China’s Silent Web Army: Inside the Massive Hijacking of Asus Routers
A sprawling cyber-espionage campaign has quietly turned tens of thousands of home routers into an invisible global spy network.
Fast Facts
- Over 50,000 Asus routers worldwide have been hijacked in a campaign dubbed Operation WrtHug.
- Attackers exploited multiple old and unpatched vulnerabilities, mostly in discontinued router models.
- The majority of infected devices are located in Taiwan, with significant clusters in the US, Russia, Southeast Asia, and Europe.
- Security experts link the campaign to Chinese state-sponsored hackers engaged in global espionage operations.
- All exploited vulnerabilities have now been patched, but many affected devices remain unsupported and unprotected.
How a Home Router Becomes a Secret Agent
Imagine your humble home router - a device meant to quietly shuttle your family’s internet traffic - suddenly recruited into a shadowy web of espionage. That’s precisely what happened to over 50,000 Asus routers worldwide, according to a new investigation by SecurityScorecard. In a campaign dubbed Operation WrtHug, a suspected Chinese state-backed group quietly seized control of these devices, weaving them into a hidden network serving the interests of global intelligence gathering.
The Anatomy of Operation WrtHug
The attackers took advantage of a series of known vulnerabilities in Asus routers’ AiCloud feature, which lets users access files remotely. These vulnerabilities - catalogued as CVE-2023-41345 through CVE-2025-2492 - are like doors fitted with weak locks, allowing hackers to slip in commands and take over the device. Once inside, the attackers installed a digital certificate with a century-long lifespan, marking each compromised router as a node in their growing web.
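The century-long certificate mentioned above is something a defender can check for directly. The Python below is an added example, not code from SecurityScorecard or Asus: it parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints for a certificate pulled from the router's HTTPS/AiCloud port and flags any lifetime over an assumed 825-day threshold; the sample certificate dates are constructed.

```python
"""Flag TLS certificates with an abnormally long validity period, the
persistence artifact the article says was installed on WrtHug routers.
Input is the text printed by:  openssl x509 -noout -dates"""
from datetime import datetime

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Nov  5 08:15:00 2025 GMT"
# Assumed threshold: public CAs stopped issuing certs longer than 825 days
# years ago, so anything above that deserves a look; a ~100-year cert is
# the anomaly the article describes.
SUSPICIOUS_DAYS = 825


def parse_openssl_dates(text):
    """Return (not_before, not_after) datetimes from notBefore=/notAfter= lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    not_before = datetime.strptime(fields["notBefore"], OPENSSL_DATE_FMT)
    not_after = datetime.strptime(fields["notAfter"], OPENSSL_DATE_FMT)
    return not_before, not_after


def cert_lifetime_days(text):
    """Validity span of the certificate in whole days."""
    not_before, not_after = parse_openssl_dates(text)
    return (not_after - not_before).days


def classify(text, threshold_days=SUSPICIOUS_DAYS):
    """Return ('suspicious', days) if the cert outlives the threshold, else ('ok', days)."""
    days = cert_lifetime_days(text)
    verdict = "suspicious" if days > threshold_days else "ok"
    return verdict, days


# Constructed sample output (not from a real router): a self-signed cert
# valid for exactly 100 years, alongside an ordinary one-year cert.
CENTURY_CERT = "notBefore=Apr 22 08:15:00 2022 GMT\nnotAfter=Apr 22 08:15:00 2122 GMT\n"
NORMAL_CERT = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Jan  1 00:00:00 2026 GMT\n"

if __name__ == "__main__":
    for label, dates in (("century", CENTURY_CERT), ("normal", NORMAL_CERT)):
        verdict, days = classify(dates)
        print(f"{label}: {days} days -> {verdict}")
```

To check a live device, capture its certificate with `openssl s_client -connect <router>:<https-port> </dev/null 2>/dev/null | openssl x509 -noout -dates` and pass that output to `classify`.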
The bulk of the hijacked routers are older, discontinued models, making them especially vulnerable since they no longer receive security updates. Many users, unaware of the risks, continue to rely on these aging devices, unwittingly turning their homes and offices into outposts for foreign intelligence.
A Pattern of Global Espionage
This isn’t the first time Chinese-linked hackers have targeted consumer routers. Earlier this year, the AyySSHush campaign infiltrated similar Asus devices, creating a covert relay network for spying and cyberattacks. Researchers believe the two campaigns may be connected - or even evolving facets of a single, persistent threat actor.
The strategy is clever: by commandeering thousands of everyday routers scattered around the globe, attackers build a resilient, distributed infrastructure that is hard to detect and even harder to dismantle. These “botnets” can be used to mask the origins of attacks, exfiltrate stolen data, or quietly monitor targeted networks.
The geopolitical stakes are high. Taiwan, home to the largest cluster of compromised routers, sits at the center of escalating cyber tensions between China and the West. Meanwhile, the campaign’s reach into the US, Russia, and Europe highlights how vulnerable everyday infrastructure has become to state-level cyber operations.
What Can Users Do?
Security experts urge anyone using an Asus router - especially older models - to update their firmware or replace unsupported devices. Patches are available for all known vulnerabilities, but unmaintained hardware remains a ticking time bomb. As the line between personal technology and global conflict blurs, the humble router is now a frontline target in the world’s cyber shadow war.
WIKICROOK
- Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
- Vulnerability: A vulnerability is a weakness in software or systems that attackers can exploit to gain unauthorized access, steal data, or cause harm.
- Command Injection: Command Injection is a vulnerability where attackers trick systems into running unauthorized commands by inserting malicious input into user fields or interfaces.
- Indicator of Compromise (IoC): An Indicator of Compromise (IoC) is a clue, like a suspicious file or IP address, that signals a system may have been hacked.
- Firmware: Firmware is specialized software stored in hardware devices, managing their core operations and security, and enabling them to function properly.