WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide
A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have
AI Analysis
Technical Summary
Operation WrtHug is a large-scale exploitation campaign targeting end-of-life ASUS WRT routers by chaining six known vulnerabilities (including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492) to gain unauthorized control over tens of thousands of devices globally. The attackers exploit flaws primarily in the ASUS AiCloud service, which enables remote access to local storage, leveraging n-day vulnerabilities to escalate privileges and deploy persistent SSH backdoors that survive reboots and firmware updates. The infected routers share a unique self-signed TLS certificate valid for 100 years, indicating a coordinated campaign. The compromised devices form a botnet infrastructure, potentially used for further malicious activities such as distributed denial-of-service (DDoS) attacks, data exfiltration, or as a foothold for lateral movement within networks. The campaign shows similarities to other China-linked Operational Relay Box (ORB) botnets, with some overlap noted with the AyySSHush botnet. Targeted router models include popular ASUS Wireless Routers such as 4G-AC55U, GT-AX11000, and RT-AC1300UHP, all of which are no longer supported with security updates. The campaign highlights the increasing trend of threat actors exploiting IoT and network devices to build resilient botnets, emphasizing the risks posed by unpatched, end-of-life hardware. The origin is suspected to be a China-affiliated actor based on targeting patterns and tactics, though no definitive attribution is confirmed.
Potential Impact
European organizations using affected ASUS router models are at significant risk due to the potential compromise of their network gateways. Infected routers can be co-opted into botnets, enabling attackers to launch large-scale DDoS attacks that can disrupt business operations and critical infrastructure. The persistence of backdoors allows attackers to maintain long-term access, potentially facilitating espionage, data interception, or lateral movement into internal networks. Given that many routers are deployed in small and medium enterprises and home offices, the infection can serve as a stepping stone to compromise larger organizational networks. The exploitation of widely used ASUS AiCloud services increases the attack surface, especially for organizations relying on remote access features. The lack of patches for end-of-life devices means vulnerabilities remain unmitigated, increasing exposure. Additionally, the campaign's scale and stealthy persistence mechanisms complicate detection and remediation efforts. The presence of infected routers in Europe could also be leveraged to target European critical infrastructure or government networks, raising national security concerns.
Mitigation Recommendations
1. Conduct comprehensive network audits to identify all ASUS router models in use, focusing on those listed as targeted by the campaign.
2. Immediately isolate or disconnect end-of-life ASUS routers that cannot be updated or patched from the network.
3. Disable ASUS AiCloud services if not explicitly required, as this service is a primary attack vector.
4. Replace EoL routers with currently supported models that receive regular security updates.
5. Implement network segmentation to limit the exposure of critical systems to compromised routers.
6. Monitor network traffic for unusual outbound connections or SSH activity indicative of backdoor presence.
7. Deploy intrusion detection systems (IDS) tuned to detect known indicators of compromise related to WrtHug and similar botnets.
8. Educate users and IT staff about the risks of using unsupported network devices and the importance of timely hardware upgrades.
9. Collaborate with ISPs and vendors to identify and remediate infected devices at scale.
10. Apply strict access controls and multi-factor authentication for remote management interfaces to reduce exploitation risk.
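As an added defender-side example (not code from the article, from SecurityScorecard, or from this site), the following Python triages a router's TLS certificate as printed by `openssl x509 -noout -subject -issuer -dates`, looking for the combination the analysis above describes: a self-signed certificate with a validity span of about a century. The 50-year threshold, the sample subject names and the sample dates are assumptions of this example; the authoritative indicator is the certificate itself as published by the researchers, which this page does not reproduce.

```python
from datetime import datetime, timezone

# Threshold (assumed for this example): publicly trusted certificates live a year
# or two, so a self-signed certificate valid for a century, as reported for
# WrtHug-infected routers, is an outlier worth triaging.
LONG_LIVED_YEARS = 50
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of `openssl x509 -noout -subject -issuer -dates` output;
# names and dates are invented, not indicators from the campaign.
SUSPECT_CERT_TEXT = """subject=CN = router.example
issuer=CN = router.example
notBefore=Nov 20 00:00:00 2025 GMT
notAfter=Nov 20 00:00:00 2125 GMT
"""

# Constructed benign sample: a short-lived certificate from a separate CA.
BENIGN_CERT_TEXT = """subject=CN = gateway.example.org
issuer=CN = Example Internal CA
notBefore=Jan  5 12:00:00 2025 GMT
notAfter=Jan  5 12:00:00 2026 GMT
"""

def parse_openssl_fields(text):
    """Turn the 'key=value' lines printed by openssl x509 into a dict."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_openssl_date(value):
    """Parse 'Jan  5 12:00:00 2025 GMT'; openssl space-pads single-digit days."""
    return datetime.strptime(" ".join(value.split()), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)

def assess_certificate(text):
    """Flag a certificate that is both self-signed and abnormally long-lived."""
    fields = parse_openssl_fields(text)
    not_before = parse_openssl_date(fields["notBefore"])
    not_after = parse_openssl_date(fields["notAfter"])
    validity_years = (not_after - not_before).days / 365.25
    self_signed = fields.get("subject") == fields.get("issuer")
    return {
        "self_signed": self_signed,
        "validity_years": round(validity_years, 1),
        "suspicious": self_signed and validity_years >= LONG_LIVED_YEARS,
    }
```

Run it over the certificates collected from each ASUS gateway found in the audit (step 1); a hit is a reason to pull the device for the isolation and replacement steps, not proof of compromise on its own.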
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Article Source: https://thehackernews.com/2025/11/wrthug-exploits-six-asus-wrt-flaws-to.html (fetched 2025-11-20T02:24:03.889Z, 1078 words)
Threat ID: 691e7bc51af65083e67f6131
Added to database: 11/20/2025, 2:24:05 AM
Last enriched: 11/20/2025, 2:24:20 AM
Last updated: 11/21/2025, 2:32:06 PM