Over 9,000 ASUS Routers Compromised in AyySSHush Botnet Campaign
A newly discovered botnet campaign known as "AyySSHush" has compromised over 9,000 ASUS routers, according to cybersecurity firm GreyNoise. The operation, which began in mid-March 2025, appears to bear the hallmarks of a nation-state threat actor, although no specific attribution has been made at this time.
The attackers targeted several ASUS router models, including the RT-AC3100, RT-AC3200, and RT-AX55, by exploiting an older command injection vulnerability tracked as CVE-2023-39780. The injected commands added an attacker-controlled SSH public key and enabled the SSH daemon on a non-standard TCP port, 53282. Because these changes were made through ASUS's own configuration mechanism rather than by modifying the firmware image, they live in the router's saved settings and survive both reboots and firmware upgrades. Patching CVE-2023-39780 therefore closes the entry point but does not remove a key that is already installed, which is why remediation requires inspecting the device and not just updating it.
GreyNoise reports that the attack does not involve the use of malware. Instead, it relies on stealthy techniques such as disabling system logging and turning off Trend Micro’s AiProtection feature. These tactics help the attackers avoid detection while maintaining control of the compromised devices. Despite the scale of the compromise, only a small number of malicious requests were logged, indicating the highly targeted and discreet nature of the campaign.
There are indications that this campaign overlaps with an operation previously identified by French cybersecurity firm Sekoia under the name "Vicious Trap." In that case, attackers exploited CVE-2021-32030 to breach similar router models and deployed scripts to redirect traffic to attacker-controlled systems. The targeted devices included SOHO routers, SSL VPNs, DVRs, and BMC controllers from vendors such as D-Link, Linksys, QNAP, and Araknis Networks.
The specific objectives behind the AyySSHush campaign remain unclear, as there is no evidence of distributed denial of service (DDoS) activity or of the compromised routers being used as proxy nodes. However, the persistent access established here, together with the traffic redirection seen in the related Vicious Trap activity, suggests that the attackers may be quietly building botnet infrastructure for future use.
ASUS has released firmware updates to address CVE-2023-39780 for affected devices. Users are strongly advised to apply these updates immediately and then inspect their routers for signs of compromise, since the update alone does not remove an already-installed backdoor. Key indicators are an unfamiliar SSH public key in the 'authorized_keys' file (or in the router's saved SSH configuration), the SSH daemon listening on TCP port 53282, and unexpected traffic to that port. GreyNoise has also published a list of four IP addresses associated with the threat, which should be added to security blocklists.
In cases where compromise is suspected, a full factory reset is recommended to remove unauthorized configurations. After resetting, users should reconfigure their devices with strong, unique credentials and ensure all security features are re-enabled.
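The following is an added triage helper, not tooling from GreyNoise or ASUS, that checks the indicators above offline against text copied off a router (the contents of the authorized_keys file, the output of `netstat -tln`, and the output of `nvram show`). It fingerprints every installed key the way OpenSSH does (SHA256 of the key blob) and compares them with the owner's known keys, so a key the owner never installed stands out even if its comment field looks plausible. The NVRAM variable names `sshd_enable` and `sshd_port` are assumed from ASUSWRT-based firmware and may differ on your build; the sample device state and the key material are constructed for the example.

```python
"""Offline triage for the AyySSHush SSH-backdoor indicators.

Added example; not GreyNoise's or ASUS's code. Inputs are plain text
copied from the router. NVRAM variable names are assumed (ASUSWRT style).
"""
import base64
import hashlib
import struct

SUSPECT_PORT = 53282  # non-standard SSH port reported by GreyNoise


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """One record per key line: key type, fingerprint, comment.

    Leading options without embedded spaces (e.g. no-pty) are skipped;
    quoted options containing spaces are not handled.
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        while fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
            fields.pop(0)
        if len(fields) < 2:
            continue
        keys.append({
            "type": fields[0],
            "fingerprint": fingerprint(fields[1]),
            "comment": " ".join(fields[2:]),
        })
    return keys


def listening_ports(netstat_text: str) -> set[int]:
    """TCP ports in LISTEN state from BusyBox `netstat -tln` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def parse_nvram(nvram_text: str) -> dict[str, str]:
    """Parse `nvram show` output (name=value per line) into a dict."""
    out = {}
    for line in nvram_text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            out[name.strip()] = value.strip()
    return out


def assess(authorized_keys: str, netstat_text: str, nvram_text: str,
           trusted_keys: str) -> dict:
    """Flag keys the owner did not install and an SSH listener on 53282."""
    trusted = {k["fingerprint"] for k in parse_authorized_keys(trusted_keys)}
    present = parse_authorized_keys(authorized_keys)
    nv = parse_nvram(nvram_text)
    return {
        "unexpected_keys": [k for k in present if k["fingerprint"] not in trusted],
        "port_53282_listening": SUSPECT_PORT in listening_ports(netstat_text),
        "sshd_enabled": nv.get("sshd_enable", "0") != "0",   # assumed var name
        "sshd_port": nv.get("sshd_port"),                    # assumed var name
    }


def _synthetic_key(seed: int, comment: str) -> str:
    """Construct a syntactically valid ssh-ed25519 line (not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed sample state resembling a compromised router.
OWNER_KEY = _synthetic_key(1, "admin@laptop")
ROGUE_KEY = _synthetic_key(2, "")
SAMPLE_AUTHORIZED_KEYS = OWNER_KEY + "\n" + ROGUE_KEY + "\n"
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nlan_ipaddr=192.168.50.1\n"


def sample_report() -> dict:
    """Run the assessment over the constructed sample state."""
    return assess(SAMPLE_AUTHORIZED_KEYS, SAMPLE_NETSTAT, SAMPLE_NVRAM, OWNER_KEY)


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name}: {value}")
```

Any entry in `unexpected_keys`, or `port_53282_listening` being true, is grounds for the factory reset described above rather than for deleting the key by hand, since the same configuration mechanism may hold other changes (such as disabled logging) that a targeted cleanup would miss.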
This campaign highlights the importance of timely firmware updates and proactive monitoring of network devices. Organizations and individuals relying on SOHO routers are encouraged to remain vigilant and adopt best practices to mitigate the risk of compromise.