- GreyNoise finds a new hacking campaign targeting ASUS hardware
- The threat actors are using poorly secured routers to gain initial access
- They abuse known vulnerabilities to establish persistent access and build a botnet
Thousands of ASUS routers have been compromised and turned into a malicious botnet after hackers exploited a serious security vulnerability, experts have warned.
“This appears to be part of a stealth operation to assemble a distributed network of backdoored devices, potentially laying the groundwork for a future botnet,” noted cybersecurity researchers at GreyNoise, who first discovered the attacks in mid-March 2025.
Using SIFT (GreyNoise’s network payload analysis tool) and a fully emulated ASUS router profile running in the GreyNoise Global Observation Grid, the researchers determined that the threat actors first broke into the routers using brute-force login attempts and authentication bypasses.
Advanced operations
These poorly configured routers were easy targets for the attackers, who then went on to exploit a command injection flaw to run system commands.
The flaw is tracked as CVE-2023-39780 and has a severity score of 8.8/10 (high).
The vulnerability was first published in the National Vulnerability Database (NVD) on September 11, 2023, and ASUS has since released firmware updates to address it.
“The tactics used in this campaign - stealthy initial access, use of built-in system features for persistence, and careful evasion of detection - are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks,” explains GreyNoise.
“While GreyNoise has not made any attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
The attackers use the ability to run system commands to install a backdoor whose configuration is stored in non-volatile memory (NVRAM).
This means the access they create survives both reboots and firmware updates. The attackers can maintain long-term access without dropping malware on the device or leaving other obvious traces.
It is not known exactly how many devices are compromised, only that there are “thousands”, with the number “steadily increasing”.