
Over 9,000 ASUS routers have been compromised by the “AyySSHush” botnet, which installs persistent SSH backdoors to maintain access. The campaign also targets SOHO routers from Cisco, D-Link, and Linksys, exploiting known vulnerabilities like CVE-2023-1389 (TP-Link) and CVE-2025-32756 (Fortinet) [1]. This attack highlights the risks of unpatched network devices in enterprise environments.
Botnet Tactics and Infrastructure
The AyySSHush botnet (also tracked as “Ballista”) uses dual malware payloads—Alogin and TheMoon—to establish persistence. It abuses legitimate services like telnet and microsocks proxy, with newer variants employing TOR-based command-and-control (C2) servers [2]. The botnet primarily targets ASUS RT-AC66U and AC68U routers, with infections concentrated in Brazil, Poland, and the UK [3].
Attackers leverage compromised routers for SSH brute-forcing, data exfiltration, and as proxies for DDoS attacks. The NCSC-NL has published a scanner to detect ASUS router malware, available on GitHub [4]. GreyNoise analysis of 23 billion network entries confirms the botnet’s use of VPN features like ASUS’s VPN Fusion for persistence [5].
Mitigation and Detection
Immediate actions include disabling remote access (SSH/telnet) and updating firmware using ASUS’s security advisory [6]. Long-term recommendations involve replacing end-of-life routers with VPN-capable alternatives like ExpressVPN Aircove. The following table summarizes key vulnerabilities exploited:

| CVE | Affected Devices | Patch Status |
|---|---|---|
| CVE-2023-1389 | TP-Link routers | Patched (verify firmware) |
| CVE-2025-32756 | FortiVoice systems | Urgent update required |
For network defenders, monitoring SSH login attempts and reviewing ASUS router configurations for unauthorized changes is critical. The NCSC-NL scanner can identify compromised devices through signature-based detection of known malware variants.
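As an added example (not code from the article, NCSC-NL, or ASUS), the script below audits an ASUSWRT-style `nvram show` dump for the exposures described above: SSH reachable from the WAN, password logins, telnet enabled, and authorized SSH keys that are not in the operator's baseline. The nvram key names (`sshd_enable`, `sshd_wan`, `sshd_pass`, `sshd_authkeys`, `telnetd_enable`) and the `>` key separator are assumptions about the ASUSWRT format, and the dump and baseline are constructed sample data.

```python
# Added example: audit a router nvram dump for remote-access exposure and
# unknown SSH keys. The nvram key names and the '>' separator used by
# sshd_authkeys are ASSUMPTIONS about the ASUSWRT format; verify on your
# own firmware. The dump and baseline below are constructed, not real data.

# Constructed sample dump: SSH open to WAN with password auth, telnet on,
# and an authorized key the operator never installed.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_wan=1
sshd_port=22
sshd_pass=1
sshd_authkeys=ssh-ed25519 AAAAconstructedKey1 admin@laptop>ssh-rsa AAAAconstructedKey2 unknown-origin
telnetd_enable=1
lan_ipaddr=192.168.50.1
"""

# Baseline of keys the operator knowingly installed (constructed).
KNOWN_KEYS = {"ssh-ed25519 AAAAconstructedKey1 admin@laptop"}


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse `key=value` lines; values may themselves contain '='."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict[str, str], known_keys: set[str], sep: str = ">") -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if settings.get("sshd_enable", "0") != "0":          # SSH service is on
        if settings.get("sshd_wan") == "1":
            findings.append("SSH reachable from WAN (sshd_wan=1)")
        if settings.get("sshd_pass") == "1":
            findings.append("SSH password logins allowed (sshd_pass=1)")
        # Flag every authorized key that is not in the known baseline.
        for key in filter(None, settings.get("sshd_authkeys", "").split(sep)):
            if key not in known_keys:
                findings.append(f"authorized key not in baseline: {key}")
    if settings.get("telnetd_enable") == "1":
        findings.append("telnet service enabled (telnetd_enable=1)")
    return findings


def audit_dump(dump: str, known_keys: set[str]) -> list[str]:
    """Convenience wrapper: parse a raw dump and audit it in one call."""
    return audit(parse_nvram(dump), known_keys)


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_NVRAM, KNOWN_KEYS):
        print("FINDING:", finding)
```

Run it against a dump captured from the router itself and keep the baseline set under version control so a newly appearing key stands out on the next audit.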
Broader Implications
This campaign demonstrates how botnets increasingly target SOHO devices as entry points into corporate networks. The abuse of VPN functionalities shows attackers adapting to common security measures. Organizations should implement layered defenses combining AI behavioral analysis with traditional signature-based tools [7].
Recent developments include the botnet’s use of GSocket tooling, previously observed in Indonesian gambling campaigns to bypass firewalls [8]. This highlights the need for continuous monitoring of emerging TTPs across different threat actor groups.
Conclusion
The AyySSHush botnet represents a significant threat to organizations using vulnerable SOHO routers. Regular firmware updates, network segmentation, and monitoring of router configurations remain essential defenses. Security teams should prioritize reviewing ASUS router logs for signs of compromise and consider dedicated VPN router solutions for critical infrastructure.
References
- “Botnet hacks 9k ASUS routers,” BleepingComputer, [Online]. Available: https://www.bleepingcomputer.com/news/security/botnet-hacks-9k-asus-routers
- GreyNoise, “AyySSHush Botnet Analysis,” [Online]. Available: https://www.youtube.com/watch?v=oPKhkH33ilo
- NCSC-NL, “Consumer routers targeted by multiple botnets,” [Online]. Available: https://english.ncsc.nl/latest/weblog/2024/consumer-routers-targeted-by-multiple-botnets
- NCSC-NL, “ASUS Router Malware Scanner,” GitHub. [Online]. Available: https://github.com/NCSC-NL/asusrouter-malware-scan
- ASUS, “VPN Fusion Feature Guide,” [Online]. Available: https://www.asus.com/support/faq/1050842
- ASUS Security Advisory, [Online]. Available: https://www.asus.com/content/asus-product-security-advisory/
- Imperva, “GSocket Campaign Analysis,” [Online]. Available: https://www.imperva.com/blog/how-hackers-use-php-backdoors-and-gsocket-to-facilitate-illegal-gambling-in-indonesia
- “Best VPN for ASUS Router,” Cloudwards, [Online]. Available: https://www.cloudwards.net/best-vpn-for-asus-router