Experts Uncover Cyber-Espionage Campaign Exploiting Expired Asus Routers
Most Compromised Routers, Perhaps Not Coincidentally, Are Said to Be in Taiwan and Southeast Asia

It looks like China is creating a massive cyber-espionage operation in a campaign called “Operation WrtHug.” And if reports are true, they might be hijacking expired ASUS routers to create the underlying infrastructure.
According to a report by Tech Radar, security researchers SecurityScorecard and Asus have uncovered a malicious campaign where Chinese state-sponsored threat actors are leveraging vulnerabilities in end-of-life Asus routers to “deploy a unique, self-signed certificate” and assimilate said routers into a botnet for global cyber-espionage.
This campaign shares similarities to other China-linked Operational Relay Box (ORB) campaigns where the infected routers form part of a large operational relay network. In this network, the routers function as nodes where threat actors route their own espionage traffic through innocent people’s routers while hiding their origin. This allows them to build and operate a worldwide infrastructure that they can use to attack high-value geopolitical targets.
What Asus Routers Are Vulnerable and What Vulnerabilities Are Being Attacked?
The Tech Radar report listed the following as the vulnerabilities being abused:
- CVE-2023-41345
- CVE-2023-41346
- CVE-2023-41347
- CVE-2023-41348
- CVE-2024-12912
- CVE-2025-2492
These models, meanwhile, are the ones being assimilated into the botnet:
- 4G-AC55U
- 4G-AC860U
- DSL-AC68U
- GT-AC5300
- GT-AX11000
- RT-AC1200HP
- RT-AC1300GPLUS
- RT-AC1300UHP
Tech Radar notes that the vulnerabilities being exploited are all n-day flaws, which means they have been around for a relatively long period. But because the models being targeted are expired, or have reached their end of life, they are at risk because they either have not received updates to counter said vulnerabilities or were simply not patched by their users.
Campaign Is Careful, Calculated, and Coordinated
As of press time, SecurityScorecard and Asus say the number of hijacked Asus routers is already “in the thousands,” with each one sharing a unique, self-signed TLS certificate with a 100-year expiration date.
“This unusually long-lived certificate is a critical indicator of compromise and points to a level of coordination that reflects careful and calculated espionage,” the SecurityScorecard researchers noted.
So far, most of the compromised routers are said to be in Taiwan and Southeast Asia, two regions where China, incidentally, might have vested interests.
(This is a developing story.)



