- GreyNoise finds new hacking campaign targeting Asus hardware
- The threat actors are exploiting poorly secured routers to gain initial access
- They abuse known flaws to establish persistent access and create a botnet
Thousands of ASUS routers were compromised and turned into a malicious botnet after hackers uncovered a troubling security vulnerability, experts have warned.
“This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet,” noted cybersecurity researchers GreyNoise, who first spotted the attacks in mid-March 2025.
Using Sift (GreyNoise’s network payload analysis tool) and a fully emulated ASUS router profile running in the GreyNoise Global Observation Grid, the researchers determined that the threat actors were first breaching routers with brute force and authentication bypassing.
Advanced operations
These poorly configured routers were easy pickings for the attackers, who then proceeded to exploit a command injection flaw to run system commands.
This flaw is tracked as CVE-2023-39780 and carries a severity score of 8.8/10 (high).
The vulnerability was first published in the National Vulnerability Database (NVD) on September 11, 2023, and since then ASUS released firmware updates to address it.
“The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks,” GreyNoise further explains.
“While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
The attackers use the ability to run system commands, to install a backdoor that’s stored in non-volatile memory (NVRAM).
This means the access they establish survives both reboots and firmware updates. The attackers can maintain long-term access without dropping stage-two malware, or leaving other obvious traces.
We don’t know exactly how many devices are compromised, other than that there are “thousands”, with the number “steadily increasing”.
