromise and allowed researchers to correlate thousands of affected devices across geographic clusters.

According to the report and corroborating coverage, the bulk of affected routers appear concentrated in Taiwan, with substantial numbers also detected in countries across Asia, Europe and the United States. Security analysts note the geographic pattern and the operation’s tactics bear similarities to prior China-linked campaigns, leading to assessments that the activity likely has a China nexus.

SecurityScorecard’s STRIKE team compared WrtHug to earlier ORB-style (operational relay box) operations and botnet campaigns that exploited end-of-life routers, suggesting either an evolution of a known actor or collaboration between groups that have reused attack techniques and tooling. The operation demonstrates how nation-scale espionage actors can leverage neglected consumer networking gear to build resilient espionage infrastructure.

ASUS has an active security advisory page and has issued patches for several router vulnerabilities in 2025; researchers and vendors urge users to update firmware, disable exposed services such as AiCloud when possible, and replace devices that are no longer supported. Organizations relying on SOHO routers for remote access are advised to monitor for the unique certificate indicator and scan their edge devices for signs of compromise.
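The certificate indicator described above (a self-signed TLS certificate with a validity period of about 100 years) can be checked mechanically on your own edge devices. The following script is an added example, not SecurityScorecard's, ASUS's, or Canaltech's code: a stdlib-only Python DER walker that extracts the notBefore/notAfter fields from an X.509 certificate and flags any whose validity span is abnormally long. The 30-year threshold is an assumption, the two sample certificates built in the block are constructed, unsigned skeletons (empty issuer/subject/public key) rather than real router certificates, and `fetch_der` uses the standard `ssl.get_server_certificate` call to pull the certificate from a device you administer.

```python
"""Flag X.509 certificates with an abnormally long validity period (stdlib only)."""
import ssl
from datetime import datetime, timezone

# Assumed threshold (not from the report): self-signed device certs usually
# live 1-10 years, so anything at or beyond this is worth a closer look.
SUSPICIOUS_YEARS = 30


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:                                    # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:                                  # YYYYMMDDHHMMSSZ; required for 2050 and later
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]  # MM DD hh mm ss
    return datetime(year, *fields, tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                     # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                                    # [0] EXPLICIT version is optional
        pos = 0
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)               # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def validity_years(der):
    not_before, not_after = certificate_validity(der)
    return (not_after - not_before).days / 365.25


def is_long_lived(der, threshold_years=SUSPICIOUS_YEARS):
    return validity_years(der) >= threshold_years


def fetch_der(host, port=443, timeout=5):
    """Pull a live server certificate (self-signed allowed, no chain check) as DER."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port), timeout=timeout))


# --- constructed sample input: minimal, unsigned certificate skeletons ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_cert(not_before, not_after):
    """Encode just enough of a Certificate for the walker; issuer/subject/SPKI are empty."""
    def time(dt):
        if dt.year < 2050:
            return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
        return _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # OID 1.2.840.113549.1.1.11
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, sha256_rsa)
           + _der(0x30, b"") + _der(0x30, time(not_before) + time(not_after))
           + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, sha256_rsa) + _der(0x03, b"\x00"))


UTC = timezone.utc
NORMAL_CERT = build_sample_cert(datetime(2025, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC))
CENTURY_CERT = build_sample_cert(datetime(2025, 1, 1, tzinfo=UTC), datetime(2125, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    for name, der in (("normal", NORMAL_CERT), ("century", CENTURY_CERT)):
        print(f"{name}: {validity_years(der):.1f} years, long-lived={is_long_lived(der)}")
```

Two design points matter here. RFC 5280 requires any date in 2050 or later to be encoded as GeneralizedTime rather than UTCTime, so a certificate expiring a century from now necessarily mixes the two forms within one validity sequence, and a checker that only understands UTCTime will misparse it. Second, the validity span is a heuristic for spotting variants; where the report's exact certificate is available, comparing its fingerprint against what `fetch_der` returns is the more precise indicator, and a cert that trips the span check on a device you did not provision that way is reason to treat the router as compromised and replace or reflash it.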

The discovery underlines a persistent problem in the internet’s supply chain: outdated consumer routers, widely deployed and rarely patched, remain a fast route for sophisticated actors to gain footholds at the network edge. Security teams say combating such campaigns requires stronger lifecycle management for edge devices, better telemetry from vendors, and proactive network monitoring to detect large-scale, long-running intrusions.

Source: Canaltech
