8,000+ Asus Routers Infected with Advanced Botnet

A new botnet dubbed AyySSHush has infected over 8,000 Asus routers worldwide, targeting devices with default configurations and exploiting vulnerabilities to disable security features before gaining backdoor access. The threat monitoring company GreyNoise discovered the botnet in March and is now revealing details due to its collaboration with governments and industry partners.

The attackers behind AyySSHush are believed to be a well-resourced adversary using advanced tradecraft, although no formal attribution has been made yet. The botnet’s initial attacks involved generic brute-force attempts, but it later shifted to exploiting old authentication bypass bugs to gain access to Asus routers.

Once inside, the attackers used additional techniques and an older vulnerability (CVE-2023-39780) to run arbitrary commands on the router, allowing them to issue commands over SSH, disable security features, and add attacker-controlled public keys. Because these changes persist even after firmware updates or patching, removing the backdoor is difficult for users.

GreyNoise has identified several affected Asus models, including the RT-AC3100, RT-AC3200, and RT-AX55. The company is urging users to check for signs of compromise and suggests factory-resetting their devices if they suspect infection.
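The persistence mechanism described above (SSH enabled and an attacker key added to the router's configuration) and the advice to check for signs of compromise suggest a simple audit. The script below is an added example, not GreyNoise's or Asus's code; it assumes the Asuswrt NVRAM variables `sshd_enable`, `sshd_wan`, `sshd_port` and `sshd_authkeys` and the `key=value` per-line layout of `nvram show`, and the sample dump and key blobs are constructed.

```python
import base64
import hashlib
import re
from typing import Dict, List, Set

# Constructed sample key blobs: arbitrary bytes, not real SSH keys.
_KNOWN_BLOB = base64.b64encode(b"owner-key-blob-constructed").decode()
_ROGUE_BLOB = base64.b64encode(b"unknown-key-blob-constructed").decode()

# Constructed excerpt of `nvram show` output (assumed key=value format).
SAMPLE_NVRAM = (
    "lan_ipaddr=192.168.50.1\n"
    "sshd_enable=1\n"
    "sshd_wan=1\n"
    "sshd_port=22222\n"
    f"sshd_authkeys=ssh-ed25519 {_KNOWN_BLOB} owner@home "
    f"ssh-rsa {_ROGUE_BLOB} x\n"
)

# Matches "<key type> <base64 blob>" regardless of how keys are delimited.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def parse_nvram(text: str) -> Dict[str, str]:
    """Turn key=value lines into a dict; lines without '=' are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value
    return out


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64, no padding) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(nvram: Dict[str, str], trusted: Set[str]) -> List[str]:
    """Report WAN-exposed SSH and any authorized key not in the trusted set."""
    findings: List[str] = []
    if nvram.get("sshd_enable") == "1" and nvram.get("sshd_wan") == "1":
        findings.append(f"SSH reachable from WAN on port {nvram.get('sshd_port', '22')}")
    for key_type, blob in KEY_RE.findall(nvram.get("sshd_authkeys", "")):
        fp = fingerprint(blob)
        if fp not in trusted:
            findings.append(f"untrusted {key_type} key {fp}")
    return findings


TRUSTED = {fingerprint(_KNOWN_BLOB)}  # fingerprints of keys the owner installed

if __name__ == "__main__":
    for finding in audit(parse_nvram(SAMPLE_NVRAM), TRUSTED):
        print("FINDING:", finding)
```

Any finding is a reason to factory-reset rather than just delete the key, since the article notes the changes survive firmware updates.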

Asus has not commented on the incident yet. Microsoft’s naming taxonomy assigns Chinese groups a “Typhoon” name, which might be relevant in this case, as the attackers are believed to be from China or have connections to Chinese-speaking groups.

Source: https://www.theregister.com/2025/05/29/8000_asus_routers_popped_in