Cybersecurity researchers at GreyNoise have uncovered a sophisticated botnet campaign dubbed AyySSHush that has successfully compromised more than 9,000 ASUS routers. The attack, first detected in March 2025, has expanded its reach to target SOHO routers from other manufacturers including Cisco, D-Link, and Linksys, marking a significant escalation in router-focused cyber threats.
Technical Analysis of the AyySSHush Attack Vector
The threat actors behind AyySSHush employ a multi-layered attack strategy that combines credential brute-forcing, authentication bypass techniques, and vulnerability exploitation. The primary attack vector targeting ASUS devices (specifically models RT-AC3100, RT-AC3200, and RT-AX55) leverages CVE-2023-39780, a critical command injection vulnerability that enables unauthorized system access.
Advanced Persistence and Stealth Mechanisms
The sophistication of AyySSHush is evident in its persistence mechanisms. The attackers implement a custom SSH key and establish a listener on the non-standard TCP port 53282. Most notably, these configuration changes persist even after firmware updates, making backdoor removal particularly challenging for system administrators.
Sophisticated Evasion Techniques
The botnet demonstrates advanced stealth capabilities by avoiding traditional malware deployment methods. The attackers systematically disable system logging functions and deactivate Trend Micro’s AiProtection features, significantly reducing the likelihood of detection through conventional security monitoring.
Threat Intelligence and Campaign Analysis
Security researchers have identified potential connections between AyySSHush and the previously documented Vicious Trap campaign, which also targeted ASUS router vulnerabilities. Intelligence suggests that the attackers are building an extensive network of compromised devices, potentially for reconnaissance and zero-day vulnerability discovery.
Comprehensive Security Mitigation Strategy
To protect against AyySSHush infections, security experts recommend implementing the following protective measures:
– Immediate firmware updates to patch CVE-2023-39780
– Regular audits of SSH authorized_keys files for unauthorized entries
– Implementation of network blocks for known malicious IPs: 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, 111.90.146[.]237
– Complete device factory reset and secure reconfiguration if compromise is suspected
The unprecedented scale and sophistication of the AyySSHush campaign underscores the critical importance of router security in modern network defense strategies. While ASUS has released security patches addressing CVE-2023-39780, availability varies by model. Network administrators and home users are strongly advised to implement security updates promptly and maintain vigilant monitoring of their network infrastructure. The evolving nature of this threat suggests that additional protective measures may be necessary as new attack vectors are discovered.
