Security researchers say a suspected China-state group has compromised thousands of Asus routers in an operation named WrtHug, which focuses on seven router models that the vendor no longer supports.
The attackers appear to target devices past end-of-life, which no longer receive security patches. SecurityScorecard says the activity spans Taiwan, with clusters in South Korea, Japan, Hong Kong, Russia, central Europe, and the United States.
Experts say the operation could be used for espionage rather than overt disruption, and they compare it to operational relay box (ORB) networks, which are used to conceal attackers’ identities.
There is currently no confirmed post-exploit payload, but researchers warn that compromised routers may be repurposed for future operations, highlighting the persistent risk posed by consumer hardware.
To check if you’re affected, inspect the router’s admin TLS certificate. A self-signed certificate with an expiry year such as 2122 is a red flag. If you own an end-of-life Asus model, consider replacing it and disabling services like AICloud, remote administration, SSH, UPnP, and port forwarding. Models cited by researchers include DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP.
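One way to automate the certificate check described above, as an added example rather than code from SecurityScorecard or Asus: it reads the issuer, subject and expiry year from a DER certificate and flags one that is self-issued and expires implausibly far ahead. The 20-year cutoff, port 8443 and the `sample` skeleton certificate are assumptions made for illustration, and issuer == subject stands in for "self-signed" without verifying the signature.

```python
import ssl
from datetime import date

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_fields(der):
    """Return (issuer, subject, expiry_year) from a DER-encoded X.509 certificate."""
    _, p, _ = tlv(der, 0)        # Certificate SEQUENCE
    _, p, _ = tlv(der, p)        # tbsCertificate SEQUENCE
    tag, _, e = tlv(der, p)      # [0] version, or serialNumber in a v1 certificate
    if tag == 0xA0:
        _, _, e = tlv(der, e)    # serialNumber
    _, _, e = tlv(der, e)        # signature algorithm
    _, s, e = tlv(der, e)        # issuer Name
    issuer = der[s:e]
    _, s, v_end = tlv(der, e)    # validity SEQUENCE
    _, _, e = tlv(der, s)        # notBefore
    tag, s, e = tlv(der, e)      # notAfter
    text = der[s:e].decode("ascii")
    # GeneralizedTime (0x18) is YYYY...; UTCTime is YY... and covers 1950-2049 only
    year = int(text[:4]) if tag == 0x18 else int(text[:2]) + (2000 if text[:2] < "50" else 1900)
    _, s, e = tlv(der, v_end)    # subject Name
    return issuer, der[s:e], year

def is_red_flag(der, this_year=None, max_years=20):
    """True if issuer == subject and expiry is over max_years (assumed cutoff) away."""
    issuer, subject, year = cert_fields(der)
    return issuer == subject and year - (this_year or date.today().year) > max_years

def fetch_der(host, port=8443):  # port is an assumption; use your admin HTTPS port
    """Fetch the certificate the admin interface presents, without validating it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed skeleton holding only the fields read above; not a real certificate.
def enc(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length: body under 128 bytes

def sample(not_after, issuer=b"router.example", subject=b"router.example"):
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03"), enc(0x0C, cn))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), enc(0x30),
              name(issuer), enc(0x30, enc(0x17, b"220101000000Z"), not_after), name(subject))
    return enc(0x30, tbs)
```

Against a router you own, `is_red_flag(fetch_der(host))` runs the same check on the certificate its admin page actually serves, where `host` is the router's LAN address.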