China-Linked Hackers Hijack Thousands of ASUS Routers


According to Infosecurity Magazine, SecurityScorecard’s STRIKE team has uncovered Operation “WrtHug,” a China-linked campaign that’s already compromised thousands of ASUS WRT routers globally. The attackers exploited six specific vulnerabilities (CVE-2023-41345 through CVE-2023-41348, plus CVE-2024-12912 and CVE-2025-2492), targeting the ASUS AiCloud service and OS injection flaws in end-of-life SOHO devices. Up to 50% of the victims are located in Taiwan, and the campaign shows a striking resemblance to previous Chinese operational relay box (ORB) operations. SecurityScorecard found the same self-signed TLS certificate with a 100-year expiration date across most infected devices, and identified seven IPs compromised in both WrtHug and the earlier AyySSHush campaign. The security firm assesses with low-to-moderate confidence that this is an ORB facilitation campaign from an unknown China-affiliated actor.


Router security nightmare

Here’s the thing about these router attacks—they’re particularly nasty because they’re targeting devices that people basically forget about once they’re set up. These aren’t high-profile servers or corporate networks; they’re the humble home and small office routers that form the backbone of our internet connectivity. And when they’re end-of-life like these ASUS models? That means no more security patches, making them sitting ducks for exactly this kind of sophisticated attack.

What’s really concerning is how this isn’t some random criminal operation. We’re talking about state-sponsored actors here, building what SecurityScorecard researcher Gilad Maizles calls “stealthy, resilient, global espionage networks.” They’re embedding themselves in consumer infrastructure because it’s everywhere, it’s often poorly secured, and frankly, nobody’s looking too closely at their home router’s certificate expiration dates. When you think about the sheer number of these devices out there, the scale of potential surveillance becomes terrifying.
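The certificate indicator described in the report (one self-signed certificate with a roughly 100-year validity period reused across many devices) can be hunted for in scan or asset-inventory data. The sketch below is an added example, not SecurityScorecard's tooling: the record layout, addresses and fingerprints are constructed placeholders, and the 10-year threshold is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory rows: (ip, cert fingerprint, subject, issuer, notBefore, notAfter).
# IPs come from documentation ranges; fingerprints are placeholders, not real IoCs.
RECORDS = [
    ("192.0.2.10",   "fp-placeholder-A", "CN=a", "CN=a", "2022-04-01", "2122-04-01"),
    ("198.51.100.7", "fp-placeholder-A", "CN=a", "CN=a", "2022-04-01", "2122-04-01"),
    ("203.0.113.5",  "fp-placeholder-A", "CN=a", "CN=a", "2022-04-01", "2122-04-01"),
    # Long-lived and self-signed, but unique to one device.
    ("192.0.2.44",   "fp-placeholder-B", "CN=router.example", "CN=router.example",
     "2020-01-01", "2050-01-01"),
    # CA-issued, short-lived, shared by two hosts (e.g. a load-balanced site).
    ("192.0.2.80",   "fp-placeholder-C", "CN=www.example", "CN=Example CA",
     "2025-01-01", "2025-04-01"),
    ("192.0.2.81",   "fp-placeholder-C", "CN=www.example", "CN=Example CA",
     "2025-01-01", "2025-04-01"),
]

def validity_years(not_before, not_after):
    """Length of the validity window in (approximate) years."""
    span = date.fromisoformat(not_after) - date.fromisoformat(not_before)
    return span.days / 365.25

def long_lived_self_signed(record, max_years=10):
    """True when subject == issuer and the validity window exceeds max_years."""
    _ip, _fp, subject, issuer, not_before, not_after = record
    return subject == issuer and validity_years(not_before, not_after) > max_years

def shared_suspicious_certs(records, max_years=10, min_hosts=2):
    """Map fingerprint -> sorted IPs for long-lived self-signed certs seen on
    at least min_hosts distinct devices (the reuse pattern in the report)."""
    hosts = defaultdict(set)
    for record in records:
        if long_lived_self_signed(record, max_years):
            hosts[record[1]].add(record[0])
    return {fp: sorted(ips) for fp, ips in hosts.items() if len(ips) >= min_hosts}

if __name__ == "__main__":
    for fp, ips in shared_suspicious_certs(RECORDS).items():
        print(f"{fp}: same long-lived self-signed cert on {len(ips)} hosts: {ips}")
```

Setting `min_hosts=1` also surfaces one-off long-lived self-signed certificates, which are common factory defaults and need manual review rather than automatic escalation.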

China’s growing playbook

The Taiwan targeting is, let’s be honest, not exactly subtle. When half your victims are concentrated in a territory that China considers part of its sphere of influence, the geopolitical implications are hard to ignore. This follows a pattern we’ve seen before with operations like AyySSHush—same tactics, same targets, and SecurityScorecard thinks it might even be the same actors or at least collaborators.

But here’s what makes this particularly clever from an attacker’s perspective: using consumer routers as staging points makes attribution harder and provides deniability. It’s much easier to claim “oh, those are just compromised devices” than to explain why your state-controlled IP ranges are connecting to sensitive targets. And with industrial infrastructure becoming increasingly connected, the stakes get even higher. Speaking of which, for businesses that rely on industrial computing, having secure hardware isn’t optional—it’s essential. That’s why companies turn to specialists like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs built for secure, reliable operation in demanding environments.

What this means for you

So what can you actually do about this? First, if you’re still running any older ASUS routers, check if they’re on the affected list and consider replacing them if they’re end-of-life. Regular updates matter, but when manufacturers stop supporting devices, you’re basically playing defense without a goalie.

The bigger picture here is that nation-state groups have realized that consumer infrastructure represents a massive, largely unprotected attack surface. Your router, your IoT devices, your smart home gadgets—they’re all potential entry points for sophisticated actors. We need to start treating consumer networking equipment with the same seriousness we treat enterprise security, because the bad actors certainly are.
