- Thousands of expired ASUS routers hijacked in “Operation WrtHug” cyberespionage botnet
- Chinese State-Sponsored Actors Exploit Multiple n-Day Flaws Using 100-Year-Old TLS Certificates
- Compromised routers form relay network, mainly in Taiwan and Southeast Asia
Thousands of expired ASUS routers are being hijacked and assimilated into a botnet used as infrastructure for cyberespionage operations, experts have warned.
Security researchers at SecurityScorecard, together with ASUS, discovered and reported the malicious campaign, stating that a group of Chinese state-sponsored threat actors has been exploiting multiple vulnerabilities in several ASUS routers to install a unique self-signed certificate.
The abused vulnerabilities include CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492. These are all n-day bugs, meaning they had already been publicly known for a relatively long time. However, since the targeted devices had reached end of life, most never received the update or were simply not patched by their users.
Here is the list of the models that are being assimilated into the botnet:
- 4G-AC55U
- 4G-AC860U
- DSL-AC68U
- GT-AC5300
- GT-AX11000
- RT-AC1200HP
- RT-AC1300GPLUS
- RT-AC1300UHP
The number of hijacked routers is counted "in the thousands," according to the report. They all share a single self-signed TLS certificate whose expiration date is set 100 years out.
“This unusually durable certificate is a critical indicator of compromise and points to a level of coordination that reflects careful and calculated espionage,” the researchers said.
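The indicator the researchers describe, a self-signed certificate with a century-long validity window, is something a defender can check for directly in the DER certificate a device presents. The following is an added example written for this article, not code from SecurityScorecard or ASUS: it walks the ASN.1 structure of a certificate just far enough to read the issuer, validity and subject fields, flags an implausibly long validity window and a subject that equals its issuer, and includes a constructed, unsigned stand-in certificate so it runs offline. The 5-year threshold, the sample names and the `fetch_peer_cert_der` helper are assumptions.

```python
"""Flag TLS certificates with implausibly long validity or self-signed issuer.

Illustrative detector added for this article (not SecurityScorecard's or ASUS's
tooling). Input is DER bytes, the form returned by getpeercert(binary_form=True).
"""
import socket
import ssl
from datetime import datetime, timezone

SECONDS_PER_YEAR = 365.25 * 24 * 3600
MAX_SANE_YEARS = 5  # assumed threshold; public CAs issue leaf certs for ~1 year


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs directly inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Extract notBefore, notAfter and whether issuer == subject from a DER cert."""
    _, cert_s, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)         # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, iss_s, iss_e = fields[2]
    _, val_s, val_e = fields[3]
    _, sub_s, sub_e = fields[4]
    times = [_parse_time(t, der[s:e]) for t, s, e in _children(der, val_s, val_e)]
    return {"not_before": times[0], "not_after": times[1],
            "self_signed": der[iss_s:iss_e] == der[sub_s:sub_e]}


def validity_years(der):
    info = parse_cert(der)
    return (info["not_after"] - info["not_before"]).total_seconds() / SECONDS_PER_YEAR


def assess(der, max_years=MAX_SANE_YEARS):
    """Return indicator strings; an empty list means nothing unusual was found."""
    findings = []
    years = validity_years(der)
    if years > max_years:
        findings.append(f"validity {years:.1f}y exceeds {max_years}y")
    if parse_cert(der)["self_signed"]:
        findings.append("self-signed (issuer == subject)")
    return findings


def fetch_peer_cert_der(host, port=443, timeout=5.0):
    """Fetch a host's leaf certificate as DER without validating the chain (assumed helper)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, body):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def build_sample_cert(not_before, not_after, issuer_cn, subject_cn):
    """Constructed, unsigned stand-in certificate: only the fields parse_cert reads are real."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName (2.5.4.3), UTF8String }
        atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))
    def gtime(dt):
        return _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                     # version v3
                     + _der(0x02, b"\x01")                               # serialNumber
                     + _der(0x30, bytes.fromhex("06092A864886F70D01010B0500"))  # sha256WithRSA
                     + name(issuer_cn)
                     + _der(0x30, gtime(not_before) + gtime(not_after))  # validity
                     + name(subject_cn)
                     + _der(0x30, b""))                                  # SPKI placeholder
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


_NB = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_HIJACKED = build_sample_cert(_NB, datetime(2125, 1, 1, tzinfo=timezone.utc), "router", "router")
SAMPLE_BENIGN = build_sample_cert(_NB, datetime(2026, 1, 1, tzinfo=timezone.utc), "Example CA", "router")

if __name__ == "__main__":
    for label, cert in (("hijacked-like", SAMPLE_HIJACKED), ("benign-like", SAMPLE_BENIGN)):
        print(label, assess(cert) or "no findings")
```

Against a real fleet you would feed `assess(fetch_peer_cert_der(host))` the DER bytes of each device's management interface and treat a hit on both checks as a strong signal to pull the device for inspection. Validity length alone is a weak indicator, since plenty of consumer devices ship long-lived self-signed certificates, so the check is most useful combined with the model list and the specific certificate fingerprint published in the report.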
The infected routers become part of a large operational relay network, similar to other Operational Relay Box (ORB) campaigns linked to China.
Routers become nodes that allow actors to route their own spy traffic through innocent people’s routers, hide their true origin when conducting intrusions, build a resilient, globally distributed C2 infrastructure, and ultimately orchestrate attacks against high-value geopolitical targets.
The vast majority of compromised routers are located in Taiwan and Southeast Asia, which aligns perfectly with Chinese national interests. No compromised routers were said to have been found in mainland China.
The campaign is called “Operation WrtHug” as the devices run a firmware called AsusWRT.