Silent Breach: Over 9,000 Asus Routers Compromised in Stealth Botnet Attack ‘AyySSHush’

The420.in

A previously unknown botnet attack has been uncovered targeting Asus routers across the globe, compromising more than 9,000 devices using advanced stealth techniques that exploit system-level vulnerabilities. Dubbed ‘AyySSHush’, the attack allows long-term remote access to routers without deploying traditional malware, making it virtually undetectable through conventional cybersecurity measures.

First reported in March 2025 by cybersecurity firm GreyNoise, the attack abuses legitimate router features to embed itself deeply within device configurations. Even more concerning, the backdoor survives firmware upgrades and reboots, highlighting a new evolution in router-focused cyberwarfare that blends exploit precision with operational persistence.

Inside the Attack: Brute-Force, Backdoors, and Firmware Immunity

The campaign begins with brute-force login attempts and authentication bypasses targeting Asus routers running factory firmware. Once inside, attackers exploit CVE-2023-39780, a command injection vulnerability, to execute system-level commands. They then write persistent backdoor access into the router’s non-volatile memory (NVRAM)—a segment of memory that isn’t wiped during firmware upgrades or device reboots.

With control gained, attackers activate SSH access over an obscure port (TCP 53282) and insert their own public SSH keys, granting full remote command access. What makes the attack so stealthy is its use of native router functions combined with disabled system logging and AiProtection features, which ensure invisibility from both users and security tools.


A Measured Attack: Sparse Signals, Massive Reach

Though over 9,000 routers are confirmed compromised, GreyNoise’s AI-powered detection tool Sift identified only 30 malicious HTTP POST requests over a span of three months, showing how little traffic the campaign generates—indicative of its careful design to avoid detection.

GreyNoise and Censys, a device-mapping platform, collaborated to confirm that these routers were exposed to the internet and actively manipulated. Censys mapped the vulnerable devices; GreyNoise determined which ones were actively exploited. Their combined intelligence reveals a sobering portrait of how attackers now prefer longevity over velocity—embedding and watching quietly rather than overwhelming systems with noise.

Asus Responds: Firmware Patch Falls Short

In response, Asus has issued a firmware update addressing CVE-2023-39780 and some login bypass techniques. However, the company admits that the patch cannot eliminate the SSH-based backdoor already embedded into the device’s memory.

Cybersecurity experts now advise users to perform full factory resets and manually:

  • Check for SSH access on port 53282
  • Review the authorized_keys file
  • Block any suspicious IP addresses linked to the campaign
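
The first two manual checks listed above, as an added example (not code from the article, GreyNoise or Asus): it tests whether TCP 53282 accepts connections and flags entries in an exported copy of authorized_keys whose SHA256 fingerprint is not on an allowlist you supply. The router address 192.168.1.1, the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import socket

BACKDOOR_PORT = 53282  # TCP port named in the article
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # OpenSSH key type prefixes


def port_open(host, port=BACKDOOR_PORT, timeout=3.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fingerprint(b64_blob):
    """SHA256 fingerprint as `ssh-keygen -l` prints it, or UNPARSEABLE."""
    try:
        raw = base64.b64decode(b64_blob, validate=True)
    except ValueError:
        return "UNPARSEABLE"
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_keys(text):
    """Yield (key_type, fingerprint, comment) per entry, skipping any options field."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(KEY_TYPES):
                yield tok, fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                break
        else:  # no key type found: report the line instead of ignoring it
            yield "unknown", "UNPARSEABLE", line.strip()


def unexpected_keys(text, known_fingerprints):
    """Entries whose fingerprint is not on the administrator's allowlist."""
    return [k for k in parse_keys(text) if k[1] not in known_fingerprints]


if __name__ == "__main__":
    mine, odd = (base64.b64encode(s).decode() for s in (b"constructed-admin", b"constructed-other"))
    sample = f"ssh-ed25519 {mine} admin@laptop\nssh-rsa {odd}\n"  # constructed sample
    print("port open:", port_open("192.168.1.1"))  # assumed router LAN address
    print(unexpected_keys(sample, {fingerprint(mine)}))
```

Any entry the script reports is one to compare against keys you installed yourself; malformed lines are reported rather than skipped so nothing in the file goes unreviewed.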

“Firmware updates won’t save you this time,” said a GreyNoise analyst. “Once the attacker has written into non-volatile memory, it’s like they’ve etched themselves into the device.”

 
