Home routers hijacked for suspected Chinese spy campaign


A newly uncovered cyber-espionage campaign has hijacked more than 50,000 ASUS home routers, turning everyday internet devices into components of a covert network.

The operation, codenamed Operation WrtHug, was uncovered by SecurityScorecard’s STRIKE team in cooperation with ASUS.

According to the report shared with Cybernews, the campaign appears to have been active for at least six months and primarily targets older and end-of-life (EoL) ASUS WRT routers – devices that no longer receive security updates.


The following is a list of detected models of ASUS routers targeted in the campaign:

• ASUS Wireless Router 4G-AC55U

• ASUS Wireless Router 4G-AC860U

• ASUS Wireless Router DSL-AC68U

• ASUS Wireless Router GT-AC5300

• ASUS Wireless Router GT-AX11000

• ASUS Wireless Router RT-AC1200HP

• ASUS Wireless Router RT-AC1300GPLUS

• ASUS Wireless Router RT-AC1300UHP

Researchers at the cybersecurity ratings platform reported that the attackers exploited a collection of long-known vulnerabilities (Nth-day vulnerabilities) rather than undisclosed zero-days.

These flaws remain unpatched on many older routers, making them an easy entry point for attackers.

Several of the vulnerabilities are OS command injection flaws, in which a crafted request tricks the router into running attacker-supplied system-level commands.

Other vulnerabilities enabled remote code execution or allowed attackers to bypass authentication mechanisms entirely.

The report stated that the attackers specifically targeted ASUS’s AiCloud service – a remote-access feature that allows users to connect to their home network or files over the internet – as the initial access vector.

Once inside the router, the attackers installed tools that recruited the device into a global mesh of compromised systems.

SecurityScorecard’s STRIKE team claims to have identified over 50,000 unique IP addresses belonging to these compromised devices over the last six months.

Chinese state actors suspected


Researchers claim that this spy network functions like an Operational Relay Box (ORB) – a distributed network of consumer devices used to relay traffic, hide the origin of espionage operations, and maintain long-term persistence.

According to SecurityScorecard, ORB-style activity is widely associated with Chinese state-backed cyber operators because it allows them to operate quietly and at scale.

Almost half of all infected devices were found to be located in Taiwan

“This campaign appears to be a part of a growing set of campaigns from China-linked hackers looking to quietly develop a massive network of infected devices they can use to establish a persistent presence and remain hidden,” the company concluded.

SecurityScorecard added that one of the most distinctive technical markers was a shared self-signed TLS certificate found across infected routers – the certificate came with “a highly unusual” 100-year expiration period, making it easier for analysts to trace the operation across continents.
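As an added, defender-side example (not code from SecurityScorecard's report or from ASUS), the following Python script checks the two properties of the marker described above on any TLS certificate it is handed: an abnormally long validity span and a self-signed issuer. It uses only the standard library, with a minimal DER reader for the issuer, validity and subject fields of an X.509 certificate. The 10-year threshold, the two sample certificates and the `fetch_peer_cert_der` hostname are constructed for illustration; the samples carry no real key or signature, only the structure needed to exercise the parser.

```python
"""Flag TLS certificates with an abnormal validity span or a self-signed issuer."""
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_YEARS = 10.0          # assumed threshold for this example
SECONDS_PER_YEAR = 365.25 * 86400


# --- minimal DER reader (enough for the X.509 fields we need) ---
def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, body):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = body.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000   # RFC 5280 two-digit year rule
        s = s[2:]
    elif tag == 0x18:
        year, s = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), tzinfo=timezone.utc)


def parse_certificate(der):
    """Return issuer DER, subject DER, notBefore and notAfter of a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, body, pos = _read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return {"issuer": issuer, "subject": subject,
            "not_before": _parse_time(t1, nb), "not_after": _parse_time(t2, na)}


def assess(der):
    """Compute the validity span in years and list findings worth a closer look."""
    c = parse_certificate(der)
    years = (c["not_after"] - c["not_before"]).total_seconds() / SECONDS_PER_YEAR
    self_signed = c["issuer"] == c["subject"]  # raw DER Name comparison
    findings = []
    if years > MAX_VALIDITY_YEARS:
        findings.append(f"validity span {years:.1f} years exceeds {MAX_VALIDITY_YEARS:g}")
    if self_signed:
        findings.append("issuer equals subject (self-signed)")
    return {"years": years, "self_signed": self_signed, "findings": findings}


def fetch_peer_cert_der(host, port=443, timeout=5.0):
    """Grab a device's leaf certificate for inspection without trusting it (not run offline)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample certificates (structure only: no real key or signature) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _time(dt):
    """UTCTime for 1950-2049, GeneralizedTime otherwise, as RFC 5280 requires."""
    if 1950 <= dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_sample_cert(issuer_cn, subject_cn, not_before, not_after):
    sigalg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA OID
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sigalg
               + _name(issuer_cn) + _tlv(0x30, _time(not_before) + _time(not_after))
               + _name(subject_cn) + _tlv(0x30, b""))              # empty SPKI placeholder
    return _tlv(0x30, tbs + sigalg + _tlv(0x03, b"\x00"))


# Constructed inputs: a self-signed cert with a 100-year lifetime, and a one-year CA-issued one.
_UTC = timezone.utc
SUSPICIOUS_SAMPLE = build_sample_cert("router", "router",
                                      datetime(2025, 5, 1, tzinfo=_UTC), datetime(2125, 5, 1, tzinfo=_UTC))
BENIGN_SAMPLE = build_sample_cert("Example CA", "router.example",
                                  datetime(2025, 5, 1, tzinfo=_UTC), datetime(2026, 5, 1, tzinfo=_UTC))

if __name__ == "__main__":
    for label, der in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(der))
    # Against a real device on your own network: assess(fetch_peer_cert_der("192.0.2.1"))
```

A certificate that trips both findings is not proof of compromise on its own, since many embedded devices ship self-signed certificates; the point is that an unusual lifetime combined with the same certificate appearing on many unrelated hosts is the kind of pattern worth correlating across an inventory. The parser deliberately stops at the subject field and ignores extensions, which keeps it short but means it should be treated as a triage helper rather than a general X.509 library.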

Regions affected

The report said that the geographic distribution of compromised routers was “telling”: an estimated 30-50% of infected devices were found to be located in Taiwan, with additional clusters in the US, Russia, Southeast Asia, and Europe.

Researchers noted that this aligned with China-linked cyber-espionage, as did the widespread use of OS command injection vulnerabilities against ASUS devices.


“This also ties to another suspected China-Nexus ORB operation called AyySSHush,” it said.


“The fact that these two campaigns target the same vulnerability on the same types of devices, coupled with the fact that there is a very low number of dual-compromised nodes, leads the research team to speculate about potential coordination between the campaigns.”

The findings highlight the growing risks posed by outdated hardware that remains connected to home or corporate networks.

ASUS has issued advisories addressing all vulnerabilities linked to WrtHug, along with mitigation steps for owners of affected devices.

State-aligned hacking groups are increasingly turning toward consumer-grade devices – specifically, older unsupported ones – as covert infrastructure for long-term espionage operations.
