Why Compliance Starts Outside Your Organization

In today’s regulatory environment, your business is only as secure as the vendors you trust.

Regulatory Pressure Is Increasing—And So Are Third-Party Expectations
For many companies, compliance used to be an internal concern. But that’s no longer the case. Regulators now expect businesses to evaluate the cybersecurity posture, privacy practices, and operational resilience of every third-party vendor they work with—especially those with access to sensitive data or business-critical systems.

Whether it’s a cloud provider, software vendor, payment processor, or outsourced IT support team, the risks are real. According to the Ponemon Institute, 51% of data breaches in the last year involved a third party.

Federal and state regulations—from HIPAA and GLBA to the FTC Safeguards Rule—have updated requirements that make vendor risk management a formal part of compliance. It’s not enough to have a signed contract or a SOC 2 report on file. Companies must demonstrate they’ve done due diligence, implemented appropriate controls, and continue to monitor third-party performance over time.

Key Elements of a Vendor Risk Management Program
A mature vendor risk management (VRM) program includes several core components:

  • Initial Risk Assessments: Evaluating each vendor’s access, data handling practices, and security controls.

  • Contractual Protections: Ensuring contracts contain security obligations, breach notification timelines, and audit rights.

  • Ongoing Monitoring: Reviewing vendors annually, tracking compliance, and documenting any incidents.

  • Offboarding Procedures: Ensuring secure data return or destruction when a relationship ends.

Too often, businesses rely on outdated spreadsheets or informal processes that can’t scale—or survive an audit. And without a clear framework, even well-meaning companies can miss warning signs that a vendor poses a growing risk.

Compliance+ Helps You Build a Defensible Program
At Cost+, our Compliance+ service is designed to help you implement and maintain a vendor risk management program that meets regulatory expectations and reduces business exposure.

We assist with vendor classification, policy creation, risk assessments, and documentation—ensuring your program aligns with today’s compliance standards.

For companies without internal compliance teams, or those needing to modernize outdated processes, we provide the tools and expertise to close the gap and protect your business from third-party fallout.

Schedule Your Free Consultation Today
Learn how Cost+ can help you build a stronger vendor risk program—book your free consultation with our Compliance+ team today.

May 29, 2025 | 2025-05-29T17:44:00-05:00

Nation-State-Linked Attack Targets Thousands of ASUS Routers with Persistent Backdoor

A sophisticated cyber campaign is silently compromising thousands of ASUS home and small office routers, installing a stealthy backdoor that grants attackers persistent access—even after reboots or firmware updates. The operation is believed to be carried out by a nation-state or similarly well-funded adversary.

How the Attack Works

Researchers from security firm GreyNoise discovered that the attackers are exploiting multiple router vulnerabilities—some of which were never assigned a CVE (Common Vulnerabilities and Exposures) identifier. Once inside, they install a public SSH key, granting them full administrative access through port 53282. Anyone in possession of the corresponding private key can log in undetected with elevated privileges.

This method gives attackers long-term control without traditional malware and leaves almost no obvious trace. The backdoor survives reboots and firmware updates by chaining authentication bypasses with configuration abuse.


Scale and Intent

So far, approximately 9,000 routers have been identified as compromised, and that number is growing. There’s no indication yet that the devices are being actively used in attacks—but this appears to be part of a broader effort to quietly build a base of infected systems, possibly for future operations like botnets, espionage, or supply chain attacks.

The campaign was first observed in mid-March and overlaps with a similar incident reported by Sekoia, which linked the activity to a threat group tracked as ViciousTrap. Public scanning data suggests as many as 9,500 ASUS routers may be affected globally with more being detected daily.

Key Technical Details

  • Exploited CVE: CVE-2023-39780 (command injection flaw), among others.

  • SSH Port Used: 53282

  • Persistent Key: Begins with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVF...

  • Suspicious IPs:

    • 101.99.91[.]151

    • 101.99.94[.]173

    • 79.141.163[.]179

    • 111.90.146[.]237

What Users Should Do

If you’re using an ASUS router—or any internet-facing router—take the following steps immediately:

  • Inspect your SSH configuration for unauthorized keys or non-standard ports.

  • Check system logs for suspicious access from the IPs listed above.

  • Update firmware to the latest version available from ASUS.

  • Remove any unrecognized SSH keys and restore default port settings.
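The four checks above, worked through as an added example (this is not code from the original post or from GreyNoise): it matches the key prefix, port and IP indicators exactly as listed in the post against an authorized_keys file, the configured SSH port and system log text. The authorized_keys and log samples are constructed for illustration; on a real device you would pass in the live values.

```python
import re
from typing import List, Optional

# Indicators exactly as the post lists them; the IPs are defanged there,
# so strip the "[.]" before matching them against log lines.
KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVF"
BACKDOOR_PORT = 53282
SUSPICIOUS_IPS = {ip.replace("[.]", ".") for ip in (
    "101.99.91[.]151", "101.99.94[.]173", "79.141.163[.]179", "111.90.146[.]237")}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # whole dotted quads only

# Constructed samples standing in for the router's authorized_keys and syslog.
SAMPLE_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFConstructedRestOfKey
"""
SAMPLE_LOG = """\
May 20 03:14:07 router dropbear[1234]: Child connection from 101.99.91.151:40210
May 20 03:14:09 router dropbear[1234]: Pubkey auth succeeded for 'admin' from 101.99.91.151:40210
May 20 08:02:44 router dropbear[1301]: Child connection from 192.168.50.20:51000
"""

def rogue_keys(authorized_keys: str) -> List[str]:
    """Lines of authorized_keys that begin with the campaign's key prefix."""
    return [ln.strip() for ln in authorized_keys.splitlines()
            if ln.strip().startswith(KEY_PREFIX)]

def port_finding(port: int) -> Optional[str]:
    """Describe why the SSH port is suspicious, or None if it is the default."""
    if port == BACKDOOR_PORT:
        return f"SSH on port {port}: the port used by this campaign"
    if port != 22:
        return f"SSH on port {port}: non-standard, confirm it was set deliberately"
    return None

def log_hits(log_text: str) -> List[str]:
    """Log lines in which any address is one of the listed suspicious IPs."""
    return [ln for ln in log_text.splitlines()
            if SUSPICIOUS_IPS.intersection(IP_RE.findall(ln))]

def audit(authorized_keys: str, ssh_port: int, log_text: str) -> List[str]:
    """Run the three checks from the post and return one list of findings."""
    findings = [f"rogue key: {k[:44]}..." for k in rogue_keys(authorized_keys)]
    port = port_finding(ssh_port)
    if port:
        findings.append(port)
    findings.extend(f"log: {ln}" for ln in log_hits(log_text))
    return findings
```

Feed audit() the device's real authorized_keys contents, configured SSH port and log text; the constructed samples above yield four findings (one key, the port, two log lines).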

For small businesses relying on consumer-grade networking gear, this is a wake-up call: you may be exposed without even knowing it. At Cost+, we recommend regular firmware patching, network monitoring, and migrating to business-class network appliances with managed security support.

Schedule Your Free Security Check Today

If you’re unsure whether your routers are secure—or need help evaluating your network for hidden vulnerabilities—schedule a free cybersecurity assessment with our team today.

May 29, 2025 | 2025-06-22T15:57:08-05:00

Attackers Are Exploiting Microsoft Teams for Internal Phishing

A new tactic is turning trusted collaboration tools into delivery channels for malicious links and impersonation attempts.

The threat is coming from inside the organization

Microsoft Teams has become a core communication platform for businesses, replacing much of what used to take place over email. But attackers are now using this trust to their advantage—sending phishing links and malicious files from inside Teams itself.

In these attacks, cybercriminals gain access to a legitimate Microsoft 365 account—often through credential theft or infostealer malware—and then use that account to message coworkers through Teams. Because the message comes from a trusted internal user, the link is often clicked without hesitation.


Why these attacks are harder to detect

Unlike email, Teams messages are not subject to the same filtering or inspection by traditional security gateways. Most organizations trust internal Teams traffic by default. That makes it easier for attackers to deliver malicious payloads or redirect users to fake login pages without triggering alerts.

These messages are often simple: “Can you review this doc?” or “Is this invoice correct?” They rely on speed, familiarity, and the casual tone of chat communication to lower defenses.

What businesses can do right now

Start by treating Microsoft Teams as an extension of your threat surface. If your organization uses Microsoft 365, verify that Teams is included in your security monitoring stack and that audit logging is enabled.

Security policies should be updated to include messaging platforms—not just email. Users should be trained to question unexpected links or file shares, even if they come from colleagues. Where possible, use conditional access policies to limit risky login behavior, and enable multifactor authentication across all accounts.

While Teams offers productivity benefits, it also creates a pathway for lateral movement once an attacker is inside your environment. Treating chat traffic as inherently trustworthy is no longer a safe assumption.

By Thomas McDonald
Vice President

May 26, 2025 | 2025-06-22T16:16:38-05:00

QR Code Phishing Is Spreading Across Physical and Digital Channels

A look at how cybercriminals are turning QR codes into credential traps—and what businesses can do to reduce exposure.

A familiar tool is being weaponized

QR codes have become a routine part of daily business. They’re used for contactless check-ins, payment processing, document access, and marketing materials. But the convenience that makes QR codes so widely adopted also makes them exploitable.

Threat actors are now embedding malicious links in QR codes—both in emails and in physical materials like posters, mailers, and fake notices. The goal is simple: direct users to a spoofed login page that captures their credentials, often under the guise of document sharing, payment confirmation, or identity verification.


What makes QR-based phishing effective

Unlike traditional phishing emails, QR code attacks don’t contain visible links or attachments. Users scan them with personal mobile devices, which often lack corporate security tools. This bypasses many of the protections in place on company-managed desktops and laptops.

Attackers rely on urgency, familiarity, and poor verification habits. A code may appear in a building lobby, a parking ticket, a service renewal notice, or even as a response to a job application. These tactics exploit environments where people are least likely to question what they’re scanning.

How businesses can reduce risk

Organizations should begin by educating staff on QR-related risks. Employees should be taught to avoid scanning codes from unfamiliar or unverified sources, especially those urging immediate action.

IT teams can take further steps by restricting access to personal devices on the corporate network and reviewing how QR codes are used in internal processes, signage, and customer-facing materials.

In environments with mobile device management (MDM), policies can be configured to scan or isolate web activity initiated from QR codes. For highly targeted industries—legal, healthcare, finance—physical security and visual signage policies should be reviewed, especially in shared or public-facing spaces.

The threat is low-tech in appearance but high-impact in execution. Training and operational vigilance are key.

Have questions? Contact us. We’re happy to help.

By Thomas McDonald
Vice President

May 26, 2025 | 2025-06-22T15:50:14-05:00

Infostealer Malware Is Fueling Business Email Compromise — Here’s What’s Changing

A closer look at how credential theft is reshaping BEC attacks and what businesses need to do now to stay ahead.

Attacks are no longer limited to spoofed emails

Business Email Compromise (BEC) used to rely on tricking users with fake invoice requests or urgent emails from impersonated executives. While those tactics still exist, the landscape is shifting.

Attackers are increasingly using infostealer malware—lightweight programs that quietly extract saved browser credentials, cookies, and tokens. Once installed, even briefly, these tools give attackers access to real email accounts, often without triggering alarms.

The result is a growing wave of BEC attacks that don’t spoof anyone—they use actual inboxes.


What’s happening behind the scenes

Infostealer logs are bought and sold on dark web marketplaces. They include usernames, passwords, session cookies, and autofill data harvested from infected machines—often without detection. Once attackers gain access to a business email account, they monitor conversations, create hidden inbox rules, and impersonate internal stakeholders or vendors to redirect payments or initiate fraudulent transfers. These messages originate from real accounts, making them far harder to detect than traditional spoofing attempts.

Why this matters now

The surge in infostealer use has created a supply chain of compromise: initial infection, credential resale, and ultimately a targeted BEC attack. Many businesses discover the problem only after money is lost, a vendor relationship is damaged, or legal exposure surfaces.

Traditional email security filters don’t stop this. Once credentials are stolen, attackers bypass filtering entirely by logging in directly. While multifactor authentication (MFA) can help, inconsistent enforcement and token-based session hijacking can reduce its effectiveness.

What organizations should do next

Organizations should begin by enforcing MFA across all cloud platforms and user accounts. Endpoint tools should be in place to detect infostealer activity, such as unauthorized file access or suspicious outbound connections. It’s also important to review mailbox rules for any unexpected forwarding or folder manipulation, and to disable legacy protocols like IMAP and POP3, which are often exploited in these attacks.

Teams should also consider monitoring for dark web exposure or working with vendors who alert them when their credentials appear in breach data. The earlier a compromise is detected, the better the chances of avoiding a full-blown attack.
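The mailbox-rule review recommended above, as an added example (not code from the original post): it flags the hidden-rule patterns described earlier, namely forwarding to outside addresses, moving payment-related mail into folders nobody reads, deleting it, and blank rule names. The rule records, their field names and INTERNAL_DOMAIN are constructed assumptions standing in for whatever your tenant's inbox-rule export looks like.

```python
from typing import Any, Dict, List

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# Folders attackers move replies into so the real user never sees them, and
# terms that mark a rule as aimed at payment traffic rather than housekeeping.
HIDE_FOLDERS = {"rss subscriptions", "deleted items", "conversation history",
                "archive", "junk email"}
FRAUD_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}

def rule(name: str, **overrides: Any) -> Dict[str, Any]:
    """Build one rule record in the constructed export format used here."""
    r: Dict[str, Any] = {"name": name, "forward_to": [], "move_to": None,
                         "delete": False, "mark_read": False,
                         "subject_contains": [], "body_contains": []}
    r.update(overrides)
    return r

# Constructed sample export: one benign rule and two shaped like BEC tradecraft.
SAMPLE_RULES = [
    rule("Newsletters", subject_contains=["newsletter"], move_to="Newsletters"),
    rule(".", body_contains=["invoice", "payment"], move_to="RSS Subscriptions",
         mark_read=True),
    rule("Backup", subject_contains=["invoice"], delete=True,
         forward_to=["finance-backup@mail-archive.example.net"]),
]

def review_rule(r: Dict[str, Any]) -> List[str]:
    """Reasons this rule deserves a second look; an empty list means none."""
    reasons: List[str] = []
    external = [a for a in r["forward_to"]
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if r["move_to"] and r["move_to"].lower() in HIDE_FOLDERS:
        reasons.append(f"moves mail into '{r['move_to']}' where it will not be noticed")
    if r["delete"]:
        reasons.append("deletes matching mail")
    hits = {t.lower() for t in r["subject_contains"] + r["body_contains"]} & FRAUD_TERMS
    if hits:
        reasons.append("targets payment-related terms: " + ", ".join(sorted(hits)))
    if not r["name"].strip(" .-_"):
        reasons.append("name is blank or punctuation only, a common hiding trick")
    if r["mark_read"] and (r["move_to"] or r["delete"]):
        reasons.append("marks mail read before hiding it")
    return reasons

def review(rules: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    findings = {r["name"]: review_rule(r) for r in rules}
    return {name: why for name, why in findings.items() if why}
```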

May 25, 2025 | 2025-06-22T16:04:22-05:00