Executive Summary:

• A new, stealthy ASUS router botnet, dubbed AyySSHush, abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates, evading traditional detection methods.
• GreyNoise observed the campaign in March 2025; Censys scan data reveals its global footprint and how it's evolved over the past five months
  4,504 ASUS devices show indicators of compromise as of May 28, 2025, identified by having SSH running on port TCP/53282 — a relatively strong indicator of AyySSHush compromise since this high, nonstandard port is specifically used by the botnet
• The compromises are globally spread with an APAC concentration: the top affected countries include the U.S., Sweden, Taiwan, Singapore, and Hong Kong.
• Residential ISPs across Asia, Europe, and the U.S. appear to be the main targeted networks, aligning with the typically observed residential proxy botnet strategy that mimics legitimate users to evade detection.
  Historical trends in compromises observed online reveal a highly dynamic scale of botnet operations that rapidly scaled up and down by 50% in a matter of weeks
• Attackers leverage ASUS's own built-in configuration tools to inject SSH keys that survive firmware resets -- patching alone isn't enough.
• Check out our live dashboard tracking exposed ASUS devices with indicators of compromise
  Introduction
  On March 18 2025, researchers at GreyNoise uncovered a sophisticated botnet campaign targeting ASUS routers. Dubbed AyySSHush, the operation exploits legitimate features of ASUS’s AiProtection system to implant persistent SSH backdoors that survive firmware resets. This is an alarming example of threat actors exploiting vendor-sanctioned capabilities to establish a persistent, hard-to-detect presence in consumer-grade hardware.

Censys has been tracking this botnet’s global footprint in partnership with findings from both GreyNoise and Sekoia researchers.

To aid in ongoing tracking and research, we’ve launched a live dashboard that tracks exposed ASUS routers showing indicators of AyySSHush compromise. The data updates daily and provides real-time insight into global trends.

The Taiwanese hardware maker says it has no plans patch the flaws impacting legacy router models

n Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database.

An advisory by CISA and multiple international cybersecurity agencies highlights the tactics, techniques, and procedures (TTPs) of APT40 (aka

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available…

The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port.

Russian APT28 military hackers are using compromised Ubiquiti EdgeRouters to evade detection, the FBI says in a joint advisory issued with the NSA, the U.S. Cyber Command, and international partners.
#APT28 #Computer #FBI #InfoSec #Router #Russia #Security #Ubiquiti

A Mirai-based botnet named 'InfectedSlurs' is exploiting a remote code execution (RCE) vulnerability in QNAP VioStor NVR (Network Video Recorder) devices to hijack and make them part of its DDoS (distributed denial of service) swarm.
#Actively #Botnet #Computer #Exploited #FXC #InfectedSlurs #InfoSec #Malware #QNAP #Router #Security #Vulnerability

Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service.

ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured.