New Botnet Compromises 9,000 ASUS Routers, Establishes Persistent Backdoor Access

A cyberattack campaign dubbed AyySSHush has compromised more than 9,000 ASUS routers worldwide, establishing persistent backdoor access that survives firmware updates and device reboots. The operation, first detected in March 2025, uses techniques typically associated with nation-state actors: it chains authentication weaknesses with a known command-injection flaw and then abuses legitimate router features to keep long-term control without deploying traditional malware.

Attack Methodology Targeting ASUS Routers

The attackers use a multi-stage technique that begins with brute-force login attempts against the ASUS router web interface. Once they have a foothold, they use two previously undisclosed authentication bypass techniques to escalate privileges. They then exploit CVE-2023-39780, an authenticated command injection flaw in ASUS router firmware, to execute arbitrary system commands.

The key request is a POST to `/start_apply.htm` in which the `oauth_google_refresh_token` parameter carries the injected command `touch /tmp/BWSQL_LOG`. Creating that file turns on the router's Bandwidth SQL logging, and the logging code path in the `bwsdpi_sqlite` binary passes user-controlled data directly to system() calls, giving the attackers a further command-execution path.

The attackers then enable the router's built-in SSH service on the non-standard TCP port 53282 and add their own public key to its authorized keys. Because these are official ASUS settings stored in non-volatile memory (NVRAM), which a firmware upgrade does not rewrite, the backdoor persists across updates and reboots.

Detection and Analysis

GreyNoise found the campaign with Sift, its AI-powered threat-hunting tool, which flagged just three anomalous HTTP POST requests among the millions of requests its sensors see each day. The campaign is unusually quiet: only 30 related requests were observed across three months, even though thousands of devices were compromised.

Sift identified the suspicious activity using advanced machine learning techniques, including custom-built Large Language Models (LLMs), nearest neighbor search, and unsupervised clustering to detect payloads targeting ASUS RT-AC3100 and RT-AC3200 routers with factory configurations.

Four IP addresses have been identified as indicators of compromise:

– 101.99.91.151

– 101.99.94.173

– 79.141.163.179

– 111.90.146.237
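The two indicators described above that a network sensor or proxy can see, the four published IP addresses and POSTs to `/start_apply.htm` carrying the `oauth_google_refresh_token` parameter with the `BWSQL_LOG` marker, can be matched with a small script. This is an added example, not GreyNoise's Sift or any ASUS tooling. The log format it reads is constructed for the example ("timestamp src_ip method uri [body]", one request per line); the sample body is abbreviated with `...` and is not the real payload.

```shell
#!/bin/sh
# Added example (not GreyNoise or ASUS code): flag AyySSHush indicators in a
# request log. Constructed log format: "<timestamp> <src_ip> <method> <uri> [<body>]".

# The four IP addresses published as indicators of compromise.
AYYSSHUSH_IPS="101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237"

# is_ioc_ip IP -> succeeds when IP is one of the published indicators.
is_ioc_ip() {
    printf '%s\n' "$AYYSSHUSH_IPS" | grep -qxF -- "$1"
}

# flag_line LINE -> prints "<timestamp> <src_ip> <reasons>" when the request
# is suspicious, prints nothing otherwise. Always returns 0 so it is safe
# inside loops run under `set -e`.
flag_line() {
    set -f                     # no glob expansion while splitting the record
    set -- $1                  # split the record on whitespace
    set +f
    ts=$1; ip=$2; method=$3; uri=$4
    body=""
    if [ $# -gt 4 ]; then shift 4; body=$*; fi   # whatever is left is the body
    reasons=""

    if is_ioc_ip "$ip"; then
        reasons="ioc-ip"
    fi
    if [ "$method" = "POST" ] && [ "$uri" = "/start_apply.htm" ]; then
        reasons="${reasons:+$reasons,}start_apply-post"
        # The injected command is URL-encoded on the wire; matching the
        # parameter name and the file name survives that encoding.
        case "$body" in
            *oauth_google_refresh_token*BWSQL_LOG*) reasons="$reasons,bwsql-marker" ;;
        esac
    fi

    [ -n "$reasons" ] && printf '%s %s %s\n' "$ts" "$ip" "$reasons"
    return 0
}

# scan_log < LOG -> runs flag_line over every record on stdin.
scan_log() {
    while IFS= read -r rec; do
        flag_line "$rec"
    done
}

# Constructed sample records (not a real capture). The body on the first
# line is abbreviated with "..." and is not the actual exploit payload.
sample_log() {
cat <<'EOF'
2025-03-14T02:11:09Z 101.99.91.151 POST /start_apply.htm oauth_google_refresh_token=...BWSQL_LOG...
2025-03-14T02:11:10Z 203.0.113.7 GET /index.asp
2025-03-14T02:12:30Z 198.51.100.23 POST /start_apply.htm wl_ssid=HomeNet
2025-03-14T02:13:01Z 79.141.163.179 GET /Main_Login.asp
EOF
}

sample_log | scan_log
```

A POST to `/start_apply.htm` is how the router's own web UI applies settings, so the `start_apply-post` reason on its own is a lead rather than a verdict; it becomes interesting when the source is a WAN address or the body carries the `oauth_google_refresh_token` and `BWSQL_LOG` strings. On the sample input the script prints three lines: the first record with all three reasons, the third with `start_apply-post` only, and the fourth with `ioc-ip`.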

Immediate Action Required

The campaign is a significant threat because the backdoor cannot be removed by a standard firmware update. ASUS has released patches for CVE-2023-39780, but a device compromised before it was patched keeps the malicious SSH configuration and key, so patching alone closes the entry point without evicting the attacker. The attackers also deliberately disable logging and Trend Micro AiProtection features to avoid detection.

Security experts recommend immediately checking ASUS routers for an SSH service listening on TCP port 53282, reviewing the SSH settings stored in NVRAM, and inspecting authorized_keys for a public key you did not install. Organizations should block the four IP addresses listed above, and a device suspected of compromise should be factory reset (which clears the NVRAM-stored backdoor), updated to patched firmware, and fully reconfigured with strong, unique administrator credentials.
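The on-device checks recommended above can be scripted against an NVRAM dump and the SSH authorized_keys file. The script below is an added example, not ASUS or GreyNoise code. It assumes asuswrt-style NVRAM variable names (`sshd_enable`, `sshd_port`, `sshd_wan`) and takes the authorized_keys path as an argument, since the file's location varies by firmware; confirm both against your model's `nvram show` output before relying on it. The compromised-device dump and the key material are constructed for the example.

```shell
#!/bin/sh
# Added example (not ASUS or GreyNoise code): audit an asuswrt-style NVRAM
# dump and an authorized_keys file for the AyySSHush SSH backdoor.
# On a router:  nvram show 2>/dev/null > /tmp/nvram.txt
#               audit_router /tmp/nvram.txt /path/to/authorized_keys
# NVRAM names below are assumptions drawn from asuswrt-based firmware.

BACKDOOR_PORT=53282

# Constructed allowlist of keys the administrator actually installed.
KNOWN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey000000000000000000000000 admin@lan'

# nvram_get DUMPFILE KEY -> first value of KEY in a "key=value" dump.
nvram_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# key_id KEYLINE -> "<type> <base64>" with the comment stripped, so the same
# key compares equal whatever comment the attacker attached to it.
key_id() {
    printf '%s\n' "$1" | awk '{print $1, $2}'
}

# audit_router DUMPFILE AUTHKEYS_FILE -> prints one FINDING per line and
# returns 1 if anything was found, 0 if the device looks clean.
audit_router() {
    dump=$1; authkeys=$2; findings=0

    enabled=$(nvram_get "$dump" sshd_enable)
    if [ -n "$enabled" ] && [ "$enabled" != "0" ]; then
        port=$(nvram_get "$dump" sshd_port)
        echo "FINDING: sshd enabled (sshd_enable=$enabled) on port ${port:-?}"
        findings=$((findings + 1))
        if [ "$port" = "$BACKDOOR_PORT" ]; then
            echo "FINDING: sshd_port=$BACKDOOR_PORT matches the AyySSHush backdoor port"
            findings=$((findings + 1))
        fi
        if [ "$(nvram_get "$dump" sshd_wan)" = "1" ]; then
            echo "FINDING: sshd_wan=1, SSH is reachable from the WAN side"
            findings=$((findings + 1))
        fi
    fi

    if [ -r "$authkeys" ]; then
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            if ! printf '%s\n' "$KNOWN_KEYS" | awk '{print $1, $2}' | grep -qxF -- "$(key_id "$line")"; then
                echo "FINDING: unknown authorized key: $(key_id "$line" | cut -c1-40)..."
                findings=$((findings + 1))
            fi
        done < "$authkeys"
    fi

    [ "$findings" -eq 0 ]
}

# make_sample -> writes a constructed dump and key file for a compromised
# device into a temp directory and prints the directory path.
make_sample() {
    dir=$(mktemp -d)
cat > "$dir/nvram.txt" <<'EOF'
wan_ipaddr=203.0.113.10
sshd_enable=1
sshd_port=53282
sshd_wan=1
EOF
cat > "$dir/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey000000000000000000000000 admin@lan
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCconstructedAttackerKey000000000000000000000000 root@unknown
EOF
    echo "$dir"
}

sample=$(make_sample)
audit_router "$sample/nvram.txt" "$sample/authorized_keys" || echo "verdict: factory reset, update firmware, reconfigure"
```

Against the constructed sample the audit reports four findings: SSH enabled, the backdoor port, WAN exposure, and one key that is not on the allowlist. Because the attacker also disables logging, absence of log entries proves nothing; the NVRAM settings and the key file are the evidence that survives.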

The sophistication and persistence of the campaign suggest possible links to advanced persistent threat (APT) groups building operational relay box (ORB) networks of compromised devices for long-term strategic use.