Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Ongoing Botnet Campaign Targeting ASUS Routers
Alerts

Ongoing Botnet Campaign Targeting ASUS Routers

2 June 2025

There are reports of an ongoing botnet campaign targeting ASUS routers to deploy persistent Secure Shell (SSH) backdoors. Users and administrators of affected products are advised to upgrade to the latest versions as soon as possible.

Background:

There are reports of an ongoing botnet campaign exploiting known vulnerabilities in ASUS routers to deploy persistent Secure Shell (SSH) backdoors. Attackers combine brute-forcing login credentials, bypassing authentication, and exploiting an old command injection vulnerability (CVE-2023-39780) to add their own SSH public key. They then enable the SSH daemon to listen on the non-standard TCP port 53282, to retain backdoor access to the devices even between reboots and firmware updates.

Impact:

Successful exploitation of vulnerable routers could allow a remote attacker to gain full control of the device, establish persistent access via SSH, intercept network traffic, perform lateral movement into internal networks, and/or recruit devices into botnets.

Affected Products:

This campaign affects ASUS routers including the RT-AC3100, RT-AC3200, and RT-AX55 models.

Mitigation:

Users and administrators of affected products are advised to perform the following mitigation measures:

  • Upgrade to the latest versions as soon as possible

  • Disable remote administration features, especially access to the router’s management interface from the internet, unless absolutely necessary

  • Change all default administrative credentials to strong, unique passwords to reduce the risk of unauthorised access

  • Look for suspicious files and the addition of the attacker's SSH key (IoCs here) on the 'authorized_keys' file. If a compromise is suspected, perform a factory reset on the device and reconfigure it securely from scratch using a strong password, which should contain at least 12 characters comprising upper-case and lower-case letters, numbers and symbols

  • Add the following four IP addresses to a blocklist:

    • 101.99.91[.]151

    • 101.99.94[.]173 

    • 79.141.163[.]179   

    • 111.90.146[.]237

References:

https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers

https://www.bleepingcomputer.com/news/security/botnet-hacks-9-000-plus-asus-routers-to-add-persistent-ssh-backdoor/

Back to top