- GreyNoise finds a new hacking campaign targeting ASUS equipment
- Threat actors use poorly secured routers to obtain initial access
- They abuse known flaws to establish persistent access and build a botnet
Thousands of ASUS routers have been compromised and turned into a malicious botnet after hackers exploited a serious security vulnerability, experts have warned.
“This appears to be part of a stealth operation to assemble a distributed network of backdoored devices – potentially laying the groundwork for a future botnet,” noted researchers at cybersecurity firm GreyNoise, who first spotted the attacks in mid-March 2025.
Using SIFT (GreyNoise's network traffic analysis tool) and a fully emulated ASUS router profile running in GreyNoise's global observation grid, the researchers determined that the threat actors first broke into the routers with brute-force login attempts and an authentication bypass.
Advanced operations
These poorly secured routers were easy pickings for the attackers, who then went on to use a command injection flaw to execute system commands.
This flaw is tracked as CVE-2023-39780 and carries a severity score of 8.8/10 (high).
The vulnerability was first published in the National Vulnerability Database (NVD) on September 11, 2023, and ASUS has since released firmware updates to fix it. Note that the attackers chained three weaknesses: weak credentials (brute force), an authentication bypass, and only then the command injection, so patching the CVE alone does not close the initial-access path if the admin password is weak.
“The tactics used in this campaign – stealthy access, use of built-in system functionality for persistence, and careful evasion of detection – are consistent with those observed in advanced, long-term operations, including activity associated with advanced persistent threat (APT) networks and operational relay box (ORB) networks,” GreyNoise explains.
“Although GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
The attackers use this ability to run system commands to install a backdoor whose configuration is stored in the router's non-volatile memory (NVRAM).
This means the access they establish survives both reboots and firmware updates: a firmware update rewrites the flash partitions holding the operating system but preserves the settings kept in NVRAM, so only a factory reset that clears NVRAM removes the change. The attackers can therefore maintain long-term access without dropping malware to disk or leaving other obvious traces.
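Because the persistence lives in configuration rather than in a file, the practical check on an ASUS router is to dump its settings and compare them with a known-good baseline. The script below is an added example, not GreyNoise's or ASUS's tooling: it parses an ASUSWRT-style `nvram show` dump (assumed to be `key=value` lines with a trailing `size:` summary), flags remote-access settings that differ from the baseline, and flags any value that looks like an SSH public key regardless of which key it sits under. The key names in `REMOTE_ACCESS_KEYS`, the two dumps, the port number and the key material are all constructed for illustration and should be checked against your own model's output.

```python
"""Audit an ASUSWRT-style `nvram show` dump for persistence artefacts.

Added example for illustration; not GreyNoise's or ASUS's own tooling.
Assumes the dump is `key=value` lines as printed by `nvram show`, followed
by a `size: ...` summary line. Key names and sample data are constructed.
"""
import re

# Settings that control remote administrative access on ASUSWRT-family
# firmware. Assumed names; verify them against your own router's dump.
REMOTE_ACCESS_KEYS = {
    "sshd_enable", "sshd_wan", "sshd_port", "sshd_authkeys", "sshd_pass",
    "telnetd_enable", "misc_http_x", "misc_httpport_x",
}

# Matches the start of an OpenSSH-format public key (type, space, base64).
SSH_PUBKEY_RE = re.compile(
    r"^(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/]+=*"
)

# Constructed known-good dump taken right after a factory reset.
BASELINE_DUMP = """\
sshd_enable=0
sshd_wan=0
sshd_port=22
sshd_authkeys=
telnetd_enable=0
misc_http_x=0
wan_proto=dhcp
lan_ipaddr=192.168.50.1
size: 120 bytes (65416 left)
"""

# Constructed dump from a router whose settings were tampered with:
# SSH enabled on the WAN side on a non-standard port, an injected
# authorized key, and one setting the baseline never had.
SUSPECT_DUMP = """\
sshd_enable=1
sshd_wan=1
sshd_port=48123
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedKeyMaterial== intruder
telnetd_enable=0
misc_http_x=0
wan_proto=dhcp
lan_ipaddr=192.168.50.1
jffs_custom_flag=1
size: 200 bytes (65336 left)
"""


def parse_nvram_dump(text):
    """Turn `key=value` lines into a dict, skipping the `size:` summary."""
    entries = {}
    for line in text.splitlines():
        if line.startswith("size:") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value
    return entries


def audit_nvram(current, baseline):
    """Compare a current dump with a baseline; return (key, reason, value).

    Only keys whose value differs from the baseline (or that the baseline
    lacks) are reported. An SSH public key anywhere outranks the other
    reasons because that is the strongest sign of a planted login.
    """
    findings = []
    for key in sorted(current):
        value = current[key]
        if key in baseline and baseline[key] == value:
            continue  # unchanged from the known-good state
        if SSH_PUBKEY_RE.match(value):
            reason = "value is an SSH public key"
        elif key in REMOTE_ACCESS_KEYS:
            reason = "remote-access setting changed"
        elif key not in baseline:
            reason = "key absent from baseline"
        else:
            reason = "value changed"
        findings.append((key, reason, value))
    return findings


if __name__ == "__main__":
    current = parse_nvram_dump(SUSPECT_DUMP)
    baseline = parse_nvram_dump(BASELINE_DUMP)
    for key, reason, value in audit_nvram(current, baseline):
        print(f"{key}: {reason} -> {value[:40]}")
```

Run it against a real device by saving `nvram show` output from a freshly reset unit as the baseline and from the unit under investigation as the current dump; anything reported under "remote-access setting changed" or "value is an SSH public key" that you did not configure yourself is a reason to factory-reset, since a firmware update alone will carry the NVRAM contents forward.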
It is not known exactly how many devices are compromised, beyond the fact that there are “thousands” and that the number is “steadily increasing”.