A major cyber-espionage campaign called Operation “WrtHug” has been uncovered, targeting thousands of ASUS home and small-office routers. Security researchers say the operation is linked to China-based threat actors. The attackers quietly took control of these routers without alerting owners, and experts warn that this campaign is both global and highly sophisticated.
The attackers mainly focused on ASUS WRT-series routers, especially those directly exposed to the internet. Many of these devices were outdated or had unpatched security issues. Once compromised, the routers were turned into hidden relay points for the attackers, allowing them to pass traffic secretly and maintain long-term access inside networks.
The scale of the attack is significant, with thousands of devices confirmed hijacked. A large portion of the infected routers were found in Taiwan, while others were detected in Southeast Asia, Europe, the United States and Russia. Interestingly, none of the compromised routers were observed in mainland China, which aligns with the suspected origin of the threat actors.
Researchers noticed that many targeted routers were older or end-of-life models that no longer receive security updates. These devices often contain known vulnerabilities that make them easy to exploit. This allowed attackers to gain persistence on the routers with very little resistance, turning them into long-term assets for their operations.
One of the main weaknesses abused in this campaign was a command-injection flaw known as CVE-2023-39780. Attackers also used authentication bypass techniques to enter routers without valid passwords. After gaining access, they enabled SSH on unusual ports, added their own secret keys and disabled logging to hide their tracks, leaving almost no visible signs of intrusion.
What makes Operation WrtHug particularly dangerous is the stealth involved. The attackers avoided installing noisy malware and instead relied on built-in router features and memory-based backdoors that can survive reboots. Because of this, many users may never realize that their router has been compromised, even though it is being controlled remotely.
Experts believe the motive behind this campaign is long-term espionage rather than financial gain. By assembling a global network of hijacked routers, the attackers gain powerful covert infrastructure for spying. These compromised devices can relay traffic, hide malicious activity and support future cyber operations while remaining almost invisible.
Security teams worldwide urge ASUS router owners to act quickly. Users should update firmware to the latest version, change admin passwords and disable remote access if not needed. If there are signs of unusual behavior, performing a factory reset after updating is strongly advised. Since the campaign is active and spreading, securing devices immediately is essential for protection.
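A defensive check for the post-compromise changes described above (SSH on an unusual port, added keys, logging disabled) and for the remote-access setting, written here as an added example that is not from the original article or from ASUS. The setting names, the `>` key separator and the sample dump are assumptions constructed for illustration; map them to what your firmware's settings export actually contains.

```python
# Added example: audit a key=value router settings dump for the persistence
# signs described in the article. All setting names below are assumptions.
SSH_ENABLE_KEY = "sshd_enable"    # assumed: "0" means SSH is off
SSH_PORT_KEY = "sshd_port"        # assumed: SSH listening port
SSH_KEYS_KEY = "sshd_authkeys"    # assumed: authorized keys joined by ">"
LOG_KEY = "log_enabled"           # hypothetical: "0" means logging is off
REMOTE_ADMIN_KEY = "misc_http_x"  # assumed: non-"0" means WAN admin access

# Constructed sample dump (not taken from a real device or report).
SAMPLE_DUMP = """\
sshd_enable=1
sshd_port=50022
sshd_authkeys=ssh-rsa AAAAexampleOWNERkey owner@laptop>ssh-rsa AAAAexampleUNKNOWNkey x
log_enabled=0
misc_http_x=0
"""

def parse_dump(text):
    """Parse key=value lines into a dict, skipping blank or malformed lines."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings

def audit(settings, known_keys, expected_ports=("22",)):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ssh_on = settings.get(SSH_ENABLE_KEY, "0") != "0"
    port = settings.get(SSH_PORT_KEY, "22")
    if ssh_on and port not in expected_ports:
        findings.append(f"ssh-unusual-port:{port}")
    for entry in settings.get(SSH_KEYS_KEY, "").split(">"):
        parts = entry.split()
        if not parts:
            continue
        # Compare the key body, so an edited comment field cannot hide a key.
        body = parts[1] if len(parts) > 1 else parts[0]
        if body not in known_keys:
            findings.append(f"ssh-unknown-key:{body[:12]}")
    if settings.get(LOG_KEY, "1") == "0":
        findings.append("logging-disabled")
    if settings.get(REMOTE_ADMIN_KEY, "0") != "0":
        findings.append("remote-admin-enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP), {"AAAAexampleOWNERkey"}):
        print(finding)
```

Any finding is a reason to follow the advice above: update the firmware, then factory reset and set new credentials, since keys and settings added by an intruder can outlive a firmware update.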
Stay alert, and keep your security measures updated!



