Operation WrtHug Exposed: The Router Hack You Need to Know
Why Router Hacking Is Not Just a Patching Issue
Your home router can become someone else’s covert infrastructure without you ever noticing. SecurityScorecard’s Field Chief Threat Intelligence Officer Ryan Sherstobitoff, Security Researcher Gilad Maizles, and Signals Collection Engineer Marty Kareem joined SecurityScorecard’s Senior Content Writer Shannon Vavra to discuss Operation WrtHug, a suspected China-nexus campaign compromising ASUS routers worldwide.
The campaign, which the STRIKE Threat Intelligence team exposed in its November report, used multiple known (Nth-day) vulnerabilities to infiltrate thousands of ASUS WRT devices, many of which are End-of-Life (EoL) and unpatched.
The panel walked through how they identified the network of tens of thousands of compromised devices, how these compromised routers act as Operational Relay Boxes (ORBs), forming a stealthy global network for cyber-espionage, and how to defend against it.
Sherstobitoff emphasized the high stakes: “This is a stark reminder that we are in a constant global cyber war. It’s not always about kinetic warfare, it’s also about espionage and intelligence.”
Listen to audio of the webinar here.
Watch the full webinar here.
How STRIKE Found Operation WrtHug
Maizles explained that STRIKE often looks for early “canaries” in router campaigns, especially certificate anomalies. In this case, a single clue stood out as the smoking gun. Thousands of routers in different countries presented the exact same, highly suspicious self-signed TLS certificate.
That should never happen on consumer devices: a certificate shared across many routers means whoever holds its private key can decrypt or impersonate traffic to every one of them.
That detail by itself was enough to warrant further investigation. Then came the detail that cemented suspicions. The TLS certificate had a validity period of 100 years, which indicated something was afoot, since legitimate certificates almost never look like that.
“The certificate shows how brazen the actors can be because any organization with even the most basic security measures will get so many red flags just from this,” Maizles said. “Especially if it’s self-signed, seems to come out of nowhere, and includes an expiration date like this.”
Once STRIKE fingerprinted and validated the pattern, the certificate became the anchor indicator of compromise (IOC) that the team used to map the operation worldwide.
Why Router-Based Espionage Is a Growing Threat
The STRIKE report shows WrtHug targeting ASUS WRT routers almost exclusively, with most infections on EoL models. The campaign compromises devices through Nth-day flaws, especially in AiCloud, ASUS’s remote access feature.
Kareem underscored why routers are perfect material for espionage infrastructure operations like ORBs: They are always on, globally distributed, and often outdated. Kareem called the outcome a “perfect recipe” for attackers because they offer:
- Anonymity by relaying traffic
- Persistence because EoL devices are often unmonitored
- Global reach from thousands of quietly owned nodes
STRIKE identified at least six exploited vulnerabilities, including the command injection vulnerability CVE-2023-39780.
These issues are all patched now, but threat actors still use them against outdated or EoL routers.
How Likely China-Nexus Actors Scale Router Espionage
Operation WrtHug makes clear that defenders are not just facing malware or patch management issues. They’re contending with adversaries building infrastructure using unmonitored devices for their long-term goals.
As Maizles explained, “this is an adversary issue.” These actors don’t need cutting-edge exploits. They just need defenders to overlook what’s already exposed and what threat actors are doing.
“This is not a vulnerability issue. This is not a malware issue. This is an adversary issue.” — Gilad Maizles
“This is you being targeted by someone with intent. And as we’ve seen in this operation, the TTPs can change, vulnerabilities can shift, and we’ve seen in other operations where malware can adapt over time. But it is the same actor with the same intent,” Maizles said.
The threat actor behind WrtHug didn’t rely on zero-days. Instead, they chained together Nth-day vulnerabilities: publicly known, already patched flaws. Espionage operations thrive when routers are ignored and when teams are not ingesting threat intelligence to stay ahead of threat actors’ intent.
The team emphasized that this is part of a larger pattern. STRIKE has tracked multiple router-based intrusion campaigns in the past year. Maizles cited earlier research exposing LapDogs, another China-linked ORB campaign targeting routers using similar techniques. GreyNoise’s report, called “AyySSHush,” revealed another ORB operation.
WrtHug shares tactical DNA with both campaigns, but, crucially, they share very few infected nodes, which the STRIKE researchers said suggests either collaboration or parallel efforts by multiple actors.
What Security Teams and Router Owners Should Do Now
The panel closed with concrete defense guidance. Maizles urged ASUS owners to follow ASUS’s advisory and, if possible, patch or retire EoL devices. He said the simplest immediate win is disabling AiCloud or any service not in use. If users suspect compromise, they should check for the WrtHug certificate listed in STRIKE’s report.
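The certificate checks described above (an identical self-signed certificate across many devices, a 100-year validity period, and a fingerprint match against the IOC in STRIKE’s report) can be automated for a router you administer. The following Go program is an added example written for this recap; it is not STRIKE’s tooling or ASUS’s code. It pulls the leaf certificate a device presents, computes its SHA-256 fingerprint, and flags a self-signed certificate, an implausibly long validity period (the 5-year limit is an assumption), and any fingerprint found in a known-bad list. The real WrtHug fingerprint must be copied from STRIKE’s report; the value below is a labelled placeholder, and the certificate built in `main` is constructed in memory so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Finding describes one anomaly observed on a device's TLS certificate.
type Finding string

const (
	SelfSigned   Finding = "self-signed certificate"
	LongLived    Finding = "validity period exceeds policy limit"
	KnownBadCert Finding = "fingerprint matches a known-bad (IOC) certificate"
)

// MaxValidity is the longest validity period accepted before flagging.
// Assumption: 5 years already exceeds any legitimate consumer-device certificate.
const MaxValidity = 5 * 365 * 24 * time.Hour

// Fingerprint returns the SHA-256 digest of the DER certificate as lowercase hex,
// the form in which certificate IOCs are usually published.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IsSelfSigned requires issuer == subject AND a signature that verifies under the
// certificate's own key; matching names alone can be forged.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// Assess runs the three checks; knownBad maps fingerprint -> IOC label.
func Assess(cert *x509.Certificate, knownBad map[string]string) []Finding {
	var findings []Finding
	if IsSelfSigned(cert) {
		findings = append(findings, SelfSigned)
	}
	if cert.NotAfter.Sub(cert.NotBefore) > MaxValidity {
		findings = append(findings, LongLived)
	}
	if _, hit := knownBad[Fingerprint(cert)]; hit {
		findings = append(findings, KnownBadCert)
	}
	return findings
}

// FetchPeerCert retrieves the leaf certificate a device presents on addr, e.g.
// "192.0.2.1:8443". Verification is skipped on purpose: the goal is to inspect a
// self-signed certificate, not to trust it, and nothing beyond the handshake is sent.
func FetchPeerCert(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s presented no certificate", addr)
	}
	return certs[0], nil
}

// NewSelfSignedCert builds a constructed self-signed certificate in memory so the
// example runs offline; validity is a parameter so a 100-year certificate can be mimicked.
func NewSelfSignedCert(cn string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Placeholder: replace with the fingerprint published in STRIKE's report.
	knownBad := map[string]string{"<WRTHUG-FINGERPRINT-FROM-REPORT>": "Operation WrtHug certificate"}
	cert, err := NewSelfSignedCert("router.local", 100*365*24*time.Hour) // constructed 100-year cert
	if err != nil {
		panic(err)
	}
	fmt.Printf("fingerprint %s\nfindings: %v\n", Fingerprint(cert), Assess(cert, knownBad))
	// For a real device: cert, err := FetchPeerCert("192.0.2.1:8443")
}
```

Run it against the management port of a router you own, then compare the printed fingerprint with the IOC in STRIKE’s report; a self-signed certificate by itself is normal for a consumer router, so it is the long validity period and, above all, the fingerprint match that should trigger the reset-and-patch procedure in ASUS’s advisory.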
Sherstobitoff advised small enterprises to inspect logs for persistent connections that do not make sense. Kareem recommended validating the health of remote workers’ home networks, and added that replacing EoL hardware is another valid defense step, even though it brings additional expense.
STRIKE’s collaboration with ASUS was instrumental in validating vulnerabilities and developing mitigations. ASUS has released a full advisory and FAQ to help customers secure their devices.
“We knew that they are the specialists when it comes to their own devices, and so if we try to put this out, let them read it as anyone else does, and leave them with the headache. But that’s not helping them. But even worse than that, that’s not helping the world. That’s not helping the owners of those routers,” Maizles said. “That’s our DNA: We collaborate. We want to work with and not against or compete.”
Contact STRIKE
The growing trend of threat actors building ORBs reflects a shift toward establishing persistent, scalable infrastructure for cyber-espionage, rather than one-off campaigns. Threat actors are building platforms designed to persist, evolve, and remain hidden.
This campaign highlights the urgent need for defenders to look beyond patching active systems. Securing the modern network requires visibility into threat actors’ evolving TTPs, and into legacy hardware, cloud-exposed services, and consumer-grade infrastructure that may quietly become part of a global espionage operation.
SecurityScorecard’s STRIKE Team has access to one of the world’s largest databases of cybersecurity signals, dedicated to identifying threats that evade conventional defenses. With proactive risk management and a rapid response approach, SecurityScorecard offers companies protection against third-party risks and the ability to counter active threats like those in the telecommunications sector.
Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security.
For STRIKE media inquiries, contact us here.