
Over 9,000 ASUS Routers Compromised by New Botnet: What You Need to Know

5/29/2025
A new botnet named AyySSHush has compromised over 9,000 ASUS routers, exploiting vulnerabilities and creating backdoors. Discover how to protect your device from this stealthy threat!


GreyNoise reports that over 9,000 ASUS routers have been backdoored by a campaign it tracks as AyySSHush. The activity was first detected by GreyNoise researchers in mid-March 2025 and also targets SOHO routers from Cisco, D-Link and Linksys. GreyNoise assesses the tradecraft as consistent with a well-resourced, state-level actor, but no attribution has been made.

How the AyySSHush Campaign Operates

According to GreyNoise, the attackers gain an initial foothold on ASUS routers through a mix of credential brute-forcing, authentication bypasses and exploitation of known vulnerabilities. Confirmed affected models include the RT-AC3100, RT-AC3200 and RT-AX55.

Once logged in, the attackers exploit CVE-2023-39780, a command injection vulnerability in ASUS firmware, to run commands on the device. They then use the router's own legitimate settings to enable SSH on the non-standard TCP port 53282 and add their own SSH public key. Because these settings live in the router's non-volatile configuration (NVRAM) rather than on the firmware partition, the backdoor survives both reboots and firmware upgrades, as GreyNoise notes in a follow-up report.

For users who have already been compromised, upgrading the firmware alone will not remove the SSH backdoor. The intrusion drops no malware binary: the attackers disable logging and turn off Trend Micro's AiProtection so that the configuration change is unlikely to be noticed.

Low Visibility but High Impact

GreyNoise's sensors recorded only 30 related requests over three months, despite the thousands of affected routers, which illustrates how quiet the campaign is. Just three of those requests were enough to trigger GreyNoise's AI-powered analysis tool, which flagged them for human review.

The campaign appears to overlap with activity Sekoia tracks as Vicious Trap, which also targeted ASUS routers. Sekoia, however, observed exploitation of a different flaw, CVE-2021-32030, an authentication bypass in ASUS routers. In Sekoia's telemetry the actors went after a broad range of devices, including SOHO routers, SSL VPNs, DVRs and BMC controllers from vendors such as D-Link, Linksys, QNAP and Araknis Networks.

Potential Goals and Future Risks

The objectives of AyySSHush remain unclear: GreyNoise has seen no distributed denial of service (DDoS) activity and no use of the routers as proxies for malicious traffic. In the incidents Sekoia tracked, by contrast, scripts were downloaded to redirect traffic from compromised systems to attacker-controlled hosts. The most likely reading is that AyySSHush is quietly accumulating backdoored routers, laying the groundwork for a future botnet.

Protecting Your ASUS Router

ASUS has released security updates that address CVE-2023-39780 for the affected models, although availability varies by model. Users should upgrade their firmware as soon as possible and then verify the router's state directly: check the 'authorized_keys' file for SSH public keys you did not add, and confirm that SSH is not listening on TCP port 53282. GreyNoise has identified four IP addresses associated with this activity that should be blocked:

101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237

If you suspect your router has been compromised, a factory reset is the recommended way to clear the NVRAM-resident backdoor, since a firmware upgrade alone leaves it in place. After the reset, apply the patched firmware and reconfigure the router from scratch with a strong, unique administrator password.
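The following is an added audit script illustrating the checks described in this section and the persistence mechanism described under "How the AyySSHush Campaign Operates"; it is example code written for this article, not tooling from GreyNoise, Sekoia or ASUS. It assumes you have copied the router's authorized_keys content and a slice of its syslog to a workstation (on Asuswrt-based firmware the SSH settings are held in NVRAM variables commonly named sshd_port and sshd_authkeys; verify the names on your firmware), and that the router is reachable on the LAN. The four IP addresses and TCP port 53282 are the indicators from the article; the authorized_keys lines and dropbear-style log lines are constructed samples.

```python
"""Offline audit helpers for the AyySSHush indicators described above.

Added example, not GreyNoise's, Sekoia's or ASUS's code. The sample
authorized_keys content and log lines are constructed for illustration.
"""
import base64
import hashlib
import re
import socket
import struct

# Indicators reported for this campaign (taken from the article).
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
BACKDOOR_SSH_PORT = 53282

_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob (padding stripped)."""
    blob = base64.b64decode(key_b64)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys content into (key_type, fingerprint, comment) tuples.

    Skips blank and '#' lines and tolerates a simple options prefix
    (e.g. 'no-pty') before the key type; quoted options containing spaces
    are not handled.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(_KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed: no key type or no key material
        key_type, key_b64 = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        entries.append((key_type, ssh_fingerprint(key_b64), comment))
    return entries


def unexpected_keys(text: str, trusted_fingerprints: set) -> list:
    """Every key in authorized_keys whose fingerprint is not on the owner's allowlist."""
    return [e for e in parse_authorized_keys(text) if e[1] not in trusted_fingerprints]


def port_open(host: str, port: int = BACKDOOR_SSH_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds, i.e. something is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ioc_hits(log_text: str) -> list:
    """Sorted, de-duplicated campaign IP addresses that appear anywhere in the log text."""
    return sorted(set(_IPV4.findall(log_text)) & IOC_IPS)


def _ed25519_blob(raw32: bytes) -> str:
    """Base64 OpenSSH wire-format ed25519 public key from 32 raw bytes (sample construction only)."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()


# Constructed sample: one key the owner recognises, one that was never added by them.
OWNER_KEY = "ssh-ed25519 " + _ed25519_blob(b"\x01" * 32) + " admin@laptop"
PLANTED_KEY = "ssh-ed25519 " + _ed25519_blob(b"\xab" * 32)  # no comment, typical of a dropped key
SAMPLE_AUTHORIZED_KEYS = "# keys\n" + OWNER_KEY + "\n" + PLANTED_KEY + "\n"
TRUSTED = {ssh_fingerprint(OWNER_KEY.split()[1])}

# Constructed sample log lines in the style of dropbear, the SSH daemon on these routers.
SAMPLE_LOG = """\
May 28 10:41:02 router dropbear[1234]: Child connection from 101.99.91.151:50122
May 28 10:41:05 router dropbear[1234]: Pubkey auth succeeded for 'admin' from 101.99.91.151:50122
May 28 11:02:17 router dropbear[1301]: Child connection from 192.168.50.10:58871
"""


def audit(authorized_keys_text: str, trusted: set, log_text: str, router_ip: str = None) -> dict:
    """Run the key, log and (optionally) port checks and return a summary."""
    result = {
        "unexpected_keys": unexpected_keys(authorized_keys_text, trusted),
        "ioc_hits": ioc_hits(log_text),
    }
    if router_ip:
        result["backdoor_port_open"] = port_open(router_ip)
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_AUTHORIZED_KEYS, TRUSTED, SAMPLE_LOG))
```

Run it against your own exported authorized_keys and syslog, and pass the router's LAN address as router_ip to test port 53282 from a workstation. Any fingerprint not on your allowlist, any hit on the four addresses, or an open 53282 is grounds for the factory reset described above rather than a firmware upgrade alone.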

© Copyright 2025 BreakingOn. All rights reserved.