Thousands of ASUS Routers Compromised in Global Cyberattack

A stealthy cyberattack has compromised over 9,000 ASUS routers worldwide, granting attackers persistent control over these devices, as discovered by cybersecurity firm GreyNoise.

The attackers employed advanced techniques to infiltrate ASUS routers, achieving access that persists even after device reboots and firmware updates. By exploiting known vulnerabilities and leveraging legitimate configuration features, they maintained control without deploying traditional malware, making detection exceedingly difficult.

GreyNoise’s investigation revealed that the attackers used a combination of authentication bypasses and system feature abuses to establish a durable foothold. This level of sophistication suggests involvement by a well-resourced and highly capable adversary, possibly linked to advanced persistent threat (APT) groups.

The compromised routers appear to be part of a larger effort to assemble a distributed network of backdoor devices, potentially forming a botnet. Such networks can be used for various malicious activities, including launching distributed denial-of-service (DDoS) attacks, distributing malware, or facilitating espionage operations.

This incident is reminiscent of previous campaigns like TheMoon and Cyclops Blink, which also targeted ASUS routers to create proxy networks for cybercriminal activities.

ASUS has acknowledged the vulnerabilities exploited in this campaign and has released firmware updates to address them. Users are strongly advised to:

• Perform a full factory reset of their ASUS routers.
• Manually reconfigure the device settings.
• Install firmware updates released on or after May 27, 2025.
• Disable remote management features if not needed.

Cybersecurity experts emphasize the importance of regular firmware updates, strong authentication practices, and disabling unnecessary remote access features to safeguard against such threats.