Cybersecurity firm GreyNoise has uncovered a covert hacking campaign that successfully compromised over 9,000 internet-facing ASUS routers.
First detected on March 18, 2025, by GreyNoise's proprietary AI-powered analysis tool, SIFT, the campaign was publicly disclosed only on Wednesday after the researchers coordinated the findings with government and industry partners.
The attackers used a combination of brute-force login attempts, authentication bypasses, and a known command injection vulnerability (CVE-2023-39780) to quietly install a persistent backdoor via Secure Shell (SSH).
What makes this campaign especially alarming is its stealth and resilience: the unauthorized access survives both reboots and firmware updates, giving the attackers durable control over affected devices.
“The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features,” wrote GreyNoise researchers in their blog post on Wednesday.
Using fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid and deep packet inspection, researchers were able to reconstruct the attack chain and identify the backdoor mechanism.
How The Attack Works
Attackers gain initial access through brute-force login attempts and undocumented authentication bypasses, including techniques not assigned CVEs. They then exploit a known vulnerability, CVE-2023-39780, a command injection flaw, to run arbitrary commands on the router.
Using legitimate ASUS features, they enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access. The backdoor is stored in non-volatile memory (NVRAM), allowing it to survive both reboots and firmware updates.
“Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades,” details another related report by GreyNoise. “If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.”
To remain hidden, the attackers disable system logging, avoid using malware, and evade Trend Micro’s AiProtection, demonstrating careful planning and deep technical knowledge.
Why It Matters
The attackers are assembling a network of compromised devices, effectively a stealth botnet, capable of being weaponized in future cyber operations. With logging disabled and no malware signatures to detect, traditional security tools are unlikely to catch it.
Over the past three months, GreyNoise sensors saw just 30 related requests associated with this campaign and confirmed that over 9,000 ASUS routers have been compromised. Of these requests, GreyNoise's SIFT tool flagged just three suspicious HTTP POST requests to trigger human inspection.
Given the sophistication and stealth of the methods used, GreyNoise suggests the campaign may be the work of a well-resourced and highly skilled threat actor, possibly even nation-state affiliated, though no formal attribution has been made.
By May 27, 2025, Censys, a platform that continuously maps and monitors internet-facing assets across the global internet, confirmed nearly 9,000 ASUS routers had been compromised. The number of affected hosts is growing, and given how quietly the operation has unfolded, the real impact could be even broader.
ASUS has since patched CVE-2023-39780 in a recent firmware update, but users must manually verify and clean up existing backdoors.
Recommendations
To stay protected, users should check their ASUS routers for SSH access on TCP/53282, inspect the authorized_keys file for suspicious entries, and block the identified malicious IPs (101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237). If a compromise is suspected, perform a full factory reset and reconfigure the router manually.
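The checks recommended above (SSH on the reported port, unexpected entries in authorized_keys, contact with the published IPs) can be scripted against a configuration dump and log export pulled off the device. The following is an added example written for this article, not code from GreyNoise, ASUS or the report. It assumes the router configuration is available as key=value lines (the shape ASUSWRT's `nvram show` prints) and that the variable names `sshd_enable` and `sshd_port` apply to the firmware in question; the authorized_keys content is assumed to be standard OpenSSH format. All sample keys, configuration lines and log lines are constructed for the example.

```python
"""Defender-side triage for the ASUS SSH-backdoor pattern described in the article.

Added example; not code from GreyNoise, ASUS or the article.
Assumptions (labelled): configuration arrives as key=value lines with the
assumed variable names sshd_enable / sshd_port; authorized_keys is standard
OpenSSH "<type> <base64 blob> [comment]" format; all sample data is constructed.
"""
import base64
import hashlib
import re
import struct

# Port and IPs as published in the article.
REPORTED_SSH_PORT = "53282"
REPORTED_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_nvram(dump: str) -> dict:
    """Turn key=value lines into a dict; lines without '=' are ignored."""
    config = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config


def key_fingerprint(authorized_keys_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint ("SHA256:<unpadded base64>") of one key line."""
    fields = authorized_keys_line.split()
    # Skip optional leading options such as "no-pty,command=..." by locating
    # the key-type field; the base64 blob always follows it.
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_router(nvram_dump: str, authorized_keys: str, trusted_fingerprints: set) -> dict:
    """Report SSH exposure on the published port and any authorized key whose
    fingerprint is not on the administrator's allowlist."""
    config = parse_nvram(nvram_dump)
    ssh_enabled = config.get("sshd_enable") == "1"          # assumed variable name
    ssh_on_reported_port = ssh_enabled and config.get("sshd_port") == REPORTED_SSH_PORT

    unknown_keys = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp not in trusted_fingerprints:
            unknown_keys.append(fp)

    return {
        "ssh_enabled": ssh_enabled,
        "ssh_on_reported_port": ssh_on_reported_port,
        "unknown_key_fingerprints": unknown_keys,
        "suspected_compromise": ssh_on_reported_port or bool(unknown_keys),
    }


def flag_reported_ips(log_lines: list) -> list:
    """Return log lines containing any of the published attacker IPs
    (matched as whole dotted quads, so a trailing :port does not hide a hit)."""
    return [line for line in log_lines if REPORTED_IPS & set(IPV4_RE.findall(line))]


def _constructed_ed25519_key(fill: int) -> str:
    """Syntactically valid ssh-ed25519 public-key line built from a repeated
    byte (constructed test data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed sample inputs: one key the administrator knows, one they do not.
ADMIN_KEY = _constructed_ed25519_key(0x01)
ROGUE_KEY = _constructed_ed25519_key(0x7F)
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nwan_proto=dhcp\n"
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY + "\n" + ROGUE_KEY + "\n"
SAMPLE_LOG = [  # constructed lines in the shape of dropbear's connection log
    "Jun 01 10:00:01 router dropbear[123]: Child connection from 192.0.2.10:51000",
    "Jun 01 10:05:44 router dropbear[124]: Child connection from 101.99.91.151:40211",
]


def demo() -> dict:
    """Run the audit over the constructed samples, trusting only ADMIN_KEY."""
    result = audit_router(SAMPLE_NVRAM, SAMPLE_AUTHORIZED_KEYS, {key_fingerprint(ADMIN_KEY)})
    result["log_hits"] = flag_reported_ips(SAMPLE_LOG)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Comparing fingerprints rather than raw key text means a key that has merely been re-wrapped or given a new comment still matches the allowlist, while any key the administrator never enrolled is surfaced. A positive result from any of the three checks is the cue for the full factory reset the article recommends, since a firmware upgrade alone leaves the persisted SSH configuration in place.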