Asus Routers Targeted by Stealth Backdoor Attacks

Security researchers have uncovered a large-scale, stealthy backdoor campaign targeting home and small-office Asus routers. The operation, tracked under the codename ViciousTrap, enables SSH on a non-standard port and installs an attacker-controlled public key that grants root access. Because the change is stored as router configuration rather than as a file, it survives reboots and firmware updates. GreyNoise assesses the operator as well-resourced and highly capable; nation-state involvement is suspected but has not been confirmed.
Overview of the ViciousTrap Campaign
First flagged by GreyNoise in mid-March 2025, the campaign chains several weaknesses in ASUSWRT firmware, some of which were never assigned CVE IDs, to install a public SSH key on compromised devices. Internet-wide scans by Censys counted roughly 9,000 affected routers in late May 2025 and more than 12,000 since; activity seen by Sekoia corroborates the campaign.
Attack Mechanism and Technical Deep Dive
- Initial Exploitation: Attackers first get past the web administration login, by brute-forcing credentials or by abusing authentication bypasses, and then use CVE-2023-39780 (an authenticated command injection in ASUSWRT) together with at least two other untracked flaws. Because ASUSWRT runs its web service as root, the injected commands execute as root; no separate privilege-escalation step is needed.
- SSH Key Implantation: With root, the attacker uses the router's own SSH feature rather than a modified daemon: SSH is switched on, bound to TCP port 53282, and the attacker's public key is written into the authorized-keys setting that ASUSWRT keeps in NVRAM. The stock dropbear SSH server then accepts the key, and the administration interface shows nothing out of the ordinary unless the owner opens the SSH settings page.
- Persistence: Nothing is hooked into the boot or firmware-update process. The SSH port and key are ordinary ASUSWRT settings in NVRAM, which the router re-applies on every boot and which official firmware updates preserve, so the access simply comes back after each reboot and carries across upgrades.
No malware binary is written to the filesystem, so file-based scanning and firmware-image integrity checks find nothing; the only artefacts are configuration values that look like deliberate administrator choices.
Durability and Persistence: Firmware Resurrection Explained
The backdoor's resilience comes from not touching the firmware at all. The SSH port and authorized key are ordinary ASUSWRT configuration values held in NVRAM, the same store that keeps the Wi-Fi password and administrator settings. ASUSWRT re-applies NVRAM settings early in init on every boot, and official firmware updates deliberately preserve them so that users do not have to reconfigure the router, which means the attacker's SSH access is restored after each reboot and carried into a firmware version that already patches CVE-2023-39780. The same mechanism is its weak point: a full factory reset clears NVRAM and removes the backdoor, which is why GreyNoise recommends a factory reset and manual reconfiguration, not merely an update, for any device showing the indicators.
Global Impact and Latest Detection Metrics
- Countries most affected: Brazil, India, United States, Vietnam, Russia.
- Top compromised models: DSL-AC88U, RT-AC68U, RT-AX58U, and more recent Wi-Fi 6 routers.
- Infection growth rate: Approximately 500 devices per week since March 2025.
No malicious payloads beyond the SSH key have been observed, suggesting preparatory stages for a larger botnet or targeted espionage.
Mitigation Strategies and Best Practices
- Upgrade Firmware, Then Reset: Apply the latest ASUSWRT update from the official website or the auto-update system to close the entry vector, but do not rely on the update alone. If the device shows any of the indicators below, perform a full factory reset, which clears NVRAM, and reconfigure it by hand; do not restore a saved configuration backup, since the backup would carry the attacker's settings back.
- Audit SSH Settings: In the router GUI's SSH settings, check whether SSH is enabled at all, which port it listens on (53282 is the campaign's port), and whether it is reachable from the WAN. Remove any authorized public key you did not install yourself.
- Review Logs: Check the system log for connections from the known malicious IPs (e.g., 101.99.91.151, 111.90.146.237). An attacker with root access can disable or truncate logging, so an empty log is not evidence of a clean device.
- Implement Network Segmentation: Place IoT and non-critical devices on separate VLANs to limit lateral movement if the router or another device is compromised.
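The following audit script is an added example written for this article; it is not GreyNoise or ASUS tooling. It ties the persistence mechanism described above (SSH port and authorized key held as NVRAM settings) to the SSH-settings and log checks just listed: it reads an `nvram show` dump and a system log saved to files and reports the port 53282 setting, any authorized key not on an owner-supplied known list, and log lines naming the indicator addresses. The NVRAM variable names `sshd_enable`, `sshd_port` and `sshd_authkeys` are assumed (they are the names ASUSWRT-Merlin uses), and the sample dump and log lines are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not GreyNoise or ASUS code: audit an ASUSWRT router for the
# SSH-backdoor indicators from the article, using an `nvram show` dump and the
# system log saved to files (on the router: `nvram show > /tmp/nvram.txt`).
#
# Assumptions not taken from the article: the NVRAM variable names
# sshd_enable, sshd_port and sshd_authkeys (as used by ASUSWRT-Merlin), and the
# dropbear log-line format used in the constructed sample at the bottom.

BACKDOOR_PORT=53282                          # from the article
IOC_IPS="101.99.91.151 111.90.146.237"       # from the article
KNOWN_KEY_COMMENTS="${KNOWN_KEY_COMMENTS:-}" # comments of keys you installed yourself

# nvram_value DUMP NAME: print NAME's value from a "name=value" dump (first match).
nvram_value() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# audit_nvram DUMP: print findings; the exit status is the number of findings.
audit_nvram() {
    dump=$1; findings=0

    enable=$(nvram_value "$dump" sshd_enable)
    port=$(nvram_value "$dump" sshd_port)
    if [ -n "$enable" ] && [ "$enable" != "0" ]; then
        echo "INFO: SSH service is enabled (sshd_enable=$enable, sshd_port=${port:-unset})"
    fi
    if [ "$port" = "$BACKDOOR_PORT" ]; then
        echo "FINDING: sshd_port=$port is the port used by the campaign"
        findings=$((findings + 1))
    fi

    # An authorized key is "type base64 [comment]". The comment is the only
    # handle an owner has for recognising a key they installed themselves, so
    # any key whose comment is not on the known list is reported.
    keys=$(nvram_value "$dump" sshd_authkeys)
    if [ -n "$keys" ]; then
        ktype=$(printf '%s\n' "$keys" | cut -d' ' -f1)
        kcomment=$(printf '%s\n' "$keys" | cut -d' ' -f3-)
        kcomment=${kcomment:-"(no comment)"}
        case " $KNOWN_KEY_COMMENTS " in
            *" $kcomment "*) echo "INFO: authorized key '$kcomment' ($ktype) is on the known list" ;;
            *) echo "FINDING: unrecognised authorized key '$kcomment' ($ktype) in sshd_authkeys"
               findings=$((findings + 1)) ;;
        esac
    fi
    return $findings
}

# audit_log LOG: print log lines naming an indicator address; the exit status
# is the number of matching lines. A fixed-string match is used, so a line
# mentioning a longer address with the same prefix would also be reported.
audit_log() {
    log=$1; hits=0
    for ip in $IOC_IPS; do
        n=$(grep -c -F "$ip" "$log" || true)
        if [ "$n" -gt 0 ]; then
            grep -F "$ip" "$log" | sed "s/^/FINDING: contact with IOC $ip: /"
            hits=$((hits + n))
        fi
    done
    return $hits
}

# Constructed sample inputs (not real captures) so the audit runs without a router.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NVRAM="$SAMPLE_DIR/nvram.txt"
SAMPLE_LOG="$SAMPLE_DIR/system.log"
cat > "$SAMPLE_NVRAM" <<'EOF'
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_wan=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyNotARealKey attacker
EOF
cat > "$SAMPLE_LOG" <<'EOF'
May 21 02:14:07 dropbear[2281]: Child connection from 101.99.91.151:50124
May 21 02:14:09 dropbear[2281]: Pubkey auth succeeded for 'admin' from 101.99.91.151:50124
May 21 02:14:11 dropbear[2281]: Exit (admin): Disconnect received
May 22 11:03:55 dropbear[3310]: Child connection from 111.90.146.237:41877
May 22 11:05:00 rc_service: httpd 531:notify_rc restart_firewall
EOF

audit_nvram "$SAMPLE_NVRAM"; echo "nvram findings: $?"
audit_log "$SAMPLE_LOG"; echo "log findings: $?"
```

On a real router, set `KNOWN_KEY_COMMENTS` to the comment strings of keys you installed, then run `audit_nvram` on the dump and `audit_log` on the log exported from the System Log page; a non-zero exit from either is the signal to factory-reset rather than just update. Keys are matched by their comment because that is all the owner can recognise by eye; an attacker who copies your comment would slip past this check, so treat a "known" result on a device that already shows the port finding with suspicion.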
For enterprise and advanced home users, reflashing supported models with community-maintained firmware such as OpenWrt, or replacing consumer routers outright, and enrolling devices in a network monitoring platform can further reduce risk.
Expert Commentary and Future Outlook
Dr. Elena Martinez, senior research scientist at CyberGuard Labs, notes: “This campaign signals a shift toward supply-chain style persistence. We expect similar techniques in other leading router brands.”
Kevin O’Leary, network security lead at SecureNet, adds: “Nation-state actors are investing heavily in firmware-level implants. Detection will require firmware integrity verification and zero-trust network principles.”
As IoT devices proliferate and support for legacy router models dwindles, users must remain vigilant and adopt robust security hygiene. The ViciousTrap operation may well be a harbinger of future large-scale firmware attacks on consumer hardware.