A sophisticated cyber campaign is silently compromising thousands of ASUS home and small office routers, installing a stealthy backdoor that grants attackers persistent access—even after reboots or firmware updates. The operation is believed to be carried out by a nation-state or similarly well-funded adversary.

How the Attack Works

Researchers from security firm GreyNoise discovered that the attackers are exploiting multiple router vulnerabilities—some of which were never assigned a CVE (Common Vulnerabilities and Exposures) identifier. Once inside, they install a public SSH key, granting them full administrative access through port 53282. Anyone in possession of the corresponding private key can log in undetected with elevated privileges.

This method gives attackers long-term control without traditional malware and leaves almost no obvious trace. The backdoor survives reboots and firmware updates by chaining authentication bypasses with configuration abuse.

Scale and Intent

So far, approximately 9,000 routers have been identified as compromised, and that number is growing. There’s no indication yet that the devices are being actively used in attacks—but this appears to be part of a broader effort to quietly build a base of infected systems, possibly for future operations like botnets, espionage, or supply chain attacks.

The campaign was first observed in mid-March and overlaps with a similar incident reported by Sekoia, which linked the activity to a threat group tracked as ViciousTrap. Public scanning data suggests as many as 9,500 ASUS routers may be affected globally with more being detected daily.

Key Technical Details

  • Exploited CVE: CVE-2023-39780 (command injection flaw), among others.

  • SSH Port Used: 53282

  • Persistent Key: Begins with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVF...

  • Suspicious IPs:

    • 101.99.91[.]151

    • 101.99.94[.]173

    • 79.141.163[.]179

    • 111.90.146[.]237

What Users Should Do

If you’re using an ASUS router—or any internet-facing router—take the following steps immediately:

  • Inspect your SSH configuration for unauthorized keys or non-standard ports.

  • Check system logs for suspicious access from the IPs listed above.

  • Update firmware to the latest version available from ASUS.

  • Remove any unrecognized SSH keys and restore default port settings.

For small businesses relying on consumer-grade networking gear, this is a wake-up call: you may be exposed without even knowing it. At Cost+, we recommend regular firmware patching, network monitoring, and migrating to business-class network appliances with managed security support.

Schedule Your Free Security Check Today

If you’re unsure whether your routers are secure—or need help evaluating your network for hidden vulnerabilities—schedule a free cybersecurity assessment with our team today.