Unfixable Backdoor: 9,000 Asus Routers Face Persistent Botnet Threat

Updated on June 6, 2025

A newly discovered botnet dubbed ‘AyySSHush’ has claimed thousands of Asus routers. Cybersecurity company GreyNoise discovered this stealthy attack in March 2025 and has reported that it exploits authentication vulnerabilities and uses the router’s own capabilities to provide long-term access. This backdoor does not depend on any viruses and cannot be removed via firmware upgrades.

The attack starts when the threat actors combine brute-force login attempts with authentication bypass techniques, some of which are undocumented and do not have CVEs assigned. Once inside, the attackers use a known command injection flaw (CVE-2023-39780) to issue arbitrary commands at the OS level. Because it relies on legitimate features contained in the firmware, this technique lets the attackers change the router’s setup.

To maintain persistent access, the attackers make use of official features of Asus routers. They gain remote administrator authority by installing their own public SSH key and by activating SSH on an unusual port (TCP 53282). Because the backdoor is written to the router’s non-volatile memory (NVRAM), it survives device reboots and firmware upgrades. Moreover, the attackers disable system logging and the router’s AiProtection security features so that their actions remain unnoticed.

“The techniques employed by the attackers demonstrated careful planning for persistence with great knowledge of the system design,” GreyNoise explained. According to data from Censys, which identifies and catalogs internet-facing infrastructure globally, at least 9,000 Asus routers are currently confirmed as compromised. GreyNoise distinguishes which internet-exposed devices are being actively targeted or exploited, while Censys locates the exposed devices. Together, the two sources provide a more comprehensive understanding of the stealth and size of the ongoing effort.

Consumers should perform extra manual steps to ensure that their Asus routers are entirely secure. Where a device is believed to be compromised, it is best to do a full factory reset and then reconfigure the router from scratch.
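As an added example (not code from GreyNoise, Censys or Asus), the following Python sketch checks a router you administer for the two persistence indicators described above: an SSH server answering on TCP 53282, and authorized SSH keys you do not recognise. The router address `192.168.1.1`, the sample key lines and the idea of pasting the key list from the router's SSH settings are assumptions made for illustration.

```python
import base64
import hashlib
import socket

BACKDOOR_PORT = 53282  # TCP port named in the article

def ssh_banner(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return the SSH banner if an SSH server answers on host:port, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            data = conn.recv(255)
    except OSError:  # refused, filtered or timed out
        return None
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return line if line.startswith("SSH-") else None

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of an authorized_keys line, or None."""
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # not valid base64
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def unknown_keys(authorized_keys_text, trusted_fingerprints):
    """Return key lines whose fingerprint the administrator does not recognise."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            if fingerprint(line) not in trusted_fingerprints:
                flagged.append(line)  # unparseable lines are flagged too
    return flagged

if __name__ == "__main__":
    # Constructed sample data: both "keys" are placeholders, not real keys.
    mine = "ssh-ed25519 " + base64.b64encode(b"constructed-admin-key").decode() + " admin@laptop"
    other = "ssh-rsa " + base64.b64encode(b"constructed-unknown-key").decode()
    trusted = {fingerprint(mine)}
    print("SSH on 53282:", ssh_banner("192.168.1.1"))  # assumed router LAN address
    print("Unrecognised keys:", unknown_keys(mine + "\n" + other, trusted))
```

The fingerprints use the same format that `ssh-keygen -lf` prints, so the trusted set can be built from your own public key files.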

Manisha Singh

Journalist / Writer

