
Operation WrtHug Hits Over 50000 Asus Routers Worldwide

Thousands of Asus Routers Hacked

A large number of Asus routers are under attack from suspected Chinese hackers. These routers are old models no longer supported, leaving them vulnerable. Researchers are trying to determine the full extent of the hacking operation.

  • Thousands of Asus routers hacked
  • Attackers targeting seven outdated models
  • Operation named WrtHug
  • Compromised routers likely used for espionage
  • Most hacked routers found in Taiwan
  • Previous similar attacks by China noted

Security researchers have identified an extensive covert campaign, known as Operation WrtHug, that has compromised over 50000 Asus routers worldwide. The campaign has been carried out by state-affiliated China-based threat actors and targets outdated Asus devices to establish a stealthy espionage network of compromised routers.[1][2][3]

This campaign represents a sharp escalation in router-targeted cyberattacks, leveraging sophisticated multi-vulnerability exploits while maintaining operational stealth.

Specific Asus Router Models Targeted and Geographic Concentration

The routers affected by Operation WrtHug all belong to a set of end-of-life (EoL) Asus models that no longer receive firmware updates from the manufacturer, making them highly vulnerable:

  • Asus Wireless Router RT-AC1300GPLUS
  • Asus Wireless Router RT-AC1300UHP
  • Asus Wireless Router GT-AX11000
  • Asus Wireless Router RT-AC1200HP
  • Asus Wireless Router GT-AC5300
  • Asus Wireless Router DSL-AC68U
  • Asus Wireless Router 4G-AC55U
  • Asus Wireless Router 4G-AC860U

Geographically, the majority of infections are detected in Taiwan and Southeast Asia with smaller clusters in the United States, Russia, Central Europe, South Korea, Japan, and Hong Kong.[4][5]

How Attackers Exploit Vulnerabilities to Compromise Routers

Attackers exploit six publicly disclosed vulnerabilities, primarily related to command injection and authentication bypass flaws affecting the Asus AiCloud service, which is designed to provide remote file access. The exploited vulnerabilities include:

  • CVE-2023-41345
  • CVE-2023-41346
  • CVE-2023-41347
  • CVE-2023-41348
  • CVE-2024-12912
  • CVE-2025-2492

By chaining these vulnerabilities, attackers achieve persistent administrator-level access on routers, often surviving reboots and circumventing firmware updates.[7][6]

Distinctive Indicator of Compromise

One hallmark of these compromised routers is the installation of a self-signed Transport Layer Security (TLS) certificate with suspicious attributes:

  • Certificate expiration set roughly 100 years after April 2022 (around year 2122).
  • Issuer and subject attributes set generically to “CN=a,OU=a,O=a,L=a,ST=a,C=aa”.

This certificate enables attackers to intercept and manipulate encrypted router management communications stealthily, bypassing typical security warnings.[8][9]

Espionage-Focused Stealth Operation

Unlike more visible attacks such as DDoS, Operation WrtHug is believed to support espionage infrastructure, consistent with operational relay box (ORB) tactics. Compromised routers act as proxies to mask attacker origins and conduct covert reconnaissance globally. This aligns closely with known campaigns by Chinese advanced persistent threat (APT) groups such as APT31.[10]

How to Verify If Your Router Is Compromised

To check if your Asus router is affected, follow these steps:

  1. Log into your router’s administrative web interface (commonly at 192.168.1.1).
  2. Locate the security or certificate management settings section.
  3. Inspect installed TLS certificates for expiration dates set in the year 2122 and issuer/subject fields marked as CN=a,OU=a,O=a,L=a,ST=a,C=aa.
  4. Follow Asus’s official instructions to export or view the TLS certificate details for confirmation.[11][3]
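Step 3 can be scripted. As an added example (not from the article, the researchers or Asus), this Python checks the text that `openssl x509 -noout -subject -issuer -enddate` prints for an exported certificate against the two attributes listed above. The function names, the one-year tolerance on "around 2122" and the sample certificate text are assumptions constructed for illustration.

```python
import re

# Indicator from the article: issuer and subject both "CN=a,OU=a,O=a,L=a,ST=a,C=aa",
# expiry roughly 100 years after April 2022 (around 2122).
IOC_DN = {"CN": "a", "OU": "a", "O": "a", "L": "a", "ST": "a", "C": "aa"}
IOC_YEAR = 2122
YEAR_TOLERANCE = 1  # assumption: "around 2122" is read as 2121..2123

def parse_dn(dn):
    """Turn an OpenSSL-printed DN ('CN = a, OU = a' or '/CN=a/OU=a') into a dict."""
    pairs = re.findall(r"(?:^|[,/])\s*([A-Za-z]+)\s*=\s*([^,/]*)", dn.strip())
    return {key.upper(): value.strip() for key, value in pairs}

def parse_openssl_text(text):
    """Pick subject, issuer and notAfter out of the openssl output lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer", "notAfter"):
            fields[key.strip()] = value.strip()
    return fields

def check_certificate(text):
    """Return (matches_indicator, findings) for one certificate's openssl text."""
    fields = parse_openssl_text(text)
    findings = []
    for name in ("subject", "issuer"):
        # Dict comparison ignores attribute order, which differs between DN styles.
        if parse_dn(fields.get(name, "")) == IOC_DN:
            findings.append(f"{name} equals the placeholder DN")
    year = re.search(r"\b(\d{4})\b(?=\s*GMT)", fields.get("notAfter", ""))
    if year and abs(int(year.group(1)) - IOC_YEAR) <= YEAR_TOLERANCE:
        findings.append(f"expires in {year.group(1)}")
    # All three signals together are the indicator; fewer are reported but not flagged.
    return len(findings) == 3, findings

# Constructed samples in the two DN styles OpenSSL prints, plus a benign one.
SUSPECT_NEW = """subject=CN = a, OU = a, O = a, L = a, ST = a, C = aa
issuer=CN = a, OU = a, O = a, L = a, ST = a, C = aa
notAfter=Apr  5 08:00:00 2122 GMT"""
SUSPECT_OLD = """subject= /C=aa/ST=a/L=a/O=a/OU=a/CN=a
issuer= /C=aa/ST=a/L=a/O=a/OU=a/CN=a
notAfter=Apr  5 08:00:00 2122 GMT"""
BENIGN = """subject=CN = router.example, O = Example
issuer=CN = router.example, O = Example
notAfter=Jan  1 00:00:00 2030 GMT"""

if __name__ == "__main__":
    for label, sample in [("new", SUSPECT_NEW), ("old", SUSPECT_OLD), ("benign", BENIGN)]:
        print(label, check_certificate(sample))
```

A partial match, such as the placeholder subject on a certificate with an ordinary expiry date, is listed in the findings but not flagged, so it can be reviewed by hand.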

If you own a vulnerable Asus router or suspect compromise, security experts advise:

  • Immediately replace affected end-of-life devices with current models receiving firmware patches.
  • Disable unnecessary remote access features such as AiCloud, SSH, UPnP, and port forwarding.
  • Change default and weak passwords to strong, unique credentials.
  • Regularly check for and install Asus official firmware updates.
  • Monitor your network for unusual traffic or unknown device connections.

Operation WrtHug serves as a critical reminder that obsolete network hardware poses serious security risks. Maintaining up-to-date hardware, following best security practices, and monitoring device integrity are essential to guard personal and organizational networks.

Luca Fischer

Senior Technology Journalist

Arstechnica

Primary Source

Elena Voren

Senior Editor


Editorial Timeline

Revisions
— by Elena Voren
Initial publication.

Correction Record

Accountability
— by Elena Voren
  1. Clarified scope and scale of compromised Asus routers.
  2. Specified exact vulnerable router models at risk.
  3. Detailed specific exploited vulnerabilities by CVE identifiers.
  4. Explained attack method via Asus AiCloud and TLS certificates.
  5. Highlighted geographical concentration of infections globally.
  6. Described espionage-focused operational relay box tactics.
  7. Added step-by-step user guide for compromise detection.
  8. Recommended practical security actions for users and admins.
  9. Included transparency about unknowns and ongoing investigations.
  10. Organized article with clear, descriptive headings and lists.

FAQ

What models are affected by this hack?

Seven outdated Asus router models are targeted.

What is WrtHug?

WrtHug is the name given to the hacking operation.

Where are most of the hacked routers located?

Most compromised routers are in Taiwan.