
GreyNoise has revealed a stealthy, long-running exploitation campaign targeting thousands of ASUS routers, laying the foundation for what may become a botnet. The attackers have achieved persistent, unauthorized access without relying on malware — and in a way that survives reboots and even firmware updates.
“This appears to be part of a stealth operation to assemble a distributed network of backdoor devices,” GreyNoise warns.
The campaign was first identified by Sift, GreyNoise’s proprietary AI-powered payload analysis tool. On March 17, 2025, Sift flagged just three anomalous HTTP POST requests to ASUS router endpoints. These faint signals, buried within global traffic, were enough to trigger an investigation that unraveled a broader, more insidious campaign.
“Without emulated profiles and deep inspection, this attack would likely have remained invisible,” GreyNoise states.
GreyNoise researchers used fully emulated ASUS router profiles running factory firmware to replicate the attack, inspect the backdoor mechanism, and assess its persistence. This rigorous approach revealed the exploitation sequence and confirmed the attackers’ ability to gain long-term access.
The attack follows a multi-step exploitation chain that reflects advanced knowledge of ASUS systems and a meticulous focus on stealth:
- Initial Access: Brute-force login attempts and two undocumented authentication bypasses (no CVEs assigned) allow initial compromise.
- Command Execution: Attackers exploit CVE-2023-39780, a command injection vulnerability, to run arbitrary commands on the router.
- Persistence: Legitimate ASUS features are used to:
  - Enable SSH access on a custom port (TCP/53282).
  - Insert an attacker-controlled SSH public key.
  - The resulting configuration is stored in non-volatile memory (NVRAM) — surviving firmware upgrades and device reboots.
- Stealth:
  - Logging is disabled before persistence is established.
  - No malware is installed, and no forensic footprint is left behind.
“The attacker maintains long-term access without dropping malware or leaving obvious traces… abusing legitimate configuration features.”
As of May 27, 2025, Censys data confirmed that nearly 9,000 ASUS routers had been compromised — with the number still climbing. While Censys shows which assets are exposed to the internet, GreyNoise reveals which of those are actively targeted or exploited.
“GreyNoise sensors saw just 30 related requests across three months, demonstrating how quietly this campaign is operating.”
The threat actors appear to be building a foundation for operational relay box (ORB) networks — infrastructure commonly associated with Advanced Persistent Threat (APT) groups.
“While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
ASUS has patched CVE-2023-39780 and addressed the undocumented login bypass techniques in recent firmware updates. However, routers compromised before patching remain vulnerable unless SSH settings are manually reviewed.
GreyNoise recommends:
- Scan for SSH access on TCP port 53282.
- Inspect the authorized_keys file for unauthorized entries.
- Block the associated IP addresses.
- If compromise is suspected, perform a full factory reset and reconfigure manually.
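As an added example (not GreyNoise's or ASUS's code), the following Python audits the two indicators above offline: it fingerprints each entry in a captured authorized_keys file and reports any not on the administrator's allowlist, and it checks an nvram-style dump for SSH enabled on TCP/53282. The sample keys are constructed random blobs, and the sshd_enable/sshd_port variable names are assumed ASUSWRT conventions, not values taken from the article.

```python
import base64
import hashlib

SUSPICIOUS_SSH_PORT = 53282  # custom SSH port reported for this campaign

def _blob(seed: bytes) -> str:
    # Constructed stand-in for a public-key blob (random bytes, not a real key).
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

ADMIN_KEY = f"ssh-ed25519 {_blob(b'admin')} admin@lan"
ROGUE_KEY = f'command="/bin/sh" ssh-rsa {_blob(b"rogue")}'  # no comment, forced command
SAMPLE_AUTHORIZED_KEYS = f"# managed by admin\n{ADMIN_KEY}\n\n{ROGUE_KEY}\n"

# Constructed nvram-style dump; sshd_enable/sshd_port are assumed ASUSWRT variable names.
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nwan_proto=dhcp\n"

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (fingerprint, key_type, comment) for every key line, skipping comments."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # An options prefix (command=, from=, ...) may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or len(tokens) < idx + 2:
            continue
        yield fingerprint(tokens[idx + 1]), tokens[idx], " ".join(tokens[idx + 2:])

def unauthorized_keys(text: str, approved: set) -> list:
    """Fingerprints present in authorized_keys but absent from the admin allowlist."""
    return [fp for fp, _, _ in parse_authorized_keys(text) if fp not in approved]

def ssh_on_suspicious_port(nvram_dump: str) -> bool:
    """True when the dump shows sshd enabled on the campaign's custom port."""
    cfg = dict(l.split("=", 1) for l in nvram_dump.splitlines() if "=" in l)
    return cfg.get("sshd_enable") == "1" and cfg.get("sshd_port") == str(SUSPICIOUS_SSH_PORT)

if __name__ == "__main__":
    approved = {fingerprint(_blob(b"admin"))}
    print("rogue keys:", unauthorized_keys(SAMPLE_AUTHORIZED_KEYS, approved))
    print("ssh on 53282:", ssh_on_suspicious_port(SAMPLE_NVRAM))
```

Feed it the router's real authorized_keys contents and an `nvram show` dump captured over a trusted session; any fingerprint it reports that you did not provision is grounds for the factory reset recommended above.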