
More than 9,000 ASUS routers have reportedly fallen under the control of a newly identified botnet dubbed AyySSHush. According to researchers at GreyNoise, the malicious campaign began in March 2025 and targets not only ASUS devices but also home routers from Cisco, D-Link, and Linksys. The primary models under attack include the RT-AC3100, RT-AC3200, and RT-AX55.
The operation combines brute-force login attempts, authentication bypass techniques, and exploitation of outdated vulnerabilities. Notably, attackers are leveraging CVE-2023-39780, a flaw that enables them to implant their own SSH key into the device’s configuration and activate the SSH daemon on a non-standard TCP port (53282). This configuration persists even after firmware updates or device reboots, as the changes are made using legitimate ASUS system functions.
What sets this campaign apart is the absence of conventional malware. Instead, attackers disable system logging and the AiProtection security suite by Trend Micro, significantly reducing the likelihood of detection. Over the past three months, GreyNoise recorded only 30 suspicious requests associated with this campaign; however, the number of compromised ASUS routers is estimated to exceed 9,000.
Despite the scope of the infection, the attackers’ activities remain covert. There is no evidence suggesting the compromised devices are being used for DDoS attacks or traffic proxying. However, a parallel investigation by Sekoia into a similar campaign, ViciousTrap, revealed that a malicious script was running on compromised routers, redirecting network traffic to the attacker’s infrastructure. In addition to ASUS, Sekoia observed intrusions targeting VPNs, DVRs, and BMC controllers from D-Link, Linksys, QNAP, and Araknis Networks, including exploitation of CVE-2021-32030.
Based on observed behaviors, AyySSHush appears to be laying the groundwork for a distributed network of remotely accessible devices, potentially for future use. For now, the campaign’s true objectives remain elusive.
In the meantime, ASUS has released security patches addressing CVE-2023-39780, although release timelines vary by model. Owners are strongly advised to update their firmware without delay, inspect the authorized_keys file for unauthorized entries, and check for suspicious files.
GreyNoise has also published a list of IP addresses linked to AyySSHush activity and recommends adding them to local blocklists:
- 101.99.91.151;
- 101.99.94.173;
- 79.141.163.179;
- 111.90.146.237.
If infection is suspected, it is advised to perform a full factory reset of the router and reconfigure it from scratch, ensuring the use of a strong and unique password.
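The checks recommended above (unexpected authorized_keys entries, an SSH listener on TCP 53282, traffic involving the four listed addresses) can be scripted; the following is an added example, not code from GreyNoise or ASUS. The function names, the allowlist format (one known-good key blob per line), the `netstat -ltn` text layout and all sample data are assumptions, and file paths are passed in as arguments because the article does not give them.

```shell
# Triage checks for the indicators named in this article (added example).
# All sample data in make_samples is constructed; key blobs are placeholders.
AYY_PORT=53282
AYY_IPS='101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237'

# Print authorized_keys lines ($1) whose key blob is not in the allowlist
# ($2, one known-good base64 blob per line). An options prefix is handled
# by locating the key-type field and taking the field after it.
unknown_keys() {
    awk -v allow="$2" '
        BEGIN { while ((getline line < allow) > 0) if (line != "") ok[line] = 1 }
        /^[ \t]*(#|$)/ { next }
        { blob = ""
          for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-|ecdsa-|sk-)/) { blob = $(i + 1); break }
          if (blob == "" || !(blob in ok)) print FNR ": " $0 }' "$1"
}

# Succeed if stdin (text in `netstat -ltn` layout) shows a listener on port $1.
port_listening() {
    awk -v p="$1" '$6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) hit = 1 }
                   END { exit !hit }'
}

# Print lines of log file $1 that mention an address on the published list.
blocklist_hits() { grep -F -w -e "$AYY_IPS" "$1"; }

# Write constructed sample inputs into directory $1.
make_samples() {
    printf '%s\n' 'AAAAC3Nza-PLACEHOLDER-ADMIN' > "$1/allow"
    printf '%s\n' '# admin laptop' \
        'ssh-ed25519 AAAAC3Nza-PLACEHOLDER-ADMIN admin@laptop' \
        'no-pty ssh-rsa AAAAB3Nza-PLACEHOLDER-UNKNOWN' > "$1/authorized_keys"
    printf '%s\n' 'Proto Recv-Q Send-Q Local Address Foreign Address State' \
        'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN' \
        'tcp 0 0 0.0.0.0:53282 0.0.0.0:* LISTEN' > "$1/netstat"
    printf '%s\n' 'accept 192.0.2.10 -> 192.0.2.1:443' \
        'accept 79.141.163.179 -> 192.0.2.1:53282' \
        'accept 179.141.163.179 -> 192.0.2.1:22' > "$1/log"
}

d=$(mktemp -d) && make_samples "$d"
unknown_keys "$d/authorized_keys" "$d/allow"
port_listening "$AYY_PORT" < "$d/netstat" && echo "listener on $AYY_PORT"
blocklist_hits "$d/log"
rm -rf "$d"
```

Because the article notes that the attackers disable system logging, an empty result from the log check on the router itself says little; run it against logs kept off the device, such as an upstream firewall's.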