WrtHug Attack Hijacks Tens of Thousands of ASUS Home Routers

Operation WrtHug has hijacked tens of thousands of ASUS routers for global espionage.

Written by Ken Underhill
Nov 21, 2025

A newly uncovered cyber-espionage operation, dubbed Operation WrtHug, has compromised tens of thousands of ASUS routers worldwide—quietly transforming everyday home and small-office devices into nodes in a sprawling reconnaissance and relay network. 

According to SecurityScorecard researchers, the campaign has been active for months and represents a significant escalation in router-based intrusion activity. 

Cybersecurity experts warned that compromised home routers are quickly becoming prime infrastructure for threat actor operations.

“While many organizations routinely scan for known vulnerabilities and replace end-of-life devices, most home users don’t have that luxury. As long as the internet works, they rarely think about their router,” said Hüseyin Can Yüceel, Security Research Lead at Picus Security.

He added, “This leaves many outdated but still functioning devices exposed online and creates opportunities for adversaries to hijack them, steal data, or build large botnets.”

“Home routers are often an easy target for threat actors because they are often outdated and not patched,” said Riley Kilmer, Co-Founder at Spur Intelligence.

She added, “Networks like NSocks and PremSocks target these devices because they can sell proxy access to other groups that are highly sticky and allow their customers to blend in with the victim’s home traffic. APT groups also leverage these vulnerable devices for their own private network of operational relay boxes for their next stage attacks.”

Inside the Global ASUS Router Hijacking Surge

The researchers found more than 50,000 unique IP addresses tied to infected routers over the past six months. 

The attackers appear to focus heavily on End-of-Life (EoL) ASUS WRT routers, exploiting a collection of known vulnerabilities — including CVE-2023-41345 through CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492 — to gain privileged access to the devices.

Nearly all compromised systems were running ASUS AiCloud, a proprietary remote-access service, and all shared a unique self-signed TLS certificate valid for 100 years, which serves as a global tracking fingerprint. 

Geographic analysis revealed concentrated targeting in Taiwan, with additional clusters in the U.S., Russia, Southeast Asia, and parts of Europe. 

Operation WrtHug represents an evolution in state-aligned cyber-espionage: instead of relying on traditional botnets or compromised servers, threat actors are forming decentralized networks of hijacked consumer routers that are difficult to detect and even harder to eradicate. 

The campaign’s targeting patterns align with broader geopolitical tensions and espionage objectives attributed to China-nexus groups.

The operation also underscores the long-term security risks of legacy hardware. EoL devices that no longer receive patches remain widely deployed and are increasingly weaponized by advanced actors as stealthy, persistent infrastructure.

Unpatched ASUS Routers Enable Global Spy Network

The campaign is driven by the exploitation of “Nth-day” vulnerabilities — publicly known flaws for which many devices remain unpatched. 

Because ASUS has retired support for several affected router models, attackers have found consistent success exploiting these outdated systems. 

Once a router is compromised, it becomes part of a larger espionage-oriented infrastructure that mirrors prior Operational Relay Box (ORB) campaigns linked to China-affiliated threat actors.

Researchers noted a particular overlap with AyySSHush, another suspected Chinese ORB operation that also targets ASUS devices via CVE-2023-39780. 

Only a handful of devices showed signs of dual compromise, but the shared vulnerability and similar tactics suggest possible coordination or shared tooling.

After exploiting vulnerable services — primarily AiCloud, but sometimes extending into management panels — the attackers appear to deploy multiple stages of persistence and control. 

Infection indicators include the shared TLS certificate, unusual outbound traffic patterns, and evidence of deeper system compromise affecting administrative interfaces.

Mitigating ORB Risks

The scale and sophistication of Operation WrtHug show how quickly compromised home routers can become part of global espionage infrastructure — and why enterprises can’t afford to overlook them.

Even though the primary infections target consumer devices, the risks extend directly into corporate environments through remote workers, unmanaged hardware, and insecure network pathways. 

Defending against this threat requires treating home-network equipment as part of the attack surface, not an afterthought.

Security teams should take the following steps:

  • Replace or remove all end-of-life ASUS WRT routers on corporate or remote-worker networks and apply firmware updates to supported models.
  • Disable or tightly control remote-management services like AiCloud and block or monitor related traffic unless explicitly required.
  • Inspect network and VPN logs for indicators of WrtHug compromise, including the campaign’s unique 100-year TLS certificate or anomalous outbound router activity.
  • Segment corporate networks and apply strict access controls to prevent home-network devices from reaching sensitive systems.
  • Audit remote-work environments for outdated firmware, insecure router configurations, or vulnerable employee-owned devices.
  • Enforce VPN, SASE, or device-posture requirements to ensure remote traffic passes through secure gateways rather than directly through home routers.
  • Monitor for unusual scanning, proxy behavior, or abnormal connections that could indicate router-based ORB activity or attempted lateral movement.
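The third step above, hunting for the campaign’s self-signed 100-year certificate, can be turned into a triage check over a router inventory. The following is an added example written for this article, not code from SecurityScorecard or ASUS; it works on certificate data in the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns, the sample certificates and router names are constructed, and the “self-signed plus roughly a century of validity” rule is a coarse heuristic derived from the article’s description rather than the campaign’s exact certificate, which the article does not publish.

```python
import ssl

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _flatten(name):
    """Turn getpeercert()'s subject/issuer tuple-of-tuples into a flat dict."""
    return {key: value for rdn in name for (key, value) in rdn}


def validity_years(cert):
    """Length of the certificate's validity window in years."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / SECONDS_PER_YEAR


def is_self_signed(cert):
    """A certificate whose issuer equals its subject is self-signed."""
    return _flatten(cert["subject"]) == _flatten(cert["issuer"])


def wrthug_cert_suspect(cert, min_years=99):
    """Heuristic from the article: self-signed and valid for about a century.
    A hit means 'inspect this router', not a confirmed compromise."""
    return is_self_signed(cert) and validity_years(cert) >= min_years


def triage(inventory):
    """Return the names of routers whose remote-management certificate
    matches the fingerprint, for follow-up inspection."""
    return [name for name, cert in inventory.items() if wrthug_cert_suspect(cert)]


# Constructed sample data (not real certificates) in getpeercert() shape.
SUSPECT = {
    "subject": ((("commonName", "router.local"),),),
    "issuer": ((("commonName", "router.local"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2124 GMT",
}
BENIGN = {
    "subject": ((("commonName", "router.local"),),),
    "issuer": ((("commonName", "Example Home CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    print(triage({"remote-worker-1": SUSPECT, "remote-worker-2": BENIGN}))
```

On a live device the dictionary comes from `getpeercert()` on a TLS connection to the router’s remote-management port; matches should be confirmed against the indicator published by the researchers before acting.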

Operation WrtHug is a reminder that even consumer-grade hardware can become part of an adversary’s global infrastructure if it’s left unpatched or unmonitored. 

Strengthening resilience requires treating home routers and remote-worker devices as extensions of the corporate perimeter, with the same rigor applied to enterprise systems.

State Actors Now Weaponize Everyday Home Devices

Operation WrtHug underscores a growing shift in cyber-espionage, where state-linked actors increasingly weaponize ordinary consumer devices to build stealthy relay networks that obscure their operations. 

As these ORB-style campaigns become more advanced, defenders must widen their threat models beyond traditional enterprise systems to account for the insecure — and often overlooked — devices sitting at the edges of modern networks.

This expanding threat surface reinforces the need for organizations to adopt zero-trust principles to limit attacker movement across all environments.
