Cyberveille curated by Decio
6 results tagged censys
Tracking AyySSHush: a Newly Discovered ASUS Router Botnet Campaign https://censys.com/blog/tracking-ayysshush-a-newly-discovered-asus-router-botnet-campaign
30/05/2025 18:45:04

Executive Summary:

  • A new, stealthy ASUS router botnet, dubbed AyySSHush, abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates, evading traditional detection methods.
  • GreyNoise observed the campaign in March 2025; Censys scan data reveals its global footprint and how it has evolved over the past five months.
  • 4,504 ASUS devices show indicators of compromise as of May 28, 2025, identified by having SSH running on port TCP/53282 — a relatively strong indicator of AyySSHush compromise, since this high, nonstandard port is specifically used by the botnet.
  • The compromises are globally spread with an APAC concentration: the top affected countries include the U.S., Sweden, Taiwan, Singapore, and Hong Kong.
  • Residential ISPs across Asia, Europe, and the U.S. appear to be the main targeted networks, aligning with the typically observed residential proxy botnet strategy that mimics legitimate users to evade detection.
  • Historical trends in compromises observed online reveal a highly dynamic scale of botnet operations that rapidly scaled up and down by 50% in a matter of weeks.
  • Attackers leverage ASUS's own built-in configuration tools to inject SSH keys that survive firmware resets -- patching alone isn't enough.
  • Check out our live dashboard tracking exposed ASUS devices with indicators of compromise.

Introduction

On March 18, 2025, researchers at GreyNoise uncovered a sophisticated botnet campaign targeting ASUS routers. Dubbed AyySSHush, the operation exploits legitimate features of ASUS’s AiProtection system to implant persistent SSH backdoors that survive firmware resets. This is an alarming example of threat actors exploiting vendor-sanctioned capabilities to establish a persistent, hard-to-detect presence in consumer-grade hardware.

Censys has been tracking this botnet’s global footprint in partnership with findings from both GreyNoise and Sekoia researchers.

To aid in ongoing tracking and research, we’ve launched a live dashboard that tracks exposed ASUS routers showing indicators of AyySSHush compromise. The data updates daily and provides real-time insight into global trends.

censys EN 2025 ASUS router botnet AyySSHush
Unpacking the BADBOX Botnet with Censys https://censys.com/unpacking-the-badbox-botnet/
05/02/2025 15:17:01

Discover BADBOX, a new botnet pre-infecting Android devices—including TVs—via factory malware. Explore supply chain threats from one SSL certificate.

censys EN 2025 BADBOX pre-infecting Android malware analysis
Will the Real Volt Typhoon Please Stand Up? https://censys.com/will-the-real-volt-typhoon-please-stand-up/
20/01/2025 07:31:49

Despite both technical exposure by researchers and law enforcement disruption, this infrastructure has remained uncharacteristically consistent, only changing hosting providers. Given the contrasting high level of sophistication between Volt Typhoon’s activity within target organizations and their proxy network, it is possible the KV Botnet is operated by a party other than Volt Typhoon.

censys EN 2025 research Volt-Typhoon KVBotnet exposure
CVE-2024-21591 - Juniper J-Web OOB Write vulnerability https://censys.com/cve-2024-21591-juniper-j-web-oob-write-vulnerability/
14/01/2024 12:26:19
  • Juniper Networks recently patched a critical pre-authentication Remote Code Execution (RCE) vulnerability in the J-Web configuration interface across all versions of Junos OS on SRX firewalls and EX switches.
  • Unauthenticated actors could exploit this vulnerability to gain root access or initiate Denial of Service (DoS) attacks on devices that have not been patched. Ensure your systems are updated promptly to mitigate this risk.
  • Check for exposed J-Web configuration interfaces using this Censys Search query: services.software.uniform_resource_identifier: cpe:2.3:a:juniper:jweb:*:*:*:*:*:*:*:*.
  • As emphasized last year in CISA’s BOD 23-02 guidance, exposed network management interfaces continue to pose a significant risk. Restrict access to these interfaces from the public internet wherever possible.
censys EN 2024 CVE-2024-21591 Juniper J-Web OOB vulnerability RCE exposed
CVE-2023-21554: MSMQ https://censys.wpengine.com/cve-2023-21554/
17/04/2023 21:46:05

On April 12th, 2023, Microsoft released a slew of new patches for its Windows operating system, one of which was to fix CVE-2023-21554, a remotely-exploitable vulnerability in the obscure Windows Message Queuing (MSMQ) service that can lead to remote code execution (RCE).

Censys EN 2023 cve-2023-21554 MSMQ graphs metrics
Pulse Connect Secure: A View from the Internet https://censys.io/pulse-connect-secure-a-view-from-the-internet/
10/12/2022 22:46:22

Pulse Connect Secure is a low-cost and widely-deployed SSL VPN solution for remote and mobile users. Over the years, researchers have found several significant vulnerabilities in the server software, some even resulting in the active exploitation of critical infrastructure by malicious threat actors. In April of 2021, CISA released a report detailing some of these activities, which included exploiting several unknown (at the time) vulnerabilities and resulted in swift action from Ivanti, the Pulse Connect Secure software developer.

censys EN 2022 PulseConnectSecure VPN vulnerable CVE-2021-22893
Shaarli - The personal, minimalist, super-fast, database-free bookmarking service by the Shaarli community - Theme by kalvn - Curated by Decio