Ongoing Botnet Campaign Targeting ASUS Routers
2 June 2025
There are reports of an ongoing botnet campaign targeting ASUS routers to deploy persistent Secure Shell (SSH) backdoors. Users and administrators of affected products are advised to upgrade to the latest versions as soon as possible.
Background:
There are reports of an ongoing botnet campaign exploiting known vulnerabilities in ASUS routers to deploy persistent Secure Shell (SSH) backdoors. Attackers combine brute-forcing login credentials, bypassing authentication, and exploiting an old command injection vulnerability (CVE-2023-39780) to add their own SSH public key to the router. They then enable the SSH daemon to listen on the non-standard TCP port 53282, retaining backdoor access to the devices across reboots and firmware updates.
Impact:
Successful exploitation of vulnerable routers could allow a remote attacker to gain full control of the device, establish persistent access via SSH, intercept network traffic, perform lateral movement into internal networks, and/or recruit devices into botnets.
Affected Products:
This campaign affects ASUS routers including the RT-AC3100, RT-AC3200, and RT-AX55 models.
Mitigation:
Users and administrators of affected products are advised to perform the following mitigation measures:
Upgrade to the latest versions as soon as possible
Disable remote administration features, especially access to the router’s management interface from the internet, unless absolutely necessary
Change all default administrative credentials to strong, unique passwords to reduce the risk of unauthorised access
Look for suspicious files and for the addition of the attacker's SSH key (IoCs here) in the 'authorized_keys' file. If a compromise is suspected, perform a factory reset on the device and reconfigure it securely from scratch using a strong password, which should contain at least 12 characters comprising upper-case and lower-case letters, numbers and symbols
Add the following four IP addresses to a blocklist:
101.99.91[.]151
101.99.94[.]173
79.141.163[.]179
111.90.146[.]237
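The following triage script is an added example and is not code from this advisory or from the referenced GreyNoise report. It turns the indicators quoted above (the backdoor SSH port 53282 and the four blocklisted addresses) into three checks an administrator can run against data pulled from a router: unknown entries in 'authorized_keys' compared with an allowlist of the administrator's own keys, a LISTEN socket bound to the backdoor port in netstat-style output, and firewall log lines mentioning a blocklisted address. The authorized_keys content, the listener listing and the log lines embedded here are constructed samples (dummy key blobs, not key material from the campaign); the `dropbear` process name is an assumption about the router's SSH daemon and plays no part in the checks.

```python
"""Triage helpers for the ASUS router SSH-backdoor campaign described above.

Added example, not code from the advisory or the referenced report. All sample
inputs (an authorized_keys file, a netstat-style listener listing, firewall log
lines) are constructed here so the script runs offline; key blobs are dummies.
"""
from __future__ import annotations
import re

# Indicators quoted in the advisory: the backdoor port and the four IPs
# (listed there defanged with "[.]"; refanged below for matching).
BACKDOOR_PORT = 53282
BLOCKLIST_DEFANGED = [
    "101.99.91[.]151",
    "101.99.94[.]173",
    "79.141.163[.]179",
    "111.90.146[.]237",
]


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a plain address."""
    return ip.replace("[.]", ".")


BLOCKLIST = {refang(ip) for ip in BLOCKLIST_DEFANGED}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys lines into {type, blob, comment}; skip blanks and comments.

    Lines may start with options (e.g. 'no-pty,command="..."'), so the key type
    is located by its ssh-/ecdsa-/sk- prefix rather than assumed at column 0.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                entries.append({
                    "type": tok,
                    "blob": tokens[i + 1] if i + 1 < len(tokens) else "",
                    "comment": " ".join(tokens[i + 2:]),
                })
                break
    return entries


def unexpected_keys(text: str, known_blobs: set[str]) -> list[dict]:
    """Return every key whose blob is not in the administrator's allowlist."""
    return [e for e in parse_authorized_keys(text) if e["blob"] not in known_blobs]


def sshd_listening_on_backdoor_port(netstat_output: str) -> bool:
    """True if any LISTEN socket in `netstat -tlnp`-style output is bound to port 53282."""
    for line in netstat_output.splitlines():
        fields = line.split()
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State ...
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit() and int(port) == BACKDOOR_PORT:
            return True
    return False


def blocklist_hits(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (ip, line) pairs for every log line that mentions a blocklisted address."""
    return [(ip, line) for line in log_lines
            for ip in IP_RE.findall(line) if ip in BLOCKLIST]


def triage(authorized_keys: str, known_blobs: set[str],
           netstat_output: str, fw_log: list[str]) -> dict:
    """Run all three checks and return the findings as one dictionary."""
    return {
        "unexpected_keys": unexpected_keys(authorized_keys, known_blobs),
        "backdoor_port_listening": sshd_listening_on_backdoor_port(netstat_output),
        "blocklist_hits": blocklist_hits(fw_log),
    }


# --- Constructed sample inputs (not real data from any device) ---
SAMPLE_AUTHORIZED_KEYS = """\
# admin workstation (constructed dummy blob, not a real key)
ssh-ed25519 AAAADUMMYADMINKEY admin@workstation
ssh-rsa AAAADUMMYUNKNOWNKEY
"""
KNOWN_KEY_BLOBS = {"AAAADUMMYADMINKEY"}
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      512/httpd
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN      734/dropbear
"""
SAMPLE_FW_LOG = [
    "Jun  2 10:14:01 router kernel: ACCEPT IN=eth0 SRC=101.99.94.173 DST=192.0.2.1 PROTO=TCP DPT=53282",
    "Jun  2 10:15:22 router kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS,
                                SAMPLE_NETSTAT, SAMPLE_FW_LOG).items():
        print(f"{name}: {finding}")
```

To use it on a real device, replace the constructed samples with the contents of the router's authorized_keys file, the output of its netstat listing, and its firewall or syslog export; any unexpected key, a listener on port 53282, or a blocklist hit is a reason to follow the factory-reset guidance above rather than to clean up in place.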
References:
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers