ASUS routers compromised secretly

Nearly 9,000 ASUS routers got hacked, and here’s the kicker—rebooting won’t fix them. Neither will firmware updates. These routers are basically zombies now, controlled by threat actors who discovered how to create what security experts call “malware-free backdoors.” Yeah, that’s a thing now.

The whole mess started back in March 2025 when GreyNoise’s AI tool picked up something weird. Their Sift system spotted routers doing stuff they shouldn’t, like granting SSH access through TCP port 53282. Not exactly standard router behavior. By May 27, the confirmed count hit nearly 9,000 compromised devices, and researchers coordinated with government officials before going public on May 28.

Here’s where it gets technical, but stay with me. The attackers didn’t use traditional malware. Instead, they exploited legitimate router features and existing vulnerabilities—HTTP response splitting, Samba bugs, open redirect flaws, and token authentication issues. The vulnerability carries an 8.8 severity score, making it a critical threat to network security. ASUS patched these vulnerabilities, sure. But the damage was already done. Once the backdoor’s in, it’s staying put. The attackers store their backdoor configuration in NVRAM, ensuring it survives reboots and updates.

Security firm Sekoia.io named this nightmare “ViciousTrap,” part of a broader campaign that’s also targeting Cisco and other SOHO routers. They’re calling the botnet behind it “AyySSHush,” which honestly sounds like something a teenager would name their gaming clan. But there’s nothing amateur about these attacks. These are sophisticated threat actors building infrastructure for something bigger.

The really unsettling part? Nobody knows what they’re planning. These compromised routers could become weapons for coordinated attacks. DDoS campaigns, data theft, who knows. Sekoia.io confirmed these aren’t honeypots—they’re real devices in real networks, silently waiting for orders.

Traditional fixes won’t cut it. Firmware updates? Useless. Reboots? Pointless. The only solution is a complete factory reset, and even then, you’d better change those default credentials immediately. ASUS released security advisories, but for those 9,000 routers, it’s too late.
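A defender's check for the indicator described above, added here as an example and not taken from GreyNoise, Sekoia.io or ASUS: it tests whether a router you administer answers with an SSH banner on TCP port 53282. The function names and the three result labels are assumptions made for this example.

```python
import socket
import sys

BACKDOOR_PORT = 53282  # TCP port the article reports for the unexpected SSH access


def probe_ssh(host, port=BACKDOOR_PORT, timeout=3.0):
    """Connect to host:port and classify what answers.

    Returns (state, banner) where state is 'closed', 'open-ssh' or 'open-other'.
    These labels are this example's own, not terms from the researchers.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                # An SSH server sends its identification string first (RFC 4253).
                banner = sock.recv(64)
            except OSError:
                banner = b""  # connected, but nothing readable before the timeout
    except OSError:
        return "closed", ""  # refused, filtered or unreachable
    text = banner.decode("ascii", "replace").strip()
    return ("open-ssh" if text.startswith("SSH-") else "open-other"), text


def verdict(host, port=BACKDOOR_PORT, timeout=3.0):
    """Turn the probe result into a one-line finding for the device owner."""
    state, banner = probe_ssh(host, port, timeout)
    if state == "open-ssh":
        return (f"{host}:{port} answers as SSH ({banner}): matches the reported "
                "indicator; factory reset the router and set new credentials")
    if state == "open-other":
        return f"{host}:{port} is open but sent no SSH banner: investigate"
    return f"{host}:{port} did not accept a connection from this vantage point"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_router.py <router-ip-you-administer>")
    print(verdict(sys.argv[1]))
```

A "closed" result only shows that the port did not answer from where the check was run, so repeat it from both the LAN side and an outside network.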

Censys keeps mapping affected devices, GreyNoise continues monitoring, and security teams worldwide are scrambling. Meanwhile, these invisible backdoors persist, turning home routers into sleeper agents. The campaign’s still active, still spreading. And somewhere, threat actors are probably laughing at how easy this was.
