Operation WrtHug Compromises ASUS Routers in Global Botnet Expansion

Operation WrtHug is hijacking tens of thousands of outdated ASUS routers worldwide by exploiting old firmware flaws and default credentials. The botnet is growing rapidly, with major infections in Taiwan, the U.S., and Russia, underscoring the risks of unpatched consumer hardware.

    A new botnet campaign dubbed “Operation WrtHug” has emerged, compromising tens of thousands of vulnerable ASUS routers worldwide. This large-scale operation is rapidly absorbing outdated or end-of-life hardware, chiefly impacting users in Taiwan, the United States, and Russia. According to researchers at SecurityScorecard, the attackers behind Operation WrtHug are leveraging known weaknesses in obsolete router models to stealthily conscript them into a growing command-and-control network.

    Obsolete Routers at the Heart of the WrtHug Operation

    Threat actors exploit unpatched vulnerabilities to seize control of aging ASUS routers.

    Recent analysis by security researchers reveals that Operation WrtHug targets ASUS routers running outdated firmware—particularly older models no longer supported with security updates. Leveraging public exploits and default credentials, attackers co-opt these weakly defended devices and enroll them into expansive botnets that can be wielded for malicious purposes ranging from distributed denial-of-service (DDoS) attacks to reconnaissance and data exfiltration.

    Thousands of ASUS Devices Affected Globally

Infections are distributed worldwide but cluster in Taiwan, the U.S., and Russia.

    The infected device telemetry indicates a wide distribution pattern but with notable concentrations:

    • Taiwan : Reports indicate the highest concentration of infected routers, likely due to high ASUS market presence.
    • United States : A significant footprint in U.S. residential and small office infrastructure.
    • Russia : A surprising third-largest cohort, suggesting opportunistic scanning or previous infrastructure compromise.

    These numbers highlight the global scale of vulnerability due to unmaintained consumer hardware.

    Technical Underpinnings of Operation WrtHug

The campaign uses old firmware vulnerabilities and unchanged default credentials to hijack routers en masse.

    While specific CVEs used in the campaign have not been disclosed in full detail, researchers have confirmed the attackers exploit known and published vulnerabilities in legacy ASUS routers. The threat actors appear to use automated scanning tools to identify:

    • Devices running outdated firmware versions
    • Routers using factory-default or weak administrative credentials
    • Management interfaces exposed to the public internet, particularly over unencrypted HTTP or without network segmentation

    Once a device is identified and successfully compromised, it is enrolled in a remote command-and-control (C2) infrastructure that can push arbitrary payloads to it or relay network traffic through the hijacked device.

    Estimated Botnet Capabilities

    Although specific attack operations have not yet been attributed to this botnet, the sheer number of routers under the attackers’ control presents considerable risk. Potential uses include:

    1. Traffic Proxying : Using residential routers to anonymize malicious traffic
    2. DDoS Attacks : Harnessing bandwidth of compromised infrastructure to flood targets
    3. Credential Harvesting : Inspecting traffic from the internal networks behind infected units

    As more router models age out of support cycles, the potential attack surface for such operations continues to grow.

    Lack of Patches and Poor Hygiene Enable Large-Scale Exploits

    Outdated or abandoned hardware remains a persistent, scalable threat vector.

    The vulnerability of these routers ultimately stems from a combination of manufacturer discontinuation of software updates and user neglect in applying patches or upgrading hardware. ASUS, like many vendors, eventually halts support for legacy devices. When this happens:

    • Firmware no longer receives security updates
    • Default credentials remain unchanged by uninformed users
    • Configuration hardening is often neglected on consumer-grade devices

    These conditions make aging devices attractive targets for coordinated exploitation campaigns such as Operation WrtHug.

    Recommendations for Mitigation and Monitoring

    Network defenders urged to audit infrastructure and segment or decommission vulnerable routers.

    To reduce the risk posed by compromised routers or similar botnet activity:

    • Conduct infrastructure scans to identify unsupported routers
    • Replace or upgrade devices no longer vendor-supported
    • Change default device credentials immediately after deployment
    • Monitor egress traffic for signs of botnet command-and-control activity, such as router-originated connections to unfamiliar hosts at regular intervals
    • Harden home and small office networks with stronger firewall and segmentation policies
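As an added example that is not part of the original article or of SecurityScorecard's research, the following Python script shows what the two most actionable recommendations above look like in practice: checking an asset inventory for routers past vendor support, and scanning firewall egress logs for router-originated flows that either beacon at regular intervals or use ports a router should not originate on its own. The inventory, model names, end-of-support dates, IP addresses and log lines are all constructed placeholders (none of it is real ASUS support data), and the jitter threshold and expected-port baseline are assumptions to tune for your environment.

```python
"""Audit a router inventory and firewall egress logs for the risk signals
the article describes: devices past vendor support, and router-sourced
egress that looks like command-and-control beaconing.

Added example, not code from the original article or from SecurityScorecard.
Every model name, end-of-support date, IP address and log line below is
constructed for illustration; none of it is real ASUS support data.
"""
import statistics
from collections import defaultdict
from datetime import date, datetime, timezone

# Constructed inventory. 'eos' is the vendor end-of-support date (None = still
# supported). The dates and model names are hypothetical placeholders.
INVENTORY = [
    {"host": "rtr-lobby",  "ip": "10.0.0.1", "model": "MODEL-A", "eos": date(2020, 1, 1)},
    {"host": "rtr-branch", "ip": "10.0.1.1", "model": "MODEL-B", "eos": None},
    {"host": "rtr-lab",    "ip": "10.0.2.1", "model": "MODEL-C", "eos": date(2023, 6, 30)},
]

# Ports a consumer router is expected to originate traffic on by itself
# (DNS, NTP, HTTPS for update checks). Anything else from the router's own
# address deserves a look. Assumed baseline, tune to your environment.
EXPECTED_ROUTER_EGRESS_PORTS = {53, 123, 443}

# Date the audit is run against; fixed here so the example is reproducible.
AUDIT_DATE = date(2025, 11, 20)

# Constructed firewall egress log, one flow per line:
# <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
EGRESS_LOG = """\
2025-11-20T10:00:00Z src=10.0.0.1 dst=203.0.113.5 dport=443 proto=tcp
2025-11-20T10:05:00Z src=10.0.0.1 dst=203.0.113.5 dport=443 proto=tcp
2025-11-20T10:10:01Z src=10.0.0.1 dst=203.0.113.5 dport=443 proto=tcp
2025-11-20T10:14:59Z src=10.0.0.1 dst=203.0.113.5 dport=443 proto=tcp
2025-11-20T10:20:00Z src=10.0.0.1 dst=203.0.113.5 dport=443 proto=tcp
2025-11-20T10:00:00Z src=10.0.1.1 dst=192.0.2.10 dport=123 proto=udp
2025-11-20T13:37:12Z src=10.0.1.1 dst=192.0.2.10 dport=123 proto=udp
2025-11-20T09:12:00Z src=10.0.2.1 dst=198.51.100.7 dport=8080 proto=tcp
2025-11-20T11:48:30Z src=10.0.2.1 dst=198.51.100.7 dport=8080 proto=tcp
"""


def unsupported_routers(inventory, today):
    """Hosts whose vendor support ended before 'today'."""
    return [d["host"] for d in inventory if d["eos"] is not None and d["eos"] < today]


def parse_egress(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, kv["src"], kv["dst"], int(kv["dport"])))
    return events


def beacon_candidates(events, min_events=4, max_jitter=0.1):
    """Flows whose inter-arrival times are suspiciously regular.

    Returns {(src, dst, dport): mean_gap_seconds}. A flow qualifies when it has
    at least min_events connections and the population standard deviation of
    the gaps is at most max_jitter * mean gap. Both thresholds are assumptions.
    """
    by_flow = defaultdict(list)
    for when, src, dst, dport in events:
        by_flow[(src, dst, dport)].append(when)
    found = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            found[flow] = mean
    return found


def audit(inventory, log_text, today):
    """Combine the checks into per-host findings: {host: [(kind, detail), ...]}."""
    findings = {d["host"]: [] for d in inventory}
    by_ip = {d["ip"]: d["host"] for d in inventory}
    for d in inventory:
        if d["host"] in unsupported_routers(inventory, today):
            findings[d["host"]].append(("unsupported", f"vendor support ended {d['eos'].isoformat()}"))
    events = parse_egress(log_text)
    for (src, dst, dport), mean in beacon_candidates(events).items():
        if src in by_ip:
            findings[by_ip[src]].append(("beacon", f"{dst}:{dport} every ~{mean:.0f}s"))
    seen = set()
    for _, src, dst, dport in events:
        key = (src, dst, dport)
        if src in by_ip and dport not in EXPECTED_ROUTER_EGRESS_PORTS and key not in seen:
            seen.add(key)
            findings[by_ip[src]].append(("unexpected-port", f"router-originated flow to {dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for host, items in audit(INVENTORY, EGRESS_LOG, AUDIT_DATE).items():
        print(f"{host:<11} " + ("; ".join(f"{k}: {v}" for k, v in items) or "no findings"))
```

On the constructed data the script flags rtr-lobby twice (support ended and a five-minute beacon to a single external host on 443) and rtr-lab twice (support ended and router-originated connections on 8080), while rtr-branch's two NTP requests produce nothing. The beacon test is deliberately simple; in production you would feed it flow or firewall exports over a longer window and raise min_events so that a handful of update checks cannot trip it.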

    Given the prevalence of ASUS routers in home and small office environments, both enterprise security teams and individual users must prioritize infrastructure hygiene.

    Botnets Exploit Gaps in IoT Lifecycle Management

    Operation WrtHug is a clear example of attackers capitalizing on security inertia.

    Operation WrtHug underscores the persistent danger of unpatched, deprecated hardware in connected environments. As attackers refine techniques for identifying and enrolling vulnerable devices into botnets, this campaign serves as a stark reminder of the broader risks associated with unmanaged firmware and lax credential practices. For defenders, mitigating these threats requires diligent asset inventory management, retirement of unsupported hardware, and continuous network monitoring for suspicious behavior.
