Over 9,000 ASUS routers compromised in nation-state-like AyySSHush botnet campaign
A sophisticated botnet campaign, dubbed AyySSHush, has compromised more than 9,000 ASUS routers, with evidence suggesting the activity may be the work of a nation-state threat actor, according to researchers at GreyNoise.

Discovered in mid-March 2025, the campaign also targets routers from Cisco, D-Link, and Linksys, particularly focusing on small office/home office (SOHO) environments. The attackers reportedly use a mix of brute-force login attempts, authentication bypasses, and old vulnerabilities to gain persistent access.

GreyNoise said that the attackers are exploiting a known command injection flaw (CVE-2023-39780) on ASUS router models RT-AC3100, RT-AC3200, and RT-AX55. By leveraging official ASUS configuration features, attackers add their own SSH key and enable SSH access on a non-standard port (TCP 53282). This backdoor access survives firmware upgrades, making removal particularly difficult.

“The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots,” GreyNoise explained.

The attackers disable logging and Trend Micro’s AiProtection, avoiding detection while not deploying traditional malware. Despite the campaign's scale, GreyNoise logged only 30 malicious requests over three months.
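The persistence described above lives in router configuration rather than in a malware binary, so a defender's check is a configuration audit: does the device have SSH enabled on the reported port, does its authorized-key list contain a key nobody on the team added, and has logging been switched off? The script below is an added example and is not code from GreyNoise or ASUS. It parses a constructed `key=value` dump; the variable names `sshd_enable`, `sshd_port`, `sshd_authkeys` and `log_level`, and the convention that several keys are joined by a literal `\n`, are assumptions to be checked against the firmware actually in use. Only the port number (TCP 53282) comes from the report.

```python
"""Audit an ASUS-style NVRAM dump for the AyySSHush persistence indicators."""

# Assumed NVRAM variable names (ASUSWRT-style); confirm against your firmware's `nvram show`.
SSH_ENABLE_KEY = "sshd_enable"
SSH_PORT_KEY = "sshd_port"
SSH_KEYS_KEY = "sshd_authkeys"   # assumed: several keys joined with a literal "\n"
LOG_LEVEL_KEY = "log_level"      # assumed: "0" means syslog disabled

SUSPECT_PORT = 53282             # non-standard SSH port reported by GreyNoise
DEFAULT_SSH_PORT = 22

# Constructed sample dump (not from a real device): backdoor port, one unknown key, logging off.
SAMPLE_NVRAM = """# constructed sample
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADMIN admin@office\\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNKNOWN
log_level=0
"""

# Key blobs the administrators actually deployed (constructed allowlist).
TRUSTED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIADMIN"}


def parse_nvram(dump: str) -> dict:
    """Turn `key=value` lines into a dict; blank and comment lines are skipped, later duplicates win."""
    cfg = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def find_indicators(dump: str, trusted_blobs: set) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    cfg = parse_nvram(dump)
    findings = []

    # 1. SSH service state and port: the report ties the backdoor to TCP 53282.
    if cfg.get(SSH_ENABLE_KEY, "0") not in ("", "0"):
        try:
            port = int(cfg.get(SSH_PORT_KEY, str(DEFAULT_SSH_PORT)))
        except ValueError:
            port = -1
        if port == SUSPECT_PORT:
            findings.append(f"ssh enabled on reported backdoor port {SUSPECT_PORT}")
        elif port != DEFAULT_SSH_PORT:
            findings.append(f"ssh enabled on non-default port {port}")

    # 2. Authorized keys: anything outside the allowlist is an unexplained access path.
    for entry in cfg.get(SSH_KEYS_KEY, "").split("\\n"):
        parts = entry.split()
        if len(parts) < 2:          # not "<type> <blob> [comment]"
            continue
        key_type, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else "(no comment)"
        if blob not in trusted_blobs:
            findings.append(f"untrusted authorized key: {key_type} {blob[:12]}... {comment}")

    # 3. Logging disabled: consistent with the evasion described in the report.
    if cfg.get(LOG_LEVEL_KEY) == "0":
        findings.append("system logging disabled")

    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NVRAM, TRUSTED_KEY_BLOBS):
        print("[!]", finding)
```

Because the settings persist in NVRAM, the audit is worth re-running after a firmware upgrade rather than assuming the flash cleared anything; a clean result after a factory reset, with a freshly curated allowlist, is the state to compare against.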

The operation appears to overlap with activity tracked as “Vicious Trap” by French cybersecurity firm Sekoia, which previously reported exploitation of CVE-2021-32030 against ASUS routers. That campaign also targeted a broader range of devices including SSL VPNs, DVRs, BMC controllers, and routers from QNAP and Araknis Networks.

The objective of AyySSHush remains unclear. Unlike typical botnets, there's no sign of DDoS activity or traffic proxying. However, in related campaigns observed by Sekoia, traffic redirection scripts were used to funnel network traffic through compromised devices, possibly for surveillance or data interception.

Earlier this month, GreyNoise said it observed a coordinated reconnaissance campaign involving 251 malicious IP addresses, all originating from Amazon AWS data centers in Japan. Conducted over a single day (May 8), the operation exhibited 75 distinct scanning behaviors, including known CVE exploit attempts and probes for web infrastructure weaknesses. The campaign appeared opportunistic but showed signs of centralized planning, with the temporary use of cloud infrastructure suggesting it was rented for this activity.
