NextFin news. On November 19, 2025, cybersecurity researchers from SecurityScorecard's STRIKE team revealed a sophisticated cyber espionage operation targeting ASUS WRT routers worldwide. The campaign, named Operation WrtHug, is attributed with low-to-moderate confidence to Chinese state-affiliated threat actors who leverage multiple known vulnerabilities, some dating back to 2023, to infiltrate and hijack approximately 50,000 end-of-life SOHO (Small Office/Home Office) routers.
The affected devices are globally distributed, with notable concentrations in Taiwan (up to 50% of infections), the United States, Russia, and parts of Southeast Asia and Europe. The attackers exploit six key vulnerabilities (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492) in the ASUS AiCloud proprietary service, together with operating system command injection flaws including CVE-2023-39780, to gain unauthorized command execution and install a persistent backdoor via SSH. Notably, the campaign's victims share a unique, self-signed TLS certificate with an extraordinary 100-year validity, a hallmark of this coordinated espionage effort.
The attackers' methodology includes chaining command injections and leveraging authentication bypasses to deploy stealthy, persistent access mechanisms that survive device reboots and firmware updates. The operation exhibits similarities with a prior China-linked intrusion, "AyySSHush," suggesting either a unified evolving campaign or coordinated efforts between interconnected threat groups. Security researchers emphasize the strategic use of outdated consumer hardware as operational relay boxes (ORBs) to obfuscate malicious traffic and stage global espionage activities, rendering detection and mitigation difficult.
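One defender-side check the paragraphs above suggest is to test the TLS certificate a router presents for the reported hallmark: self-signed and valid for an abnormally long period. The Go program below is an added example, not code from SecurityScorecard or the article; the ten-year ceiling is an assumed threshold, and the fixture certificate it builds is constructed for demonstration, not an indicator from the campaign.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed ceiling (ten years) for a legitimate device-certificate lifetime;
// the roughly 100-year WrtHug hallmark is far beyond it.
const maxSaneValidityDays = 3650

// AssessCert reports whether cert is self-signed (issuer == subject and the signature
// verifies under its own key), its lifetime in days, and whether both hallmarks match.
func AssessCert(cert *x509.Certificate) (selfSigned bool, validityDays int, suspicious bool) {
	selfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	validityDays = int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	return selfSigned, validityDays, selfSigned && validityDays > maxSaneValidityDays
}

// NewSelfSignedCert is a constructed test fixture, not a campaign indicator:
// a self-signed certificate valid for the given number of years.
func NewSelfSignedCert(cn string, years int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := NewSelfSignedCert("router.local", 100) // mimics the 100-year validity
	fmt.Println(AssessCert(cert))
}
```

Against a live device, the same AssessCert call can be fed the leaf certificate from a tls.Dial with verification disabled, since a self-signed certificate would otherwise fail chain validation before it could be inspected.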
Given the heavy targeting of Taiwan-based devices and congruent tactics, techniques, and procedures (TTPs) observed in other Chinese advanced persistent threat (APT) campaigns, intelligence and cybersecurity experts consider this campaign part of Beijing's expanding cyber espionage arsenal. These findings come amid increasing geopolitical tensions and highlight the instrumental role of consumer infrastructure, like SOHO routers, as an emerging battlefield in state-sponsored cyber operations.
This campaign raises critical security concerns, especially about the security posture of end-of-life hardware that continues operational use without manufacturer support or patching. Despite official firmware patches for the exploited vulnerabilities, outdated ASUS WRT routers remain susceptible due to user neglect or device obsolescence. The FBI has previously warned SOHO network device owners to upgrade or disable remote management features to mitigate these risks.
The scale and sophistication of Operation WrtHug underscore the evolution of cyber warfare tactics, moving beyond brute force attacks to multi-stage infections that exploit legacy vulnerabilities and embed persistent, stealthy footholds in consumer networks globally. This operation's global reach suggests an intent to establish a resilient espionage infrastructure capable of supporting extensive intelligence collection and covert communications.
Strategically, the campaign exemplifies how nation-states like China leverage a blend of cyber capabilities and consumer technology to advance intelligence objectives that transcend national borders. The use of self-signed certificates with extended expirations, targeted exploitation patterns, and existing ORB infrastructures reflects a mature, well-resourced threat actor adapting to contemporary cybersecurity defenses.
From a broader cyber defense perspective, this incident stresses the imperative for continuous vulnerability management, patch deployment, and proactive monitoring across all networked devices, especially in the growing IoT and SOHO device segments. It also signals a need for heightened international cooperation and policy frameworks to address the challenges posed by state-sponsored cyber operations that exploit critical consumer infrastructure.
Looking ahead, the persistence of such espionage campaigns suggests ongoing risks of large-scale covert networks embedded within global internet infrastructure. Organizations and individuals must adopt zero-trust security models, robust endpoint detection and response (EDR), and threat intelligence sharing to anticipate and mitigate evolving threats. Meanwhile, tech providers and governments should prioritize lifecycle management and secure firmware updates for all connected devices to minimize exploitable attack surfaces.
In conclusion, Operation WrtHug spotlights a strategic shift in cyber espionage toward embedding covert capabilities within ubiquitous consumer technologies, complicating attribution and defense. This evolving threat will likely prompt intensified cybersecurity investment, revised regulations for device manufacturers, and dynamic counterintelligence efforts under the current US administration led by President Donald Trump as global geopolitical cyber tensions remain a critical front.
According to SecurityScorecard's STRIKE team and corroborated by multiple cybersecurity news sources including IT Pro and Infosecurity Magazine, this campaign illustrates advanced persistent threat actors' growing expertise in exploiting consumer-grade network infrastructure to facilitate stealthy, global espionage. The operational data and indicators of compromise shared by researchers provide a foundation for ongoing detection and incident response efforts worldwide.
