Over 9,000 ASUS routers have been compromised by a novel botnet dubbed "AyySSHush", which has also been observed targeting SOHO routers from Cisco, D-Link, and Linksys.
The campaign was discovered by GreyNoise security researchers in mid-March 2025; the firm reports that it carries the hallmarks of a nation-state threat actor, though no concrete attribution has been made.
The threat monitoring firm reports that the attacks combine brute-forcing login credentials, bypassing authentication, and exploiting older vulnerabilities to compromise ASUS routers, including the RT-AC3100, RT-AC3200, and RT-AX55 models.
Specifically, the attackers exploit an older command injection flaw tracked as CVE-2023-39780 to add their own SSH public key and enable the SSH daemon to listen on the non-standard TCP port 53282. These modifications allow the threat actors to retain backdoor access to the device across reboots and firmware updates.
"Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades," explains another related report by GreyNoise.
"If you've been exploited previously, upgrading your firmware will NOT remove the SSH backdoor."
The attack is particularly stealthy: it involves no malware, and the attackers also disable logging and Trend Micro's AIProtection to evade detection.
Tellingly, GreyNoise reports logging just 30 malicious requests associated with this campaign over the past three months, even though around 9,000 ASUS routers have been infected.
Still, three of those requests were enough to trigger GreyNoise's AI-powered analysis tool, which flagged them for human inspection.
The campaign likely overlaps with the activity Sekoia tracks as "Vicious Trap," disclosed last week, though the French cybersecurity firm reported that threat actors leveraged CVE-2021-32030 to breach ASUS routers.
In the campaign seen by Sekoia, the threat actors were observed targeting SOHO routers, SSL VPNs, DVRs, and BMC controllers from D-Link, Linksys, QNAP, and Araknis Networks.
The exact operational goal of AyySSHush remains unclear, as there are no signs of distributed denial-of-service (DDoS) activity or of the compromised ASUS routers being used to proxy malicious traffic.
However, in the router breaches observed by Sekoia, a malicious script was downloaded and executed to redirect network traffic from the compromised system to third-party devices controlled by the attacker.
Currently, the campaign appears to be quietly building a network of backdoored routers, laying the groundwork for a future botnet.
ASUS has released security updates that address CVE-2023-39780 for the impacted routers, though availability dates vary by model.
Users are advised to upgrade their firmware as soon as possible and to check for suspicious files and for the attacker's SSH key (IoCs here) in the 'authorized_keys' file.
GreyNoise also lists four IP addresses associated with this activity, which should be added to a block list:
101.99.91[.]151
101.99.94[.]173
79.141.163[.]179
111.90.146[.]237
If a compromise is suspected, a factory reset is recommended to clean the router beyond doubt, followed by reconfiguring it from scratch with a strong password.
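The three observable traces the article describes (SSH enabled on TCP 53282, a foreign key in the router's persistent SSH configuration, and connections from the four published addresses) can be checked offline from a configuration dump and a log extract. The script below is an added example and is not code from the article, GreyNoise, or ASUS. The nvram variable names `sshd_enable` and `sshd_port` follow ASUSWRT conventions but are an assumption, as is the dropbear log line format; all sample inputs are constructed. In practice the key text would come from the router's own configuration (the article notes the key is stored via official ASUS features, so it survives a firmware upgrade), and the allow-list holds the fingerprints or key blobs the operator actually installed.

```python
"""Audit a router config dump and log extract for the AyySSHush persistence pattern.

Added example, not from the article. Assumptions are marked as such.
"""
import re

BACKDOOR_PORT = 53282
# The four IoC addresses published by GreyNoise (from the article).
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

# Constructed sample inputs (not real router data).
SAMPLE_NVRAM = """sshd_enable=1
sshd_port=53282
sshd_wan=1
lan_ipaddr=192.168.50.1
"""
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOperatorKey admin@lan
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAttackerKey ayy
"""
# Key blobs the operator knowingly installed (constructed).
ALLOWED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOperatorKey"}
# Constructed log lines in dropbear's syslog style (format is an assumption).
SAMPLE_LOGS = [
    "May 30 08:23:01 router dropbear[1234]: Child connection from 101.99.91.151:41022",
    "May 30 08:24:10 router dropbear[1235]: Child connection from 192.168.50.20:50110",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_nvram(text):
    """Parse 'key=value' lines (the shape of `nvram show` output) into a dict."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def parse_authorized_keys(text):
    """Return (key_type, key_blob) pairs, ignoring comments, blanks and option prefixes."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options such as 'no-pty' may precede the key type; locate the type field.
        for i, field in enumerate(parts):
            if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
                keys.append((field, parts[i + 1]))
                break
    return keys


def audit(nvram_text, authorized_keys_text, allowed_blobs, log_lines):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    cfg = parse_nvram(nvram_text)
    # Assumption: ASUSWRT exposes the SSH daemon state as sshd_enable / sshd_port.
    if cfg.get("sshd_enable", "0") != "0" and cfg.get("sshd_port") == str(BACKDOOR_PORT):
        findings.append(f"sshd enabled on TCP {BACKDOOR_PORT}")
    for key_type, blob in parse_authorized_keys(authorized_keys_text):
        if blob not in allowed_blobs:
            findings.append(f"unknown authorized key ({key_type}, ...{blob[-16:]})")
    for line in log_lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                findings.append(f"IoC address {ip} seen: {line.strip()}")
    return findings


def demo():
    """Run the audit over the constructed samples."""
    return audit(SAMPLE_NVRAM, SAMPLE_AUTHORIZED_KEYS, ALLOWED_KEY_BLOBS, SAMPLE_LOGS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean router yields no findings; the constructed sample trips all three checks. Any hit on the first two checks is the case the article warns about: a firmware upgrade alone will not remove the key, so the remediation is a factory reset followed by reconfiguration, not just patching.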
(Score: 2) by JoeMerchant on Friday May 30, @08:23PM
I realize brands are near meaningless these days, but I feel like I have been somewhat blessed with my choice of Netgear for my SOHO WiFi routers... I read the list of affected vendors and Netgear seems rarely to be in there.
It did come with UPnP enabled by default, I didn't like how that played out with a camera I put on my network that automatically opened itself a port in the firewall for internet viewing, which I didn't discover until over a year later.
Otherwise, it seems that remote management is off by default, and if they have backdoors they have been more successful at keeping them secret than others...
(Score: 1, Interesting) by Anonymous Coward on Saturday May 31, @04:50AM
This applies if you have the administrative web interface exposed to the open internet.
There are "theories" of websites being able to run scripts against local IPs and attack your router, but modern browsers block local IP subnet access.
Then this is a thing that applies to businesses where the outsourced IT manager didn't want to install a VPN on anything, and instead exposed the router to the open internet. Sigh. If not that, you're probably fine - regardless of your router's age.
Trying to keep things out of the landfill, it sucks. For older routers (5+ years), even OpenWrt doesn't support them any longer, and so what are you to do -- but assess the security aspects on your own and make a decision.