Asus routers across the globe hit by suspected Chinese cyberattack - here's what we know


  • Thousands of expired ASUS routers hijacked into “Operation WrtHug” cyber-espionage botnet
  • Chinese state-sponsored actors exploit multiple n-day flaws, using 100-year TLS certificates
  • Compromised routers form relay network, mostly in Taiwan and Southeast Asia

Thousands of expired ASUS routers are being hijacked and assimilated into a botnet being used as infrastructure for cyber-espionage operations, experts have warned.

Security researchers at SecurityScorecard, working with Asus, discovered and reported the malicious campaign. They say a group of Chinese state-sponsored threat actors has been exploiting multiple vulnerabilities in a number of ASUS routers to deploy a unique, self-signed certificate on each compromised device.

The vulnerabilities being abused include CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492. These are all n-day flaws, meaning they have been publicly known for a relatively long time. However, because the targeted devices have reached end-of-life, most never received an update, or their owners simply never applied one.

Chinese activity

Here is the list of the models being assimilated into the botnet:

4G-AC55U
4G-AC860U
DSL-AC68U
GT-AC5300
GT-AX11000
RT-AC1200HP
RT-AC1300GPLUS
RT-AC1300UHP

The number of hijacked routers is “in the thousands”, according to the report. All of them share the same unique, self-signed TLS certificate, with an expiration date 100 years in the future.

“This unusually long-lived certificate is a critical indicator of compromise and points to a level of coordination that reflects careful and calculated espionage,” the researchers said.
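The certificate described above is something a network defender can check for directly: a self-signed certificate whose validity period spans a century is unlike anything a vendor or public CA issues. The following Go program is an added example, not code from the researchers or from Asus. It parses an X.509 certificate, flags it when it is both self-signed and valid for decades, and can pull the leaf certificate from a device's HTTPS admin interface for inspection. The 50-year threshold, the `router.lan` name, and the `192.168.1.1:443` address in the comment are assumptions; the sample certificates are generated locally so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// suspiciousValidityYears is an assumed threshold: publicly trusted leaf
// certificates are capped at about a year, and vendor self-signed router
// certificates are normally far shorter than a century.
const suspiciousValidityYears = 50

// Finding describes what was observed about a certificate.
type Finding struct {
	SelfSigned    bool
	ValidityYears float64
	Suspicious    bool
	Reason        string
}

// InspectCert evaluates a parsed certificate against the WrtHug indicator:
// self-signed, with a validity period spanning decades.
func InspectCert(cert *x509.Certificate) Finding {
	f := Finding{}
	// Self-signed: issuer equals subject and the signature verifies under
	// the certificate's own public key.
	f.SelfSigned = cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	f.ValidityYears = cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
	switch {
	case f.SelfSigned && f.ValidityYears >= suspiciousValidityYears:
		f.Suspicious = true
		f.Reason = fmt.Sprintf("self-signed certificate valid for %.0f years", f.ValidityYears)
	case f.SelfSigned:
		f.Reason = "self-signed, but with an ordinary validity period"
	default:
		f.Reason = "issued by a separate CA"
	}
	return f
}

// ScanHost connects to a TLS endpoint (for example a router's HTTPS admin
// page) and inspects the leaf certificate it presents. Chain verification is
// skipped on purpose: the goal is to examine a self-signed certificate, not
// to trust it, and nothing is sent over the connection.
func ScanHost(addr string, timeout time.Duration) (Finding, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return Finding{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return Finding{}, fmt.Errorf("%s presented no certificate", addr)
	}
	return InspectCert(certs[0]), nil
}

// newSelfSignedCert builds a constructed sample certificate valid for the
// given number of years so the check can be exercised without a device.
func newSelfSignedCert(cn string, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Passing the template as its own parent yields a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, years := range []int{1, 100} {
		cert, err := newSelfSignedCert("router.lan", years) // assumed name
		if err != nil {
			panic(err)
		}
		f := InspectCert(cert)
		fmt.Printf("%3d-year cert: suspicious=%v (%s)\n", years, f.Suspicious, f.Reason)
	}
	// To check a device on your own network (assumed address):
	// f, err := ScanHost("192.168.1.1:443", 5*time.Second)
}
```

A self-signed certificate on a router is not by itself a sign of compromise; many vendors ship one. The indicator is the combination with a validity period measured in decades, which is why the check requires both conditions before it flags anything.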

The infected routers become part of a large operational relay network, similar to other China-linked Operational Relay Box (ORB) campaigns.

The routers become nodes that let the actors route their own espionage traffic through innocent people’s routers, hide their real origin when conducting intrusions, build resilient, globally distributed C2 infrastructure and, ultimately, stage attacks against high-value geopolitical targets.

The vast majority of the compromised routers are located in Taiwan and Southeast Asia, which perfectly aligns with Chinese national interests. No compromised routers were found in mainland China, it was said.

The campaign is dubbed “Operation WrtHug”, since the devices are running firmware called AsusWRT.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
