Asus Routers Under Siege: AyySSHush Botnet Unleashes Digital Havoc
Asus routers have become the latest stars of a new botnet, AyySSHush, aiming to disable Trend Micro security features. GreyNoise discovered this drama in March, revealing an advanced adversary exploiting vulnerabilities for backdoor access. Even firmware updates won’t erase the mischief, leaving users with a factory reset as their encore.

Hot Take:
Looks like Asus routers have taken a vacation to Botnet Island where they sip on their Trend Micro-flavored security cocktails while the AyySSHush botnet throws a wild party! Who knew routers could get up to such mischief? If only they came with a “No Unauthorized Partying” setting!
Key Points:
- A new botnet, AyySSHush, targets Asus routers, exploiting vulnerabilities for backdoor access.
- GreyNoise discovered over 8,000 infected routers but delayed public disclosure to work with authorities.
- The botnet disables security features like Trend Micro’s AiProtection to remain undetected.
- Attackers exploit old authentication bypass bugs and a specific vulnerability (CVE-2023-39780).
- Updating firmware alone won’t remove the backdoor; users may need to perform a factory reset.
Router Rave: The AyySSHush Edition
Asus routers are living their best lives, apparently hosting a botnet bash courtesy of the AyySSHush gang. These routers aren’t just sitting pretty on your shelf; they’re busy disabling the very security features meant to protect them. Trend Micro’s AiProtection? More like Ai-ByeProtection. The botnet’s been working hard since March, and with over 8,000 routers under its spell, it seems like they’re having a grand old time.
GreyNoise’s Slow Reveal: Like A Fine Wine
GreyNoise might be the Sherlock Holmes of the cyber world, but even they needed a few months to gather their thoughts and share the juicy details on AyySSHush. You can’t rush a good investigation, especially when you’re working with governments and industry partners. This botnet business is serious stuff, but at least we get to appreciate the artistry of these cyber criminals. Well-resourced and advanced, they rival the greats! Move over, Ocean’s 11, it’s time for Botnets 8,000.
Botnet Engineering: A Masterclass in Persistence
These cyber ne’er-do-wells are all about the oldies but goodies, exploiting authentication bypass bugs that might’ve been gathering dust. They’re like the hipsters of cybercrime, bringing back the classics with a twist. With CVE-2023-39780 as their secret sauce, they’re running arbitrary commands like it’s nobody’s business. Forget the latest firmware updates; these guys are making sure their party never ends.
Security Features? More Like Security Suggestions
Once the botnet’s in, it’s like a bad roommate that just won’t leave. Disabling logging and AiProtection is just the tip of the iceberg. By adding an attacker-controlled public key, they ensure exclusive SSH access. It’s like they’ve built their own secret passage straight into your router’s heart. And because they’ve gone through official channels—using Asus features—this backdoor sticks around through firmware upgrades. Talk about commitment!
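As an added example (not part of the original article, nor GreyNoise’s or Asus’s tooling), here is a small Python audit that applies the traits described above to an `nvram show`-style dump from a router: AiProtection switched off, the SSH service enabled, and an authorized key whose fingerprint is not on your own allowlist. The NVRAM variable names and the `>` separator between keys are assumptions about Asus firmware, and the sample dump is constructed.

```python
import base64
import hashlib

# Assumed NVRAM variable names (hypothetical; confirm against your firmware).
VAR_SSH_ENABLE = "sshd_enable"
VAR_SSH_KEYS = "sshd_authkeys"      # assumed: several keys joined with '>'
VAR_AIPROTECT = "wrs_protect_enable"


def parse_nvram(dump: str) -> dict:
    """Turn 'name=value' lines (as printed by `nvram show`) into a dict."""
    out = {}
    for line in dump.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            out[name.strip()] = value.strip()
    return out


def fingerprint(pubkey: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys entry."""
    blob = pubkey.split()[1]  # second field is the base64 key body
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(nvram: dict, trusted: set) -> list:
    """Return findings for the persistence traits the write-up describes."""
    findings = []
    if nvram.get(VAR_AIPROTECT, "1") == "0":
        findings.append("AiProtection disabled")
    if nvram.get(VAR_SSH_ENABLE, "0") != "0":
        findings.append("SSH service enabled (value %s)" % nvram[VAR_SSH_ENABLE])
    for key in filter(None, nvram.get(VAR_SSH_KEYS, "").split(">")):
        fp = fingerprint(key)
        if fp not in trusted:  # any key you did not install yourself
            findings.append("untrusted SSH key " + fp)
    return findings


# Constructed sample: one admin key plus one injected key (fake key bodies).
def _fake_key(seed: bytes, comment: str) -> str:
    body = base64.b64encode(seed.ljust(32, b"\0")).decode()
    return "ssh-ed25519 %s %s" % (body, comment)


ADMIN_KEY = _fake_key(b"admin", "admin@laptop")
ROGUE_KEY = _fake_key(b"rogue", "")
SAMPLE_DUMP = "wrs_protect_enable=0\nsshd_enable=1\n%s=%s>%s\n" % (
    VAR_SSH_KEYS, ADMIN_KEY, ROGUE_KEY)

if __name__ == "__main__":
    for finding in audit(parse_nvram(SAMPLE_DUMP), {fingerprint(ADMIN_KEY)}):
        print(finding)
```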
Similar Yet Different: The ViciousTrap Connection
While GreyNoise was busy decoding AyySSHush, French researchers at Sekoia were on their own adventure, documenting something they dubbed ViciousTrap. This campaign, targeting SOHO routers, seems to share some similarities, though it casts a wider net with over 50 manufacturers in its sights. It’s like a cyber soap opera with overlapping plotlines, but one thing’s for sure: these attacks are no joke. Even the French are raising an eyebrow at what appears to be a Chinese-speaking origin story.
A Typhoon By Any Other Name
The mysterious attackers might just belong to one of Microsoft’s Typhoons—sounds like a band name, right? With Salt and Volt Typhoons already on the roster, AyySSHush could be the next big hit in this cybercrime rock band. GreyNoise has dropped hints, and the Typhoon naming convention suggests there’s a storm brewing in the cyber world.
Patch It Up, But Don’t Forget the Reset
Asus has patched the vulnerabilities, but alas, the SSH backdoor is a stubborn little bugger. Users are urged to look for signs of compromise, and if they’re feeling unsure, the good old factory reset might just be their best friend. It’s the equivalent of hitting the reset button on your entire digital life. If only it were that easy to reset 2020, right?
Asus, Are You There? It’s Me, The Register
The Register tried to get a word out of Asus, but it seems like their routers aren’t the only ones ghosting. No comment for now, but fingers crossed they’re working on a solution so we can all sleep a little easier at night. In the meantime, perhaps it’s best to keep an eye on your devices and maybe, just maybe, consider an upgrade. After all, who wants to host a botnet party without an invitation?