Operation WrtHug: The Global Espionage Campaign Hiding in Your Home Router
Your home router, the device that connects you to the internet, may have been turned into a tool for a global espionage campaign. A new report, “Operation WrtHug,” has uncovered a massive, coordinated effort that has compromised thousands of ASUS routers worldwide. This is a meticulously planned operation that should be a serious alert for everyone, from home users to security professionals.
SecurityScorecard’s STRIKE team consulted with ASUS to produce this report and is grateful for their willingness to provide their product security expertise for the research.
The importance of this report is twofold: It identifies a major, ongoing threat, and it reveals another disturbing trend in state-sponsored cyber-espionage.
For a full technical analysis, read the STRIKE team’s report on Operation WrtHug.
What Is Operation WrtHug?
WrtHug is a widespread operation that appears to exclusively target ASUS WRT routers. The attackers exploit “Nth day vulnerabilities,” which are security flaws that have been publicly known for some time, to gain high-level privileges on the devices. The campaign mainly affects End-of-Life (EoL) devices.
One key attack vector the threat actors used is a collection of OS command injection vulnerabilities on ASUS devices (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348). These are collectively associated with CVE-2023-39780, which is rated 8.8 on the CVSS severity scale.
The attackers also used vulnerabilities CVE-2024-12912 (an arbitrary command execution vulnerability with a 7.2 CVSS score) and CVE-2025-2492 (an improper authentication control vulnerability with a 9.2 CVSS score). They specifically targeted the AiCloud service on ASUS devices as the initial access vector.
In all, we know the threat actor leveraged at least six vulnerabilities for initial access in this campaign.
Once the hackers compromise a device, it becomes part of a global network of infected routers. SecurityScorecard’s STRIKE team identified over 50,000 unique IP addresses belonging to these compromised devices over the last six months.
What makes these infected routers stand out is a shared, self-signed TLS certificate with an unusually long 100-year validity period. This unique digital fingerprint serves as a key indicator of compromise, allowing researchers to track the campaign.
Why This Matters
This campaign is a prime example of a sophisticated, evolving threat. SecurityScorecard’s STRIKE team assesses with low-to-moderate confidence that Operation WrtHug is an Operational Relay Box (ORB) facilitation campaign carried out by an unknown China-affiliated actor. ORB campaigns are intrusion operations carried out by state-sponsored actors to expand and deepen global espionage operations.
This campaign appears to be a part of a growing set of campaigns from China-linked hackers looking to quietly develop a massive network of infected devices they can use to establish persistent presence and remain hidden.
The geographical distribution of the affected devices is telling. Between 30% and 50% of the compromised devices are located in Taiwan, with other clusters in the U.S., Russia, Southeast Asia, and Europe. This localized targeting and the methods used mirror previous campaigns STRIKE has observed.
The use of OS command injection vulnerabilities against ASUS devices on a wide scale, such as CVE-2023-39780, is also tied to another suspected China-nexus ORB operation called “AyySSHush.” The fact that these two campaigns target the same vulnerability on the same types of devices, coupled with the very low number of dual-compromised nodes, leads the research team to speculate about potential coordination between the campaigns.
The report emphasizes that these campaigns are moving beyond simple brute-force attacks to multi-stage infections that exploit a variety of vulnerabilities. The attackers seem to mainly target AiCloud, a proprietary ASUS service designed to provide remote access to home networks or storage, much like a “personal cloud” service. In some cases, signs of infection appeared on other services on compromised devices, such as the management panel, serving as an indication of a deeper compromise of the devices themselves.
What Security Professionals Can Learn
This report is a clear case study on evolving attacker methods. The attackers' use of a service that harbors Nth day vulnerabilities as an attack vector highlights the risks associated with EoL devices and legacy software. Tracking the unique TLS certificate in this case can help security teams looking to protect against this operation.
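As an added illustration (not code from the STRIKE report or from ASUS), the check below turns the certificate indicator described in the "What Is Operation WrtHug?" section and here into a defensive triage rule over a certificate in Python's ssl.getpeercert() dict layout: it flags a self-signed certificate (issuer equals subject) and a validity window longer than ten years. The ten-year threshold and the two sample certificates are constructed assumptions, not values taken from the report.

```python
import ssl
from datetime import timedelta
from typing import Dict, List

# Assumed threshold: ordinary CA-issued server certificates are valid for
# roughly a year, so a validity window beyond a decade is anomalous for a
# router's web UI.  A 100-year window, as described for the campaign,
# exceeds it by a wide margin.
MAX_REASONABLE_VALIDITY = timedelta(days=10 * 365)


def validity_period(cert: Dict) -> timedelta:
    """Length of the validity window for a cert in ssl.getpeercert() dict form."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return timedelta(seconds=not_after - not_before)


def is_self_signed(cert: Dict) -> bool:
    """A self-signed certificate names itself as issuer (issuer == subject)."""
    return cert.get("issuer") == cert.get("subject")


def certificate_flags(cert: Dict,
                      max_validity: timedelta = MAX_REASONABLE_VALIDITY) -> List[str]:
    """Return the anomaly flags raised by this certificate (empty list if none)."""
    flags = []
    if is_self_signed(cert):
        flags.append("self-signed")
    if validity_period(cert) > max_validity:
        flags.append("long-validity")
    return flags


# Constructed sample certificates (not real ones from the report), in the
# dict layout returned by ssl.SSLSocket.getpeercert().
SUSPICIOUS_CERT = {
    "subject": ((("commonName", "router.example.invalid"),),),
    "issuer": ((("commonName", "router.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Jan  1 00:00:00 2122 GMT",   # 100 years later
}
BENIGN_CERT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for name, cert in (("suspicious", SUSPICIOUS_CERT), ("benign", BENIGN_CERT)):
        print(name, certificate_flags(cert) or ["no anomalies"])
```

The same rule can run over certificates collected from a TLS scan of your own address space; a hit on both flags is a reason to inspect the device, not proof of compromise on its own.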
The report’s findings underscore the critical need for constant vigilance and proactive monitoring. It is not enough to simply apply patches to active products. Security teams must consider the security of the entire network, including aging devices and services, in order to counter sophisticated, state-sponsored intrusion campaigns.
The ASUS security team has addressed all of the aforementioned vulnerabilities used in Operation WrtHug in its security advisory, including mitigation steps to take if your device has been compromised.
For more resources, please view the ASUS product security advisory here or learn how to make your devices more secure with their FAQ.
This research was made possible thanks to our colleagues at ASUS, who were willing to consult us in this research project and improve the online safety of ASUS device owners and others.
SecurityScorecard’s STRIKE team is an elite squad of cybersecurity experts who have spent decades as intelligence analysts, threat hunters, and military cyber operators. The team processes more than 12 billion daily security signals, transforming data into actionable insights for security operations centers.
STRIKE’s intelligence is created by the team itself, not purchased from others, allowing them to deliver real-time information that lets teams “strike first” against threats. By analyzing global telemetry, SSL/TLS logs, and dark web activity, STRIKE creates unique, proprietary, accurate, and timely threat intelligence that helps organizations defend against active and emerging threats. This intelligence fuels security operations and helps inform network defense and risk management strategy for organizations of all sizes.