Thousands of home and small office routers turned into covert espionage relay nodes across Asia, the US, and Europe
SecurityScorecard’s STRIKE threat intelligence team, in collaboration with ASUS, has uncovered a sophisticated global espionage campaign – dubbed Operation WrtHug – hijacking thousands of ASUS home and SOHO routers worldwide to build stealthy digital infrastructure, allegedly linked to China-based threat actors. Researchers warn that this emerging attack model transforms consumer routers into long-term espionage staging points, blurring the lines between national security threats and consumer-level vulnerabilities.
Nearly 50% of the compromised devices are in Taiwan, with major infection clusters in Southeast Asia, Russia, the United States, and Europe, but notably none in mainland China. Targeted devices include specific ASUS models such as RT-AC1300UHP, GT-AX11000, and DSL-AC68U, many of which are end-of-life (EoL) models lacking vendor support — making them prime targets for long-term exploitation.
A forensic signature of this campaign is a unique self-signed TLS certificate with a 100-year expiration period, discovered across all compromised routers, indicating a high degree of coordination rarely seen at this scale.
“Operation WrtHug is a case study in how nation-state actors are embedding themselves in consumer infrastructure to build stealthy, resilient, global espionage networks,” said Gilad F. Maizles, Security Researcher at SecurityScorecard. “The deliberate targeting of EoL ASUS devices and proprietary services like AiCloud shows the growing strategic importance of SOHO routers as reliable staging points.”
What CISOs Must Know:
- Consumer/SOHO Routers Are Now Strategic Targets: Attackers are moving beyond enterprise perimeter defenses, using households and small offices as covert relay hubs.
- Legacy Infrastructure Is the Weakest Link: WrtHug exploits vulnerabilities associated with CVE-2023-39780, affecting discontinued or unpatched router models.
- Threat Actor Tradecraft Is Evolving: Use of Nth-day vulnerabilities, not zero-days, signals a calculated strategy leveraging known but neglected flaws.
- Certificates Can Be Clues: Extremely long-lived, self-signed TLS certificates could be key identifiers of compromised infrastructure.
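The certificate marker described above (a self-signed TLS certificate with a 100-year validity period) is straightforward to check for at scale. The following Go program is an added example written for this page, not code from SecurityScorecard, ASUS or the campaign itself: it parses a PEM-encoded certificate, tests whether it is self-signed (issuer equals subject and the signature verifies under the certificate's own key), and flags it when its validity exceeds an assumed threshold of 825 days. The sample certificate it generates, the common name `router.local` and the threshold are constructed assumptions for the demonstration; the same `AssessPEM` function can be pointed at a certificate captured from a device's HTTPS listener.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxSaneValidityDays is an assumed threshold for this example; publicly trusted
// leaf certificates are capped at 398 days, so decades-long validity stands out.
const MaxSaneValidityDays = 825

// Finding is the result of inspecting one certificate.
type Finding struct {
	SelfSigned   bool
	ValidityDays int
	Suspicious   bool
	Reason       string
}

// IsSelfSigned reports whether issuer == subject and the signature verifies under the cert's own key.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// Assess flags a certificate that is both self-signed and valid for longer than maxDays.
func Assess(cert *x509.Certificate, maxDays int) Finding {
	days := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	f := Finding{SelfSigned: IsSelfSigned(cert), ValidityDays: days}
	switch {
	case f.SelfSigned && days > maxDays:
		f.Suspicious = true
		f.Reason = fmt.Sprintf("self-signed certificate valid for %d days (threshold %d)", days, maxDays)
	case days > maxDays:
		f.Reason = "long validity but not self-signed; review the issuer before acting"
	case f.SelfSigned:
		f.Reason = "self-signed with ordinary validity; common on SOHO devices"
	default:
		f.Reason = "nothing unusual"
	}
	return f
}

// AssessPEM runs Assess over a PEM-encoded certificate, e.g. one saved from a device's TLS listener.
func AssessPEM(pemBytes []byte, maxDays int) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	return Assess(cert, maxDays), nil
}

// NewSelfSignedCert builds a constructed self-signed certificate valid for validYears (test input only).
func NewSelfSignedCert(cn string, validYears int) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // assumed name, not from the campaign
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(validYears, 0, 0),
	}
	// Passing tmpl as its own parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return cert, pemBytes, nil
}

func main() {
	_, pemBytes, err := NewSelfSignedCert("router.local", 100) // constructed 100-year sample
	if err != nil {
		panic(err)
	}
	f, _ := AssessPEM(pemBytes, MaxSaneValidityDays)
	fmt.Printf("%+v\n", f)
}
```

A long-lived self-signed certificate on its own is only an indicator, not proof of compromise: many routers ship with self-signed certificates by default, so the threshold should be tuned to the device population and the result correlated with the other signals in this report (model, firmware support status, unexpected outbound connections) before an asset is treated as compromised.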
The campaign shares seven IP overlaps with a separate operation known as “AyySSHush”, suggesting either actor cooperation or a merged threat evolution. Both operations demonstrate how attackers are using aging consumer hardware to bypass traditional enterprise defenses, hide traffic, and create persistent, low-observable proxy networks.
SecurityScorecard analysts warn that global supply chain security strategies are incomplete if they overlook consumer-grade devices.