Unattributed operators campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
The Operation WrtHug campaign is hijacking ASUS WRT routers worldwide by exploiting six vulnerabilities and abusing AiCloud, creating a large pool of compromised devices that can be reused for follow-on access. Researchers tied the activity to roughly 50,000 unique IPs across Taiwan, Southeast Asia, Russia, Central Europe, and the United States. The scope matters because many affected devices are end-of-life or outdated and may remain open to further takeover if they are not patched or replaced.
Related Happenings
Tenda firmware hidden admin backdoor security flaw (CVE-2026-11405)
Vulnerability
H score33
First: 07.07.2026 09:40
Last: 07.07.2026 09:40
Sources 1
About this happening:
An **undocumented authentication backdoor** in **Tenda firmware** now exposes multiple router builds to **full administrative takeover without valid credentials**. The flaw is tra...
Tenda firmware hidden admin backdoor security flaw (CVE-2026-11405)
VulnerabilityAbout this happening: An **undocumented authentication backdoor** in **Tenda firmware** now exposes multiple router builds to **full administrative takeover without valid credentials**. The flaw is tra...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
AVRecon malware for Linux powering SocksEscort proxy network
Malware ActivityAbout this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
Motherboard firmware updates for UEFI DMA flaw (ASUS, Gigabyte, MSI, ASRock)
Security Patch Release
H score16
First: 19.12.2025 17:54
Last: 19.12.2025 17:54
Sources 1
About this happening:
**ASUS**, **Gigabyte**, **MSI**, and **ASRock** issued **security bulletins** and **firmware updates** for impacted **motherboard models** after a disclosed **UEFI DMA flaw** expo...
Motherboard firmware updates for UEFI DMA flaw (ASUS, Gigabyte, MSI, ASRock)
Security Patch ReleaseAbout this happening: **ASUS**, **Gigabyte**, **MSI**, and **ASRock** issued **security bulletins** and **firmware updates** for impacted **motherboard models** after a disclosed **UEFI DMA flaw** expo...
ASUS AiCloud routers firmware patch release (CVE-2025-59366 and others)
Security Patch Release
H score36
First: 26.11.2025 13:41
Last: 26.11.2025 13:41
Sources 1
About this happening:
**ASUS** released **new firmware** for **AiCloud-enabled routers** to fix **nine vulnerabilities**, including **CVE-2025-59366**, a **critical authentication bypass** that can let...
ASUS AiCloud routers firmware patch release (CVE-2025-59366 and others)
Security Patch ReleaseAbout this happening: **ASUS** released **new firmware** for **AiCloud-enabled routers** to fix **nine vulnerabilities**, including **CVE-2025-59366**, a **critical authentication bypass** that can let...
ASUS AiCloud routers critical authentication bypass (CVE-2025-59366)
Vulnerability
H score37
First: 26.11.2025 13:41
Last: 26.11.2025 13:41
Sources 1
About this happening:
**CVE-2025-59366** is a **critical authentication bypass** in **ASUS AiCloud-enabled routers** that can let remote, unauthenticated attackers execute functions without proper auth...
ASUS AiCloud routers critical authentication bypass (CVE-2025-59366)
VulnerabilityAbout this happening: **CVE-2025-59366** is a **critical authentication bypass** in **ASUS AiCloud-enabled routers** that can let remote, unauthenticated attackers execute functions without proper auth...
Timeline
-
19.11.2025 16:35 2 articles · 7mo ago
Operation WrtHug affects ASUS WRT routers worldwide
Campaign Scope UpdateSecurityScorecard STRIKE identified Operation WrtHug as a global campaign hijacking thousands of ASUS WRT routers, mostly end-of-life or outdated devices, by exploiting CVE-2025-2492 and other ASUS command-injection flaws. Scanners found roughly 50,000 unique IPs across Taiwan, Southeast Asia, Russia, Central Europe, and the United States, and ASUS has issued security updates for the leveraged vulnerabilities while advising router owners to upgrade firmware, replace unsupported devices, or disable remote access features.
Show sources
- New WrtHug campaign hijacks thousands of end-of-life ASUS routers — www.bleepingcomputer.com — 19.11.2025 16:35
- New WrtHug campaign hijacks thousands of end-of-life ASUS routers — www.bleepingcomputer.com — 19.11.2025 16:35