
New Botnet Compromises 9,000 ASUS Routers by Injecting SSH Public Keys

Cybersecurity researchers at GreyNoise have uncovered a sophisticated exploitation campaign targeting thousands of ASUS routers worldwide, with attackers establishing persistent backdoor access that survives both reboots and firmware updates.

The operation, detected through the company’s proprietary AI-powered analysis tool called Sift, represents a concerning escalation in router-based attacks that could serve as the foundation for a massive botnet infrastructure.

The attack campaign, which began in March 2025, has successfully compromised nearly 9,000 ASUS routers according to data from internet monitoring platform Censys.

What makes this operation particularly alarming is its stealth approach—GreyNoise sensors detected only 30 related requests across three months, demonstrating the attackers’ careful efforts to avoid detection while systematically building their network of compromised devices.

The discovery timeline reveals a coordinated response effort, beginning when GreyNoise’s Sift AI technology flagged anomalous traffic on March 17, 2025.

Researchers began investigating the following day, with disclosure initially deferred to coordinate with government and industry partners.

The findings align with similar discoveries announced by Sekoia on May 22, 2025, as part of their ‘ViciousTrap’ campaign research.


The attackers employ a sophisticated four-stage exploitation chain that demonstrates advanced technical knowledge of ASUS router systems.

Initial access is gained through brute-force login attempts combined with two authentication bypass techniques that currently lack assigned CVE identifiers.

Once inside, attackers leverage CVE-2023-39780, a command injection vulnerability, to execute arbitrary system commands on the compromised devices.

The persistence mechanism represents the most concerning aspect of this campaign. Attackers abuse legitimate ASUS router features to enable SSH access on a custom port (TCP/53282) and inject their own public SSH key into the system’s authorized_keys file.

Critically, this configuration is stored in the router’s non-volatile memory (NVRAM) rather than on disk, ensuring the backdoor survives firmware updates and device reboots.

The attackers also disable logging functions before establishing persistence, further reducing their chances of detection.

ASUS Patches Vulnerability

While ASUS has released firmware updates addressing CVE-2023-39780 and the authentication bypass techniques, the company’s patches do not automatically remove existing SSH configurations from previously compromised devices.

This means routers that were infected before updating will retain their backdoor access unless administrators manually review and remove unauthorized SSH keys.

Security researchers have identified four malicious IP addresses associated with this campaign: 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237.

Network administrators are advised to immediately block these addresses and check their ASUS routers for unauthorized SSH access on port 53282.

For organizations suspecting compromise, experts recommend performing a complete factory reset followed by manual reconfiguration rather than relying solely on firmware updates.
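The checks above (SSH enabled on TCP/53282, an unknown key in the NVRAM-backed authorized key list, and connections to the four listed addresses) can be scripted. The following POSIX shell audit is an added example, not code from GreyNoise, ASUS or the article; it assumes the ASUSWRT-style NVRAM variable names sshd_enable, sshd_port and sshd_authkeys and a '>' separator between stored keys, and it runs against constructed sample data rather than a live device.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): audit an ASUSWRT-style
# `nvram show` dump and a netstat-style connection list for the indicators the
# article describes. Variable names and the '>' key separator are assumptions;
# confirm them on your firmware with `nvram show | grep sshd_`.

# --- constructed sample inputs (replace with "$(nvram show)" / "$(netstat -an)" on a router) ---
SAMPLE_NVRAM='sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EEXAMPLEADMINKEY admin@lan>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEUNKNOWN root@unknown'

# Keys the administrator knows they installed (constructed).
TRUSTED_KEYS='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEADMINKEY admin@lan'

# Addresses named in the article.
CAMPAIGN_IPS='101.99.91.151 101.99.94.173 79.141.163.179 111.90.146.237'

# Constructed connection listing: one hit on the backdoor port from a campaign IP.
SAMPLE_CONNS='tcp 0 0 192.168.50.1:53282 101.99.94.173:44120 ESTABLISHED
tcp 0 0 192.168.50.1:443 192.168.50.20:51234 ESTABLISHED'

# nvget DUMP KEY: print the value of KEY from an `nvram show` dump.
nvget() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# ssh_port_suspicious DUMP: succeed (exit 0) when SSH is enabled and bound to
# the port this campaign is known to use.
ssh_port_suspicious() {
  en=$(nvget "$1" sshd_enable)
  port=$(nvget "$1" sshd_port)
  [ -n "$en" ] && [ "$en" != "0" ] && [ "$port" = "53282" ]
}

# unknown_keys DUMP TRUSTED: print every key in sshd_authkeys that is not an
# exact line of TRUSTED (newline-separated list).
unknown_keys() {
  nvget "$1" sshd_authkeys | tr '>' '\n' | while IFS= read -r k; do
    [ -n "$k" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$k" || printf '%s\n' "$k"
  done
}

# unknown_key_count DUMP TRUSTED: number of untrusted keys found.
unknown_key_count() {
  unknown_keys "$1" "$2" | grep -c .
}

# matched_campaign_ips CONNS: print each campaign address present in CONNS.
matched_campaign_ips() {
  for ip in $CAMPAIGN_IPS; do
    printf '%s\n' "$1" | grep -qF -- "$ip" && printf '%s\n' "$ip"
  done
}

# Stand-alone run: report findings for the constructed sample. Findings are
# printed rather than turned into a non-zero exit so the script can be chained.
if ssh_port_suspicious "$SAMPLE_NVRAM"; then
  echo "WARNING: SSH enabled on TCP/53282 (port used by this campaign)"
fi
unknown_keys "$SAMPLE_NVRAM" "$TRUSTED_KEYS" | sed 's/^/WARNING: untrusted key in sshd_authkeys: /'
matched_campaign_ips "$SAMPLE_CONNS" | sed 's/^/WARNING: connection involving campaign IP: /'
echo "Audit complete; on a positive finding, factory reset and re-add only trusted keys."
```

Because the key list lives in NVRAM, removing the entry from the web UI or clearing sshd_authkeys without a factory reset leaves the attacker's earlier access and any other NVRAM changes unreviewed, which is why the script only reports and defers to the reset the article recommends.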

The sophisticated nature of this campaign, with its emphasis on stealth and persistence, suggests the involvement of well-resourced threat actors potentially building infrastructure for future large-scale operations.

The post New Botnet Compromises 9,000 ASUS Routers by Injecting SSH Public Keys appeared first on Cyber Security News.