SecurityScorecard researchers have disclosed a large-scale malware operation dubbed WrtHug, targeting consumer and SOHO Asus routers. The campaign has already compromised an estimated 50,000 devices, primarily older AC and AX series models that are no longer regularly updated. This incident highlights how poorly maintained home networking equipment has become a strategic asset for cybercriminals and advanced threat actors.
Scale of the WrtHug malware attack on Asus home routers
According to SecurityScorecard’s telemetry, the highest concentration of infected Asus routers is observed in Taiwan, with additional clusters across South-East Asia, Russia, Central Europe, and the United States. These regions collectively represent tens of thousands of exposed home and small-office devices connected directly to the public internet.
Researchers note a conspicuous absence of detected infections in China, despite the strong market penetration of Asus networking products there. This geographic anomaly is considered a potential indicator of a China-linked threat actor, following a pattern seen in other campaigns where operators avoid targeting domestic infrastructure. However, the available data is insufficient for definitive attribution, and any claims about the origin of WrtHug’s operators remain speculative.
How the WrtHug malware compromises Asus routers
Abuse of Asus firmware vulnerabilities and outdated devices
The WrtHug campaign relies on a set of known vulnerabilities in Asus router firmware, including command injection flaws and other previously disclosed security issues. Command injection arises when input taken from a request is spliced into a system command that the router then hands to a shell: shell metacharacters such as ";" or "$( )" embedded in a crafted request make the device run attacker-chosen commands, which in the cases exploited here yields remote code execution without valid credentials.
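To make the mechanism concrete, the following is an added illustration and not Asus's firmware code (which this page does not show): a hypothetical diagnostic handler of the kind router web interfaces expose, first written the vulnerable way (string concatenation handed to a shell) and then hardened (input validated, command executed as an argument list with no shell). A harmless `echo` stands in for a real `ping` so the example is safe to run; the call pattern is otherwise exactly the vulnerable one.

```python
import ipaddress
import re
import subprocess

# Hypothetical router "ping" diagnostic (constructed for this example, not vendor code).
# `echo` replaces the real ping binary so running the example has no side effects.


def vulnerable_diag(target: str) -> str:
    """Build the command line by string concatenation and hand it to /bin/sh.
    Whatever the request contained is parsed by the shell, metacharacters included."""
    cmd = f"echo pinging {target}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# RFC 1123-style hostname: labels of letters/digits/hyphens that start and end alphanumerically.
# Requiring an alphanumeric first character also rejects a leading "-", which blocks
# argument injection (e.g. "-c 9999") even on the argv-based path below.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def validate_target(target: str) -> str:
    """Accept an IPv4/IPv6 address or a DNS hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"invalid target: {target!r}")


def hardened_diag(target: str) -> str:
    """Validate first, then execute with an argv list: no shell ever sees the input."""
    target = validate_target(target)
    result = subprocess.run(["echo", "pinging", target], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"
    print("vulnerable:", vulnerable_diag(payload).strip().replace("\n", " | "))
    try:
        hardened_diag(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened (valid input):", hardened_diag("8.8.8.8").strip())
```

With the payload `8.8.8.8; echo INJECTED` the vulnerable handler prints two lines, the second one produced by the injected command; the hardened handler refuses the input before anything is executed, and even an input that passes validation is never interpreted by a shell.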
The primary victims are routers running outdated, unpatched firmware. Many consumer and SOHO environments deploy networking hardware and then never apply security updates, leaving known vulnerabilities exploitable for years. This pattern has been repeatedly observed in other IoT and router-focused campaigns, from Mirai-style botnets to targeted espionage operations.
SecurityScorecard highlights a particularly critical flaw in Asus's AiCloud remote access component, which the vendor publicly warned about in April 2025. When AiCloud is enabled and reachable from the internet, this flaw lets an attacker execute commands on the router remotely and without authentication by sending a specially crafted HTTP request.
AiCloud remote access as the primary attack vector
The core entry point for WrtHug appears to be the Asus AiCloud feature. AiCloud turns an Asus router into a personal cloud server, enabling remote access to files and local network resources over the internet. If AiCloud is exposed externally and running with a vulnerable configuration, it effectively becomes a public attack surface for the device.
Once a vulnerable AiCloud instance is identified, attackers exploit the flaw to gain an initial foothold on the router. From there, they deploy their malicious tooling, modify configuration elements, and integrate the device into their operational infrastructure, without necessarily modifying the firmware image itself.
Key indicator of compromise: AiCloud TLS certificate valid for 100 years
A distinctive technical marker of WrtHug infection is an abnormal TLS certificate on the AiCloud service. On most compromised routers, the attackers replace the default certificate with a self-signed certificate whose validity period is roughly 100 years, far beyond the 1–10 years typical of router and CA-issued certificates. Note that the stock Asus router certificate is itself self-signed, so self-signed status alone is not a signal; the anomaly is the validity period.
By scanning for this anomalous certificate pattern, SecurityScorecard identified approximately 50,000 unique IP addresses corresponding to infected Asus routers. Many of these are older, yet still widely deployed, AC and AX models that frequently operate outside standard corporate asset management and patching processes.
Similar to the previously reported AyySSHush campaign, WrtHug’s operators do not patch the exploited vulnerabilities or lock down access to prevent other attackers. As a result, compromised routers remain exposed to additional intrusions and potential “takeover” by competing criminal groups or state actors.
Purpose of WrtHug: relay infrastructure, not classic DDoS botnet
Current analysis suggests that the WrtHug malware is not primarily designed for DDoS attacks. Instead, the compromised Asus routers function as a distributed network of relay or proxy nodes (often referred to as “operational relay boxes”).
This architecture enables threat actors to:
— Proxy their traffic through hijacked home and office networks;
— Obscure their true location and make investigations more complex;
— Hide command-and-control (C2) infrastructure behind multiple layers of compromised routers.
Such relay networks are a well-documented tactic in long-term cyber espionage and covert operations, where stealth and persistence are more important than raw bandwidth. While public reporting has not yet tied WrtHug to specific campaigns, its design makes it a plausible tool for long-duration, low-noise operations against both individuals and organizations.
How to secure Asus routers against WrtHug and similar malware
Asus has released firmware updates addressing the vulnerabilities exploited in the WrtHug campaign. Owners of home and SOHO Asus routers should take the following steps without delay:
— Update firmware to the latest version through the official administration interface;
— Disable AiCloud and remote administration if they are not strictly required, or limit them to VPN-only access;
— Replace default admin passwords with unique, strong credentials and store them in a password manager;
— Inspect the certificate presented by the router's HTTPS administration page and AiCloud service (via the browser's certificate viewer or openssl s_client) and treat a certificate with excessively long validity (e.g., 100 years) as a likely sign of compromise: perform a factory reset, then update the firmware and reconfigure, since a firmware update alone does not necessarily revert attacker-modified configuration.
If a router model is end-of-life and no longer supported with security patches, the safest option is to replace it with a currently supported device. At minimum, unsupported routers should not expose remote administration interfaces or cloud-access features directly to the internet.
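A small scanner for the certificate marker described in the indicator-of-compromise section and for the certificate check in the hardening list above. This is an added example, not SecurityScorecard's detection tooling or Asus code. It uses only the Python standard library: the certificate is fetched without chain verification (router certificates are self-signed, and `getpeercert()` returns an empty dict when verification is off), so the validity field is read directly from the DER bytes. The 20-year flagging threshold, the port list and the certificate-shaped sample bytes used for the offline demonstration are assumptions constructed for this example.

```python
import ssl
from datetime import datetime, timezone

# Certificates valid for longer than this are flagged. The WrtHug marker is ~100 years;
# stock router certificates and CA-issued certificates run a few years at most.
# The 20-year figure is an assumption for this example.
LONG_LIVED_DAYS = 20 * 365


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, raw: bytes) -> datetime:
    """RFC 5280 validity times: UTCTime (0x17) before 2050, GeneralizedTime (0x18) from 2050.
    A 100-year certificate issued today ends after 2050, so both forms must be handled."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ, two-digit year
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                       # YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # version was present, so this is serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return _parse_time(t1, nb), _parse_time(t2, na)


def validity_days(der: bytes) -> int:
    nb, na = certificate_validity(der)
    return (na - nb).days


def is_long_lived(der: bytes, threshold_days: int = LONG_LIVED_DAYS) -> bool:
    return validity_days(der) > threshold_days


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a router presents (Python 3.10+ for the timeout argument).
    No chain verification on purpose: the certificate is expected to be self-signed."""
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return ssl.PEM_cert_to_DER_cert(pem)


def scan(targets, threshold_days: int = LONG_LIVED_DAYS):
    """Yield (host, port, validity_days, flagged) for reachable targets; unreachable ones are skipped."""
    for host, port in targets:
        try:
            der = fetch_leaf_der(host, port)
        except (OSError, ssl.SSLError):
            continue
        days = validity_days(der)
        yield host, port, days, days > threshold_days


# --- constructed sample input so the parser can be exercised offline --------------------

def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_certificate(not_before: datetime, not_after: datetime) -> bytes:
    """Certificate-shaped DER with a real validity field. Names, key and signature are
    empty placeholders, so this is parser test data, not a usable certificate."""
    def t(dt: datetime) -> bytes:
        if dt.year < 2050:
            return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
        return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
               + _tlv(0x30, t(not_before) + t(not_after)) + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def sample_for_years(years: int) -> bytes:
    """Sample certificate issued 2025-06-01 (assumed date) and valid for `years` years."""
    issued = datetime(2025, 6, 1, tzinfo=timezone.utc)
    return sample_certificate(issued, issued.replace(year=issued.year + years))


if __name__ == "__main__":
    for years in (1, 100):
        der = sample_for_years(years)
        print(f"{years:>3}-year cert: {validity_days(der)} days, flagged = {is_long_lived(der)}")
    # Live use (only against routers you are authorized to test), AiCloud ports assumed:
    # for row in scan([("192.0.2.1", 443), ("192.0.2.1", 8443)]): print(row)
```

A long validity period is an indicator, not proof of compromise: confirm by checking for other attacker-modified configuration before drawing conclusions, and only scan devices you own or are authorized to test. The parser deliberately handles the GeneralizedTime form, which a naive UTCTime-only check misses precisely on the certificates this campaign plants.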
Separately, Asus has also patched a new critical authentication bypass vulnerability, CVE-2025-59367, affecting the DSL-AC51, DSL-N16, and DSL-AC750 models. There is no public evidence of active exploitation yet, but historically such flaws are rapidly integrated into attack toolchains targeting routers and other edge devices.
The WrtHug campaign underscores that home and small-office routers are now part of the mainstream attack surface, on par with corporate servers and cloud workloads. Regular firmware updates, disabling unnecessary remote services, and maintaining strong credentials are no longer optional best practices but essential defenses. Treating the router as critical infrastructure—rather than a “set-and-forget” box—significantly reduces the chance that a household or small business network becomes an invisible relay in someone else’s cyber operations.