Over 9,000 Asus routers infected with backdoor that survives firmware updates

29.05.2025 | Author: Newsman

More than 9,000 Asus Wi-Fi 6 routers have been compromised by a new botnet called AyySSHush, which plants a backdoor that persists on the devices even after firmware updates. The backdoor gives the attackers unfettered remote access to the routers.

GreyNoise researchers reported that attackers are compromising Asus RT-AX55 routers using a combination of brute force, known authentication flaws, and an exploit for CVE-2023-39780. The attackers enable SSH on the non-standard port TCP/53282, add their own public key, and disable logging. The backdoor is kept in NVRAM, so it survives both firmware updates and reboots. Although Asus has already released a patch, the patch does not remove the backdoor from devices that are already infected.

The first signs of suspicious activity were recorded on March 17, 2025. The activity correlates with the actions of the ViciousTrap hacking group, which was identified by Sekoia on May 22. The group attacks network devices worldwide, except in China, which probably indicates a Chinese footprint. GreyNoise sensors registered only 30 requests in three months, which indicates a high level of stealth.

Experts urge owners of Asus routers to update the firmware immediately, check whether SSH is running, clean the authorized_keys file, and perform a full reset if there are any suspicious signs. Avoid enabling remote management features unless strictly necessary. AyySSHush is probably just the first stage in building a new botnet for future DDoS attacks or proxy connections.
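
A defender-side check for the steps above, as an added example that is not from the article, GreyNoise or Asus: it probes a router you administer for an SSH banner on TCP/53282 and lists authorized_keys entries whose fingerprints are not in your trusted set. The function names, the trusted set, the placeholder address and the sample key blobs are assumptions made for illustration.

```python
import base64, hashlib, socket

BACKDOOR_PORT = 53282  # non-standard SSH port named in the article
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key type names

def parse_banner(data):
    """Return the SSH identification string from a port's first bytes, or None."""
    line = data.split(b"\n", 1)[0].strip()
    return line.decode("ascii", "replace") if line.startswith(b"SSH-") else None

def ssh_banner(host, port=BACKDOOR_PORT, timeout=3.0):
    """Probe a router you administer; None means closed, filtered or not SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return parse_banner(s.recv(255))
    except OSError:
        return None

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unknown_keys(text, trusted):
    """List (line_no, key_type, fingerprint) for every key not in `trusted`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type token first
        # (quoted options that contain spaces are not handled here).
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append((no, "unparsed", None))
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:
            fp = None  # malformed blob: report it rather than skip it
        if fp not in trusted:
            findings.append((no, tokens[idx], fp))
    return findings

if __name__ == "__main__":
    b64 = lambda b: base64.b64encode(b).decode()
    admin, other = b64(b"constructed-admin-key"), b64(b"constructed-unknown-key")
    # Constructed authorized_keys content; the blobs are not real keys.
    sample = "ssh-ed25519 %s admin@laptop\nssh-rsa %s\n" % (admin, other)
    print(unknown_keys(sample, {fingerprint(admin)}))
    print(ssh_banner("192.0.2.1", timeout=1.0))  # placeholder address, not a real router
```

Any banner returned on that port, or any key reported as unknown, is a reason to follow the full-reset advice rather than rely on the firmware update alone.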
