Executive Summary
In early 2024, thousands of end-of-life ASUS WRT routers worldwide were compromised in a large-scale campaign dubbed "Operation WrtHug". Attackers exploited at least six known vulnerabilities in outdated router firmware to hijack control of the devices. These compromised routers were assimilated into a new botnet infrastructure, enabling malicious actors to facilitate unauthorized traffic routing, launch further attacks, and potentially intercept sensitive data passing through these compromised endpoints. The incident points to neglected device lifecycle management and widespread exposure due to unpatched, unsupported consumer hardware.
This breach is particularly notable as it reflects a growing trend: attackers shifting focus to vulnerable, unmaintained IoT and networking hardware. With legacy devices lacking security updates, organizations face heightened risk of compromise and regulatory scrutiny, while defenders must urgently address asset visibility and enforcement across distributed infrastructure.
Why This Matters Now
The surge in attacks targeting unsupported network hardware illustrates an urgent risk for organizations that fail to retire or secure legacy devices. Rapid expansion of IoT and remote work infrastructures creates a broad attack surface, making prompt asset discovery, segmentation, and lifecycle management essential to avoid exploitation.
Attack Path Analysis
Attackers exploited unpatched vulnerabilities in thousands of end-of-life ASUS routers to gain an initial foothold. Following access, adversaries likely escalated privileges within compromised devices to maintain persistence and broaden their control. Using compromised routers, attackers moved laterally across local and adjacent networks, incorporating new devices into their botnet infrastructure. The routers established outbound command and control communications to attacker infrastructure, enabling remote management and additional malware distribution. Some compromised devices relayed malicious traffic or carried outbound data transfers, contributing to broader exfiltration or proxying. Ultimately, the campaign disrupted network integrity at scale, creating a resilient botnet for follow-on activity such as DDoS or hijacking of additional infrastructure.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited multiple unpatched vulnerabilities in outdated ASUS WRT routers exposed to the internet to gain unauthorized access.
Related CVEs
CVE-2023-41345
CVSS 8.8. An OS command injection vulnerability in ASUS WRT routers allows remote attackers to execute arbitrary commands.
Affected Products: ASUS WRT Routers – Various end-of-life models
Exploit Status: Exploited in the wild

CVE-2023-41346
CVSS 8.8. An OS command injection vulnerability in ASUS WRT routers allows remote attackers to execute arbitrary commands.
Affected Products: ASUS WRT Routers – Various end-of-life models
Exploit Status: Exploited in the wild

CVE-2023-41347
CVSS 8.8. An OS command injection vulnerability in ASUS WRT routers allows remote attackers to execute arbitrary commands.
Affected Products: ASUS WRT Routers – Various end-of-life models
Exploit Status: Exploited in the wild

CVE-2023-41348
CVSS 8.8. An OS command injection vulnerability in ASUS WRT routers allows remote attackers to execute arbitrary commands.
Affected Products: ASUS WRT Routers – Various end-of-life models
Exploit Status: Exploited in the wild

CVE-2023-39780
CVSS 8.8. A command injection vulnerability in ASUS routers allows remote attackers to execute arbitrary commands.
Affected Products: ASUS Routers – Various models
Exploit Status: Exploited in the wild

CVE-2024-12912
CVSS 7.2. An arbitrary command execution vulnerability in ASUS routers allows remote attackers to execute arbitrary commands.
Affected Products: ASUS Routers – Various models
Exploit Status: Exploited in the wild

CVE-2025-2492
CVSS 9.2. An improper authentication control vulnerability in ASUS routers with AiCloud enabled allows remote attackers to bypass authentication.
Affected Products: ASUS Routers with AiCloud – Various models
Exploit Status: Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Network Share Discovery
Account Manipulation
Remote Services: Remote Desktop Protocol
Valid Accounts
Develop Capabilities: Malware
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 8
CISA ZTMM 2.0 – Asset Inventory and Management
Control ID: Asset Management: 1.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to router botnet hijacking compromises network infrastructure, requiring enhanced egress security, encrypted traffic monitoring, and zero trust segmentation implementations.
Financial Services
End-of-life router vulnerabilities threaten transaction security and compliance frameworks, necessitating immediate threat detection systems and secure hybrid connectivity solutions.
Health Care / Life Sciences
HIPAA-regulated networks face data exfiltration risks from compromised routers, demanding east-west traffic security and anomaly detection for patient data protection.
Government Administration
Public sector infrastructure vulnerable to botnet infiltration requires multicloud visibility controls and intrusion prevention systems to prevent lateral movement attacks.
Sources
- New WrtHug campaign hijacks thousands of end-of-life ASUS routers – https://www.bleepingcomputer.com/news/security/new-wrthug-campaign-hijacks-thousands-of-end-of-life-asus-routers/
- Operation WrtHug Targets Over 50,000 ASUS Routers to Build a Global Botnet – Thailand Computer Emergency Response Team (ThaiCERT) – https://www.thaicert.or.th/en/2025/11/21/operation-wrthug-targets-over-50000-asus-routers-to-build-a-global-botnet/
- ASUS Official Statement on Recent Reports Regarding Router Security | News | ASUS USA – https://www.asus.com/us/news/wbhfio4vqjodds5p/
- Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaign – https://www.itpro.com/security/cyber-attacks/thousands-of-asus-routers-are-being-hijacked-in-a-state-sponsored-cyber-espionage-campaign
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust network segmentation, east-west traffic controls, advanced threat detection, and strong egress enforcement offered by CNSF and Zero Trust capabilities could have detected, contained, or prevented multiple phases of the router hijacking campaign, limiting adversary lateral movement and external communications.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline inspection would block known exploit signatures at the perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time anomaly detection would alert on and limit unauthorized privilege escalation.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation would prevent unrestricted lateral movement between network segments.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to malicious domains or IPs would be detected and blocked.
Control: Encrypted Traffic (HPE) & Egress Security
Mitigation: Data exfiltration attempts would be detected and blocked at network boundaries.
Attack-related activity would be rapidly identified across hybrid environments.
Impact at a Glance
Affected Business Functions
- Network Infrastructure
- Remote Access Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive data due to unauthorized access to network traffic and connected devices.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to rigorously isolate network zones and prevent lateral movement from compromised devices.
- Enforce robust outbound egress policies combined with DNS/FQDN filtering to disrupt command and control and data exfiltration paths.
- Continuously monitor and baseline device and network behavior to rapidly detect anomalies and privilege escalation attempts.
- Deploy real-time, inline threat detection with signature and behavioral analysis for cloud and edge workloads to block exploitation at initial ingress.
- Maintain full visibility and centralized policy control across multicloud and hybrid environments to accelerate detection and response to widespread infrastructure attacks.
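The second and third takeaways above (egress/FQDN filtering and behaviour baselining for edge devices) can be checked mechanically against flow records. The script below is an added illustration written for this summary; it is not code from the original advisory, from ASUS, or from any vendor product. The router addresses, allowlisted domains, port list and flow-log lines are all constructed, and the log format ("timestamp src dst dport fqdn") is an assumption chosen for the example.

```python
"""Egress-policy and behaviour-baseline checks over constructed router flow logs.

Added example, not part of the original advisory. Every address, domain and
log line below is constructed; the log format is an assumed one.
"""
from typing import List, Optional, Set, Tuple
from dataclasses import dataclass

# Constructed egress policy: destinations a router may contact on its own behalf
# (firmware updates, time sync, resolver). Anything else from a router is suspect.
ALLOWED_FQDN_SUFFIXES = ("firmware.example.com", "ntp.example.com")  # hypothetical allowlist
ALLOWED_PORTS = {53, 123, 443}
ROUTER_HOSTS = {"10.0.0.1", "10.0.0.2"}  # constructed addresses of the edge routers

# Constructed flow log: "ts src dst dport fqdn"; fqdn is "-" when the device
# connected to a raw IP with no preceding DNS resolution (a common C2 trait).
FLOW_LOG = """\
1700000000 10.0.0.1 203.0.113.10 443 firmware.example.com
1700000001 10.0.0.1 203.0.113.11 123 0.ntp.example.com
1700000002 10.0.0.2 198.51.100.7 443 -
1700000003 10.0.0.2 198.51.100.8 8080 update-proxy.example.net
1700000004 10.0.0.1 203.0.113.10 443 firmware.example.com
""".splitlines()


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    fqdn: Optional[str]


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line into a Flow record."""
    ts, src, dst, dport, fqdn = line.split()
    return Flow(int(ts), src, dst, int(dport), None if fqdn == "-" else fqdn)


def fqdn_allowed(fqdn: Optional[str]) -> bool:
    """True if fqdn equals, or is a subdomain of, an allowlisted suffix."""
    if fqdn is None:
        return False
    return any(fqdn == s or fqdn.endswith("." + s) for s in ALLOWED_FQDN_SUFFIXES)


def egress_violation(flow: Flow) -> Optional[str]:
    """Return the policy violated by a router-originated flow, or None if clean."""
    if flow.src not in ROUTER_HOSTS:
        return None  # policy applies only to traffic the routers originate themselves
    if flow.dport not in ALLOWED_PORTS:
        return f"port {flow.dport} not permitted"
    if flow.fqdn is None:
        return "direct-to-IP connection without DNS resolution"
    if not fqdn_allowed(flow.fqdn):
        return f"destination {flow.fqdn} not on allowlist"
    return None


def build_baseline(flows: List[Flow]) -> Set[Tuple[str, str, int]]:
    """Learn (source, destination name or IP, port) triples from a trusted window."""
    return {(f.src, f.fqdn or f.dst, f.dport) for f in flows}


def new_behaviour(flows: List[Flow], baseline: Set[Tuple[str, str, int]]) -> List[Flow]:
    """Flows whose (src, destination, port) triple was never seen in the baseline."""
    return [f for f in flows if (f.src, f.fqdn or f.dst, f.dport) not in baseline]


def audit(lines: List[str], baseline_lines: Optional[List[str]] = None):
    """Return (policy violations, flows outside the learned baseline)."""
    flows = [parse_flow(line) for line in lines]
    violations = []
    for f in flows:
        reason = egress_violation(f)
        if reason:
            violations.append((f, reason))
    novel: List[Flow] = []
    if baseline_lines is not None:
        novel = new_behaviour(flows, build_baseline([parse_flow(l) for l in baseline_lines]))
    return violations, novel


if __name__ == "__main__":
    # Treat the first two records as the learning window, then audit everything.
    violations, novel = audit(FLOW_LOG, baseline_lines=FLOW_LOG[:2])
    for f, reason in violations:
        print(f"EGRESS VIOLATION {f.src} -> {f.fqdn or f.dst}:{f.dport}: {reason}")
    for f in novel:
        print(f"NEW BEHAVIOUR    {f.src} -> {f.fqdn or f.dst}:{f.dport}")
```

In practice the allowlist would be the handful of vendor update, NTP and resolver names the routers legitimately need, and the baseline window would be taken from a period before the device was exposed; a router that suddenly talks to a raw IP it never resolved, or to a port it never used, is exactly the kind of signal the egress and baselining takeaways are meant to surface.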