New Botnet Hijacks 9,000 ASUS Routers & Enables SSH Access by Injecting Public Key
A sophisticated botnet campaign dubbed “AyySSHush” has compromised over 9,000 ASUS routers worldwide, establishing persistent backdoor access that survives firmware updates and reboots.
The stealthy operation, first detected in March 2025, demonstrates advanced nation-state-level tradecraft by exploiting authentication vulnerabilities and legitimate router features to maintain long-term control without deploying traditional malware.
Attack Chain Exploiting ASUS Routers
The attackers employ a multi-stage exploitation technique that begins with brute-force login attempts against ASUS router interfaces, followed by leveraging two previously undisclosed authentication bypass vulnerabilities.
Once privileged access is obtained, the threat actors exploit CVE-2023-39780, an authenticated command injection flaw in ASUS router firmware, to execute arbitrary system commands.
The critical payload abuses the oauth_google_refresh_token parameter in a POST request to /start_apply.htm, injecting the command touch /tmp/BWSQL_LOG. Creating that file turns on the router's bandwidth SQL logging feature, and the code path it activates in the bwdpi_sqlite binary passes user-controlled data directly to system() calls, which is how the attackers reach arbitrary command execution.
The attackers then enable SSH access on the non-standard TCP port 53282 and add their own public key to the router's authorized SSH keys (the key is shown only in truncated form in the source report and is not reproduced here).
This configuration change persists across firmware upgrades and reboots because it is made through official ASUS settings stored in non-volatile memory (NVRAM), which a firmware update does not reset.
GreyNoise’s discovery was made possible through their AI-powered threat hunting tool called “Sift,” which flagged just three anomalous HTTP POST requests among millions of daily internet traffic patterns.
The campaign’s stealth is remarkable – only 30 malicious requests were detected across three months despite compromising thousands of devices.
Sift identified the suspicious activity using advanced machine learning techniques, including custom-built Large Language Models (LLMs), nearest neighbor search, and unsupervised clustering to detect payloads targeting ASUS RT-AC3100 and RT-AC3200 routers with factory configurations.
Four IP addresses have been identified as indicators of compromise:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
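Putting the request pattern from the attack chain above together with the four IOC addresses, here is an added example (not code from the article or from GreyNoise) of triage logic a defender could run over HTTP request logs from an ASUS admin interface or a honeypot. The log layout, the sample lines and the `$(touch /tmp/BWSQL_LOG)` payload encoding are constructed for illustration; the article names the endpoint, the parameter, the file and the port, but not the exact bytes the attackers sent. Flagging `sshd_port=53282` in a form body assumes the port change is pushed as an ordinary ASUSWRT settings field, which the article does not state.

```python
"""Flag AyySSHush-style requests and IOC sources in ASUS admin-interface HTTP logs."""
import re
from urllib.parse import parse_qs

# The four source addresses published as indicators of compromise.
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

TARGET_PATH = "/start_apply.htm"            # endpoint named in the report
SINK_PARAM = "oauth_google_refresh_token"   # injected parameter named in the report
ATTACKER_PORT = "53282"                     # SSH port named in the report

# A genuine OAuth refresh token is an opaque token; none of these ever appears in one.
SHELL_META = re.compile(r"[;&|`]|\$\(|\$\{|\n")

# Constructed log lines in a simple "<src_ip> <method> <path> <urlencoded body | ->"
# layout; this is not the format of any real ASUS or GreyNoise log.
SAMPLE_LOG = """\
203.0.113.5 GET /Main_Login.asp -
101.99.91.151 POST /start_apply.htm action_mode=apply&oauth_google_refresh_token=%24%28touch+%2Ftmp%2FBWSQL_LOG%29
198.51.100.7 POST /start_apply.htm action_mode=apply&oauth_google_refresh_token=1%2F%2F0gabcDEFghijkl
203.0.113.9 POST /start_apply.htm action_mode=apply&sshd_enable=1&sshd_port=53282
111.90.146.237 GET /login.cgi -
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into source, method, path and decoded form fields."""
    src, method, path, body = line.split(" ", 3)
    params = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return {"src": src, "method": method, "path": path, "params": params}


def analyze(line: str) -> list[str]:
    """Return the indicators a single request matches (empty list = clean)."""
    rec = parse_line(line)
    findings = []
    if rec["src"] in IOC_IPS:
        findings.append(f"ioc-ip:{rec['src']}")
    if rec["method"] == "POST" and rec["path"] == TARGET_PATH:
        for value in rec["params"].get(SINK_PARAM, []):
            # parse_qs has already URL-decoded the value, so metacharacters are visible.
            if SHELL_META.search(value) or "BWSQL_LOG" in value:
                findings.append(f"cmd-injection:{SINK_PARAM}={value!r}")
    # Assumption: the SSH port change arrives as an ordinary settings form field.
    if rec["params"].get("sshd_port") == [ATTACKER_PORT]:
        findings.append(f"ssh-port-{ATTACKER_PORT}")
    return findings


def scan(log: str) -> dict[str, list[str]]:
    """Map each suspicious log line to its findings; clean lines are omitted."""
    results: dict[str, list[str]] = {}
    for line in log.splitlines():
        if line.strip():
            findings = analyze(line)
            if findings:
                results[line] = findings
    return results


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(f"{line}\n    -> {', '.join(findings)}")
```

The metacharacter test is deliberately generic: it catches the `touch /tmp/BWSQL_LOG` payload but also any other command smuggled into that parameter, while a real refresh token (the third sample line) passes untouched. Adapt `parse_line` to whatever log format you actually have; the detection logic in `analyze` does not depend on it.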
Immediate Action Required
The campaign represents a significant security threat as the backdoor access cannot be removed through standard firmware updates.
ASUS has released patches addressing CVE-2023-39780, but patching closes only the entry point: devices compromised before the update retain the malicious SSH configuration. The attackers also deliberately disable logging and Trend Micro AiProtection features to avoid detection.
Security experts recommend immediately checking ASUS routers for an unauthorized SSH service on TCP port 53282 and reviewing the configured SSH authorized keys for the attacker's public key; because that setting lives in NVRAM, the key must be removed from the router's settings, not merely from a file on the running system.
Organizations should block the identified malicious IP addresses and perform factory resets on suspected compromised devices, followed by complete reconfiguration with strong authentication credentials.
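As an added example of the check recommended above (my code, not the article's or ASUS's), the following audits a saved `nvram show` dump from an ASUSWRT router for the persistence described: SSH enabled, the 53282 port, and authorized keys whose fingerprints are not on an administrator's allowlist. The variable names `sshd_enable`, `sshd_port` and `sshd_authkeys` are the ASUSWRT settings names and are not quoted in the article; the sample dump and the two ed25519 keys in it are constructed test data, not real keys or attacker indicators.

```python
"""Audit an ASUSWRT 'nvram show' dump for AyySSHush-style SSH persistence."""
import base64
import hashlib
import struct

ATTACKER_PORT = "53282"  # SSH port named in the article


def parse_nvram_show(dump: str) -> dict[str, str]:
    """Parse 'key=value' output. A value spanning several lines (several
    authorized keys) continues on lines that hold no new assignment."""
    settings: dict[str, str] = {}
    last = None
    for line in dump.splitlines():
        is_key_line = line.startswith(("ssh-", "ecdsa-"))  # a public key, not a setting
        if "=" in line and not is_key_line:
            key, _, value = line.partition("=")
            settings[key] = value
            last = key
        elif last is not None:
            settings[last] += "\n" + line
    return settings


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the format 'ssh-keygen -lf' prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(settings: dict[str, str], trusted_fingerprints: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    enable = settings.get("sshd_enable", "0")
    if enable != "0":
        findings.append(f"sshd enabled (sshd_enable={enable})")
    port = settings.get("sshd_port", "")
    if port == ATTACKER_PORT:
        findings.append(f"sshd_port={port} matches the port named in the AyySSHush report")
    elif port and port != "22":
        findings.append(f"sshd_port={port} is non-standard; confirm an administrator set it")
    for key_line in settings.get("sshd_authkeys", "").splitlines():
        if key_line.strip():
            fp = fingerprint(key_line)
            if fp not in trusted_fingerprints:
                findings.append(f"untrusted authorized key {fp}")
    return findings


def audit_dump(dump: str, trusted_key_lines: list[str]) -> list[str]:
    """Convenience wrapper: allowlist is given as public-key lines, compared by fingerprint."""
    trusted = {fingerprint(k) for k in trusted_key_lines}
    return audit(parse_nvram_show(dump), trusted)


def ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line from 32 raw bytes (constructed test
    data; the bytes are not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


ADMIN_KEY = ed25519_pubkey_line(bytes(range(32)), "admin@workstation")
UNKNOWN_KEY = ed25519_pubkey_line(bytes(range(32, 64)))

# Constructed dump: the administrator's key plus one the administrator never added.
SAMPLE_DUMP = f"""\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port={ATTACKER_PORT}
sshd_authkeys={ADMIN_KEY}
{UNKNOWN_KEY}
misc_http_x=0
"""

if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP, [ADMIN_KEY]):
        print(finding)
```

Take the dump (`nvram show`) before the factory reset so the attacker's key fingerprint is preserved as evidence; comparing by fingerprint rather than by raw text means a key re-encoded or given a different comment is still recognised, and any key not on the allowlist is reported even if the port and enable flags look normal.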
The sophistication and persistence of this campaign suggest potential links to advanced persistent threat (APT) groups utilizing operational relay box (ORB) networks for long-term strategic objectives.
The post New Botnet Hijacks 9,000 ASUS Routers & Enables SSH Access by Injecting Public Key appeared first on Cyber Security News.