China-Linked Operation WrtHug: Thousands of ASUS Routers Hijacked for Espionage (2025)

A chilling new threat has emerged, with a China-linked operation named "WrtHug" compromising thousands of ASUS WRT routers worldwide. SecurityScorecard has sounded the alarm, warning of a sophisticated espionage network being built.

The STRIKE team's report reveals a disturbing trend: Operation WrtHug exploits six critical vulnerabilities, most of them older, already-disclosed flaws, to take control of end-of-life SOHO devices. These flaws, ranging from CVE-2023-41345 to CVE-2025-2492, affect the ASUS AiCloud service and include OS command injection bugs, which the attackers use to gain a foothold and maintain persistence.

But here's where it gets controversial: most of the infected devices share the same self-signed TLS certificate, one valid for a full hundred years! That certificate was the red flag for the STRIKE team, who uncovered this global infrastructure campaign while tracking the certificate's spread across thousands of devices concentrated in specific geographic regions.
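One defensive check that indicator suggests, as an added example that is not taken from the SecurityScorecard report: flag any router certificate that is both self-signed and valid for roughly a century. It assumes the certificates have already been parsed into the dictionary layout Python's ssl.SSLSocket.getpeercert() returns (for instance from a certificate inventory export); the sample records below are constructed, not real indicators.

```python
"""Detection helper for the WrtHug certificate indicator: a self-signed TLS
certificate whose validity period spans roughly one hundred years."""
import ssl
from datetime import timedelta

# A hundred-year lifetime is far outside anything a public CA issues, so a
# 90-year threshold catches the indicator while ignoring ordinary certs.
CENTURY_THRESHOLD = timedelta(days=90 * 365)


def _name_to_dict(rdns):
    """Flatten the nested tuple form getpeercert() uses for subject/issuer."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def is_self_signed(cert):
    """Heuristic: subject equals issuer (no signature verification is done)."""
    return _name_to_dict(cert["subject"]) == _name_to_dict(cert["issuer"])


def validity_span(cert):
    """Lifetime between notBefore and notAfter as a timedelta."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return timedelta(seconds=end - start)


def flag_wrthug_cert(cert):
    """True only when BOTH conditions hold; each alone is common and benign."""
    return is_self_signed(cert) and validity_span(cert) >= CENTURY_THRESHOLD


def scan(records):
    """Return the names of inventory records that match the indicator."""
    return [name for name, cert in records.items() if flag_wrthug_cert(cert)]


# Constructed sample records (hypothetical names and dates) in the dict
# layout ssl.SSLSocket.getpeercert() returns.
SUSPICIOUS = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "router.example"),),),
    "notBefore": "Apr  1 00:00:00 2022 GMT",
    "notAfter": "Apr  1 00:00:00 2122 GMT",  # one hundred years later
}
NORMAL = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Apr  1 00:00:00 2025 GMT",
    "notAfter": "Jun 30 00:00:00 2025 GMT",  # 90-day CA-issued cert
}

if __name__ == "__main__":
    print(scan({"suspicious": SUSPICIOUS, "normal": NORMAL}))
```

A match is a hunting lead, not proof of compromise: confirm it against the device's firmware version and the specific certificate details published in the report before acting.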

The report notes that while Operation WrtHug is not explicitly an ORB (operational relay box), it bears a striking resemblance to other Chinese ORB and botnet operations. This has led to speculation about China's involvement.

And this is the part most people miss: a previous China-linked operation, "AyySSHush," also targeted ASUS routers, exploiting CVE-2023-39780. SecurityScorecard suggests that the threat actors behind both campaigns could be the same or at least collaborating.

With up to 50% of victims in Operation WrtHug located in Taiwan, and seven IPs showing signs of compromise in both campaigns, the evidence points towards Chinese adversaries. The report concludes with a low-to-moderate confidence assessment that Operation WrtHug is an ORB facilitation campaign by an unknown China-affiliated actor.

This incident highlights the importance of regular updates, vigilance against outdated services, and proactive monitoring to counter state-sponsored intrusion campaigns. SecurityScorecard's Gilad Maizles emphasizes the growing strategic interest of nation-state groups in using consumer infrastructure as staging points for attacks.

Operation WrtHug serves as a stark reminder of how nation-state actors are embedding themselves in consumer infrastructure to create stealthy, global espionage networks.

What are your thoughts on this alarming trend? Do you think nation-states should be held accountable for such actions? Feel free to share your opinions in the comments!

Author: Greg O'Connell