Check your ASUS router for a hidden hack that survives reboots & updates

Asus Router Users, Be Aware of Hidden Hack Campaign

Users relying on Asus routers may still be exposed to a stealth backdoor campaign, even after updating firmware. According to cybersecurity firm GreyNoise, the campaign persists even after firmware updates. The firm disclosed its findings May 28 after coordinating with government and industry partners.

GreyNoise first discovered the campaign March 18, 2025, using its AI-powered network analysis tool, Sift. The system flagged anomalous HTTP POST requests targeting internet-facing Asus routers running factory firmware. The affected routers include the popular RT-AC3100, RT-AC3200, and RT-AX55 models.

Follow-up inspection revealed a discreet intrusion campaign that had avoided detection for months. Attackers used weak credentials and two authentication bypasses to access the system. Next, they exploited the patched Asus router vulnerability CVE-2023-39780 to execute commands. Instead of installing malware, they enabled SSH access on port 53282 using legitimate Asus settings and installed their SSH public key.

The changes were written to non-volatile memory, meaning the backdoor survives firmware updates and reboots. Logging was disabled before persistence was established, allowing the attack to fly under the radar. Advanced stealth suggests long-term planning by the attackers.

GreyNoise hasn't attributed the campaign to a specific group, but said the level of tradecraft is consistent with advanced persistent threat actors. The infrastructure appears designed for durable access, possibly as part of a broader command-and-control or relay network.

According to scanning data from Censys, more than 9,000 Asus routers showed signs of compromise as of May 27, with the number continuing to climb. IP indicators of compromise are available.

What Can You Do to Stay Safe?

GreyNoise recommends the following immediate actions for Asus router owners:

  • Check for SSH access on port TCP/53282
  • Review the authorized_keys file for unknown entries
  • Block the following IPs associated with the attack: 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237
  • If compromise is suspected, perform a full factory reset and reconfigure the device manually.
  • Regularly update your router's firmware to stay protected against known vulnerabilities
  • Disable remote management if you don't need access from outside your local network.
  • Persistently audit your router settings to identify unknown SSH keys, open ports, or unfamiliar configurations
  • Implement a network firewall, even a simple one, to block suspicious inbound and outbound traffic
  • Check manufacturer advisories from companies like Asus for updates or alerts about active threats

By following these best practices, you can significantly reduce your risk of router compromise.