
Chinese State-Sponsored Hackers Compromise Over 50,000 Asus Routers in Global Espionage Campaign

A Chinese state-sponsored threat actor has carried out a widespread and long-running cyberespionage operation by compromising tens of thousands of Asus routers worldwide

A Chinese state-sponsored threat actor has carried out a widespread and long-running cyberespionage operation by compromising tens of thousands of Asus routers worldwide, according to new research from SecurityScorecard. The campaign, named Operation WrtHug, reflects a growing trend of China-linked intrusion groups quietly building persistent proxy networks to support intelligence collection and covert operations.

Overview of Operation WrtHug

The attackers targeted Asus routers exposed to the public internet by exploiting multiple known vulnerabilities within the devices’ AiCloud remote-access service. AiCloud allows users to access storage and files over the internet — a feature that becomes dangerous when paired with command-injection flaws.

SecurityScorecard analysts observed the threat actor leveraging several high-severity vulnerabilities, including:

  • CVE-2023-41345 through CVE-2023-41348

  • CVE-2023-39780

  • CVE-2024-12912

  • CVE-2025-2492

These issues primarily stem from improper input filtering, allowing attackers to execute commands remotely and take full control of affected devices.

Once compromised, the routers were integrated into a large, distributed network of infected devices — a tactic consistent with China-linked Operational Relay Box (ORB) strategies.

Scale and Global Footprint

SecurityScorecard’s STRIKE team identified over 50,000 unique infected IP addresses within the last six months alone. Those routers now likely serve as:

  • relay nodes for espionage operations

  • anonymization layers for attacker infrastructure

  • footholds for long-term persistent access

Key geographic concentrations include:

  • Taiwan (30%–50% of all infected devices)

  • the United States

  • Russia

  • Southeast Asia

  • several European countries

Notably, most affected routers are discontinued Asus models, creating a long-term attack surface where unpatched vulnerabilities linger.

Technical Indicators and Persistence

All compromised routers were found to contain the same self-signed TLS certificate, shared across the botnet, with a 100-year validity period (issued in April 2022). Because a legitimate device certificate does not look like this, the certificate serves as a reliable, high-confidence indicator of compromise (IoC) for defenders.

Beyond the intrusions themselves, researchers also identified overlaps between WrtHug and AyySSHush, another previously documented China-linked ORB network. Only seven IP addresses appeared in both datasets, a small overlap that nonetheless leaves open the possibility that the two operations are linked or that one is evolving from the other.

Attribution and Assessment

Based on tooling, targeting, and global infrastructure patterns, SecurityScorecard states that the activity strongly aligns with China-nexus threat actors. The operation highlights an increasing shift toward quiet, persistent router-based espionage networks, which provide:

  • global distribution

  • low detection rates

  • reduced reliance on traditional command servers

  • resilience and anonymity

Mitigation and Recommendations

All exploited vulnerabilities have patches available, but many affected routers are already out of support.

Users should:

  • immediately update firmware if patches exist

  • replace discontinued devices with supported models

  • disable AiCloud or restrict external access

  • monitor for unauthorized TLS certificates
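
The shared-certificate indicator described above, and the recommendation to monitor for unauthorized TLS certificates, can be turned into a simple triage check. The following is an added example, not code from SecurityScorecard or the article: it applies the three published traits (self-signed, roughly 100-year validity, issued in April 2022) to a parsed X.509 certificate, and builds a constructed test certificate so the check can be exercised offline; the 99-year threshold and the test dates are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MatchesWrtHugIoC applies the article's indicator to a parsed certificate:
// self-signed (raw issuer equals raw subject), roughly a century of validity
// (99 years tolerates leap-day rounding, an assumption), NotBefore in April 2022.
func MatchesWrtHugIoC(c *x509.Certificate) bool {
	selfSigned := bytes.Equal(c.RawIssuer, c.RawSubject)
	century := c.NotAfter.Sub(c.NotBefore) >= 99*365*24*time.Hour
	april2022 := c.NotBefore.Year() == 2022 && c.NotBefore.Month() == time.April
	return selfSigned && century && april2022
}

// ConstructedSelfSignedCert builds a throwaway self-signed certificate so the
// check can be exercised offline; the dates and name are constructed inputs.
func ConstructedSelfSignedCert(notBefore time.Time, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	suspect, _ := ConstructedSelfSignedCert(time.Date(2022, time.April, 15, 0, 0, 0, 0, time.UTC), 100)
	normal, _ := ConstructedSelfSignedCert(time.Date(2024, time.January, 1, 0, 0, 0, 0, time.UTC), 1)
	fmt.Println(MatchesWrtHugIoC(suspect), MatchesWrtHugIoC(normal)) // true false
}
```

In practice the certificate would come from a TLS handshake against the router's AiCloud port or from passive TLS logs, and a match should trigger firmware verification rather than be treated as proof on its own.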

Operation WrtHug demonstrates how outdated consumer hardware can become a key enabler of nation-state espionage — and why securing edge devices remains critical for global cyber resilience.