The newly discovered AyySSHush botnet campaign has silently compromised over 9,000 ASUS routers, installing a persistent SSH backdoor using a series of sophisticated and stealthy techniques. The campaign highlights a growing threat to home and small office routers, leveraging legitimate features to maintain control, all without deploying traditional malware.
Security researchers at GreyNoise uncovered the campaign in mid-March 2025, but the operation has likely been active for months. The scale, stealth, and sophistication of the attack suggest the work of a highly capable, possibly nation-state-backed, threat actor.
What Happened?
The AyySSHush campaign targets specific ASUS router models, including the RT-AC3100, RT-AC3200, and RT-AX55. These models are commonly used in home and small office settings, making them attractive targets for attackers seeking widespread, low-profile footholds.
The attackers also appear to be probing and exploiting other SOHO routers from vendors such as Cisco, D-Link, and Linksys, indicating the campaign’s broader scope.
Despite the scale (over 9,000 confirmed compromised devices), GreyNoise observed only 30 malicious requests over a three-month period, underscoring the operation’s stealth.
How the Attack Works
The attackers employ multiple vectors to compromise devices:
Brute-Force Credential Attacks
They begin with brute-force attempts to guess router login credentials, capitalizing on weak or unchanged default passwords.
Authentication Bypass
In some cases, the attackers use techniques that circumvent standard login processes entirely, though details on these methods remain undisclosed.
Exploiting CVE-2023-39780
The primary vulnerability exploited is CVE-2023-39780, a command injection flaw in ASUS firmware. This critical vulnerability allows remote attackers to execute arbitrary commands on vulnerable devices.
A Persistent and Malware-Free Backdoor
What sets this campaign apart is its persistence and stealth:
- Once compromised, the router’s SSH daemon is reconfigured to listen on TCP port 53282 instead of the default.
- The attacker’s SSH public key is added to the router, enabling passwordless remote access.
- These changes are made using legitimate ASUS features, not injected malware, which allows them to survive reboots and firmware upgrades.
- To avoid detection, logging is disabled, and Trend Micro’s AiProtection security feature is turned off.
This malware-free approach makes the attack incredibly difficult to detect and remove without a full inspection or factory reset.
Why This Attack Is So Concerning
The AyySSHush campaign is alarming for several reasons:
- Persistence: Most router malware is wiped by reboots or firmware updates. This backdoor isn’t.
- Legitimate Tools: By using built-in features, the attackers avoid triggering traditional malware detection tools.
- Stealth: Minimal malicious traffic makes the campaign easy to overlook.
- Targeting SOHO Devices: Home and small office routers often lack the robust monitoring and patching of enterprise equipment.
- State-Actor Potential: While attribution is still uncertain, the campaign’s sophistication suggests possible nation-state involvement.
What Should ASUS Router Owners Do?
If you own one of the affected ASUS models, or any SOHO router, we advise you to take the following steps immediately:
Update Firmware
Install the latest firmware version for your device. ASUS has likely patched the vulnerability (CVE-2023-39780), so updating closes the door to new intrusions.
Check for Unauthorized SSH Access
Log in to your router’s admin panel.
Check if SSH is enabled and listening on port 53282.
Review the authorized SSH keys — if you see unfamiliar ones, your router may be compromised.
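The two indicators this article gives for the backdoor (an SSH listener on TCP 53282 and an unfamiliar public key in the router's authorized keys) can be checked mechanically from a machine on your own LAN. The script below is an added example written for this page; it is not code from GreyNoise, ASUS, or the campaign itself. It assumes you have already exported the router's authorized_keys contents (for example by copying them from the admin panel) and that you keep an allowlist of fingerprints for the keys you provisioned yourself; the router address 192.168.1.1 and the sample key lines are constructed, and the 32-byte key material is filler rather than a real key pair.

```python
"""Defender-side audit for the AyySSHush indicators named in the article:
an SSH listener on TCP 53282 and a key in authorized_keys the owner did not add."""
import base64
import hashlib
import socket
import struct

BACKDOOR_PORT = 53282  # port the article says the reconfigured sshd listens on
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_key(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key from one repeated byte.
    Constructed filler for the example only, not real key material."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, base64_blob, comment) for each key line.
    Blank lines and '#' comments are skipped; a leading options field such as
    'no-pty' is skipped by locating the first token that looks like a key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPE_PREFIXES):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def audit_authorized_keys(text: str, trusted_fingerprints) -> list:
    """Return every key whose fingerprint is not in the owner's allowlist."""
    unknown = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in trusted_fingerprints:
            unknown.append({"type": key_type, "fingerprint": fp, "comment": comment})
    return unknown


def probe_ssh_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> bool:
    """True if host accepts a TCP connection on port. Point this at your own
    router from inside the LAN; an open 53282 matches the article's indicator."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or sockets unavailable
        return False


# Constructed sample: the owner's own key plus one the owner never added.
OWNER_KEY = constructed_ed25519_key(0x11)
UNKNOWN_KEY = constructed_ed25519_key(0x42)
SAMPLE_AUTHORIZED_KEYS = (
    "# keys the owner provisioned\n"
    f"{OWNER_KEY} owner@laptop\n"
    f"no-pty {UNKNOWN_KEY} added-by-someone-else\n"
)
TRUSTED = {fingerprint(OWNER_KEY.split()[1])}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, TRUSTED):
        print("unknown key:", finding)
    router = "192.168.1.1"  # assumed LAN address; replace with your router's
    if probe_ssh_port(router):
        print(f"{router} accepts SSH on {BACKDOOR_PORT}: matches the backdoor indicator")
```

Run it with your own router address and your real allowlist; any key the audit reports, or an open 53282, is reason to go straight to the factory reset step. The allowlist is keyed on fingerprints rather than comments because the comment field is free text an attacker can set to anything.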
Perform a Factory Reset
If you suspect any compromise, do a full factory reset to purge unauthorized configurations.
Reconfigure with Best Practices
Use strong, unique passwords.
Disable remote access features if not required.
Enable firewalls and intrusion detection features if available.
Monitor Network Activity
Keep an eye out for unusual traffic or unknown devices on your network. Regularly audit your router’s logs, and treat logging that has been switched off without your knowledge as a warning sign in itself, since this campaign disables it.
SOHO Routers as a Growing Target
This campaign is part of a broader trend where threat actors increasingly target consumer-grade and small office networking devices. These routers are often under-patched, misconfigured, or simply forgotten, making them low-hanging fruit for cybercriminals and advanced persistent threats alike.
The AyySSHush botnet shows just how much damage it can do without malware, simply by using the tools provided by the device itself.
Final Thoughts
The AyySSHush botnet is a wake-up call for both consumers and manufacturers. For users, it’s a reminder that routers need regular updates and security attention, just like your phone or computer. For vendors, it’s a prompt to implement stronger safeguards around configuration persistence, logging, and admin access.
As routers continue to be an entry point for larger network intrusions, vigilance and proactive defense are essential. If you haven’t checked your router’s settings lately, now would be a good time.