Thousands of Asus routers infected with backdoor that survives firmware updates


A new botnet is compromising modern Asus WiFi 6 routers and leaving backdoors that allow attackers to remotely control them even after firmware updates. Researchers warn that 9,000 Asus routers are already infected.

GreyNoise, a real-time cybersecurity platform, has warned about a novel botnet dubbed AyySSHush, which successfully exploits vulnerabilities in Asus routers.

During the ongoing exploitation campaign, attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet.


The campaign underscores the dangers of leaving remote access enabled on routers – hackers can take control without users even realizing it.

“As of May 27th, nearly 9,000 ASUS routers are confirmed compromised, based on scans from Censys – a platform that continuously maps and monitors internet-facing assets across the global internet,” the report warns.

“The number of affected hosts is growing.”

Hackers gain access to routers through brute-force login attempts, older authentication bypass vulnerabilities, and other techniques. Once authenticated, they exploit a known command injection vulnerability (CVE-2023-39780), specific to Asus RT-AX55 devices, to execute system commands.

No malware is needed – attackers use legitimate Asus features to enable SSH (Secure Shell) on a custom port (TCP/53282) and insert their own public key for exclusive remote access. They also disable logging to evade detection. However, the open port is picked up by internet scanners.

Asus has patched the flaw (CVE-2023-39780) in a recent firmware update. However, this will not stop attackers from SSHing (remotely connecting) to already compromised routers.

“If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed,” the report reads.

How does the backdoor survive firmware reinstalls?


GreyNoise explains that the backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots. This configuration allows hackers to remotely connect to the router once again after a reboot or firmware installation.

“The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features,” the report reads.

Laying the groundwork for a future botnet

GreyNoise assesses in a report that the threat actor, potentially building a future botnet, wanted to maintain stealthy initial access and avoid detection.

“The level of tradecraft suggests a well-resourced and highly capable adversary,” the report reads.

“The techniques used reflect long-term access planning and a high level of system knowledge.”

It’s likely that the threat actor is building a botnet for future malicious activities, such as proxying cyber attacks, launching distributed denial of service attacks (DDoS), or others.

The suspicious traffic was first observed on March 17th, 2025. This activity overlaps with “ViciousTrap,” a sophisticated threat actor unveiled by Sekoia, another security company, on May 22nd, 2025. ViciousTrap targets various routers and other edge devices, including Asus routers.


GreyNoise says that the Asus campaign is operating very stealthily – its sensors “saw just 30 related requests across three months.”


Researchers could not attribute the malicious activity to any specific threat actor. However, Sekoia couldn’t find a single ViciousTrap-compromised asset in China, while numerous backdoored devices were found in Taiwan and the US, suggesting the involvement of a China-linked actor.

To protect your Asus router, researchers from GreyNoise recommend updating its firmware, checking for SSH access on TCP/53282, reviewing the authorized_keys file for unauthorized entries, and blocking the IPs of exploitation servers.
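The two checks above (SSH listening on TCP/53282 and unexpected entries in authorized_keys) can be scripted against a configuration export rather than eyeballed. The script below is an added example written for this article; it is not GreyNoise or Asus code. It assumes an `nvram show`-style key=value dump using Asuswrt-style variable names (`sshd_enable`, `sshd_port`, `sshd_wan`), which you should confirm against your own firmware, and it compares keys by the same SHA256 fingerprint that `ssh-keygen -lf` prints. The sample NVRAM dump and keys are constructed for the demonstration.

```python
"""Audit a router config export for the pattern described in the article:
SSH enabled on an unusual port plus an unknown key in authorized_keys."""
import base64
import binascii
import hashlib

# Port named in the GreyNoise report as the one the backdoor listens on.
BACKDOOR_SSH_PORT = 53282

# Assumed Asuswrt-style NVRAM variable names; verify on your firmware.
VAR_SSH_ENABLE = "sshd_enable"
VAR_SSH_PORT = "sshd_port"
VAR_SSH_WAN = "sshd_wan"

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_nvram(text):
    """Parse `nvram show`-style key=value lines into a dict."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def key_fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints, or None if undecodable."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line; tolerates option prefixes."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, token in enumerate(parts):
            if token in KEY_TYPES and i + 1 < len(parts):
                yield token, parts[i + 1], " ".join(parts[i + 2:])
                break


def audit(nvram_text, authorized_keys_text, known_fingerprints):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    cfg = parse_nvram(nvram_text)
    findings = []
    # Any non-zero value is treated as "SSH enabled" (assumption about the variable).
    if cfg.get(VAR_SSH_ENABLE, "0") != "0":
        port = cfg.get(VAR_SSH_PORT, "")
        if port == str(BACKDOOR_SSH_PORT):
            findings.append(("ssh_port", f"SSH enabled on TCP/{port}, the port used by the campaign"))
        if cfg.get(VAR_SSH_WAN) == "1":
            findings.append(("ssh_wan", "SSH is reachable from the WAN side"))
    for key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = key_fingerprint(blob)
        if fp is None:
            findings.append(("malformed_key", f"{key_type} entry could not be decoded"))
        elif fp not in known_fingerprints:
            label = comment or "no comment"
            findings.append(("unknown_key", f"{key_type} {fp} ({label}) is not in the allowlist"))
    return findings


# Constructed sample data: one key the administrator recognises, one that nobody added.
ADMIN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
UNKNOWN_BLOB = base64.b64encode(b"constructed unknown key blob").decode()
SAMPLE_NVRAM = "wan_ipaddr=203.0.113.10\nsshd_enable=1\nsshd_port=53282\nsshd_wan=1\n"
SAMPLE_AUTHORIZED_KEYS = (f"ssh-ed25519 {ADMIN_BLOB} admin@laptop\n"
                          f"ssh-ed25519 {UNKNOWN_BLOB}\n")

if __name__ == "__main__":
    allowlist = {key_fingerprint(ADMIN_BLOB)}
    for code, detail in audit(SAMPLE_NVRAM, SAMPLE_AUTHORIZED_KEYS, allowlist):
        print(f"[{code}] {detail}")
```

On a real device the inputs would come from the router's own NVRAM dump and authorized_keys file, and the allowlist from fingerprints you generated yourself; a finding of any kind is a reason to follow the advice below and reset rather than just delete the key.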

“If compromise is suspected, perform a full factory reset and reconfigure manually.”

If you don’t need remote management features, it’s always better to keep them disabled.