A new cyber-espionage campaign dubbed “Operation WrtHug” has compromised tens of thousands of ASUS routers worldwide, according to a report released by cybersecurity firm SecurityScorecard. The operation, which appears to exclusively target ASUS WRT devices, mainly End-of-Life (EoL) models, uses known vulnerabilities to gain high-level control of the routers.
Researchers say the attackers are exploiting a series of OS command injection vulnerabilities, including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348. The issues are collectively associated with CVE-2023-39780, an OS command injection flaw.
Attackers also leveraged CVE-2024-12912 (an arbitrary command execution issue) and CVE-2025-2492 (an improper authentication control issue). Threat actors used the AiCloud service on ASUS devices as the initial access point.
SecurityScorecard’s STRIKE team identified more than 50,000 unique IP addresses linked to hijacked ASUS routers over the past six months. Interestingly, the infected devices use a self-signed TLS certificate with a 100-year expiration period, a key indicator of compromise that allows the campaign to be tracked.
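A defender can check an inventory of certificates collected from their own devices for the trait described above. The following is an added example, not code from the SecurityScorecard report; the record fields (host, subject, issuer, not_before, not_after), the 99-year tolerance and the sample data are assumptions made for illustration.

```python
from datetime import datetime

# Assumption: match "100-year" with a tolerance. 100 calendar years is slightly
# less than 100 * 365.25 days (2100 is not a leap year), so an exact >= 100
# comparison would miss a genuine 100-year certificate.
MIN_VALIDITY_YEARS = 99.0


def validity_years(rec):
    """Length of the certificate's validity window in (Julian) years."""
    start = datetime.fromisoformat(rec["not_before"])
    end = datetime.fromisoformat(rec["not_after"])
    return (end - start).days / 365.25


def looks_self_signed(rec):
    # Heuristic only: issuer DN equals subject DN. A full check would also
    # verify the signature against the certificate's own public key.
    return rec["issuer"].strip() == rec["subject"].strip()


def flag_suspect_certs(records):
    """Return (host, validity_years) for self-signed, ~100-year certificates."""
    hits = []
    for rec in records:
        years = validity_years(rec)
        if looks_self_signed(rec) and years >= MIN_VALIDITY_YEARS:
            hits.append((rec["host"], round(years, 1)))
    return hits


# Constructed sample inventory (documentation IP ranges, invented names).
SAMPLE = [
    {"host": "192.0.2.10", "subject": "CN=router.example", "issuer": "CN=router.example",
     "not_before": "2022-01-01T00:00:00+00:00", "not_after": "2122-01-01T00:00:00+00:00"},
    {"host": "192.0.2.11", "subject": "CN=nas.example", "issuer": "CN=nas.example",
     "not_before": "2022-01-01T00:00:00+00:00", "not_after": "2032-01-01T00:00:00+00:00"},
    {"host": "198.51.100.5", "subject": "CN=www.example", "issuer": "CN=Example Issuing CA",
     "not_before": "2025-01-01T00:00:00+00:00", "not_after": "2025-04-01T00:00:00+00:00"},
    {"host": "203.0.113.7", "subject": "CN=legacy.example", "issuer": "CN=Example Root CA",
     "not_before": "2020-01-01T00:00:00+00:00", "not_after": "2120-01-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for host, years in flag_suspect_certs(SAMPLE):
        print(f"{host}: self-signed certificate valid for ~{years} years, review device")
```

A match is a lead for investigation, not proof of compromise: other software can also generate long-lived self-signed certificates.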
SecurityScorecard assesses with low-to-moderate confidence that WrtHug is an Operational Relay Box (ORB) facilitation campaign orchestrated by an unknown China-affiliated threat actor. ORB campaigns are intrusion operations carried out by state-sponsored actors to expand global espionage operations.
Taiwan accounts for 30–50% of infected devices, with additional clusters appearing in the US, Russia, Southeast Asia, and Europe. Researchers say this targeting mirrors previous China-linked operations.
The use of command injection vulnerabilities such as CVE-2023-39780 has also been observed in another suspected China-nexus ORB campaign tracked as “AyySSHush.”
“The fact that these two campaigns target the same vulnerability on the same types of devices, coupled with the fact that there is a very low number of dual-compromised nodes, leads the research team to speculate about potential coordination between the campaigns,” the report notes.