AyySSHush
AyySSHush is a botnet/backdoor campaign targeting Internet-exposed ASUS routers, discovered by GreyNoise in March 2025. It compromises routers through brute-force attacks against login pages and by exploiting known authentication bypass vulnerabilities, then uses the CVE-2023-39780 command injection to gain code execution. Reported tradecraft includes creating /tmp/BWSQL_LOG to trigger the vulnerable BWDPI logging function, disabling or undermining ASUS AiProtection/Trend Micro security features, disabling logging, enabling SSH on TCP port 53282, and installing an attacker-controlled SSH public key through legitimate ASUS configuration features. Because those settings are stored in NVRAM, the SSH backdoor survives reboots, patching, and even firmware upgrades. GreyNoise reported thousands of infected devices, with counts ranging from more than 8,000 visible hosts to a peak of about 12,000 Internet-exposed routers; one report cited more than 9,000 infected ASUS routers. Affected models explicitly mentioned include RT-AC3100, RT-AC3200, RT-AX55, ASUS 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP. GreyNoise assessed the activity as consistent with an advanced, well-resourced adversary and said the campaign may be building an operational relay box (ORB) network. Multiple sources note overlap with activity tracked by Sekoia as ViciousTrap, and some reporting describes AyySSHush as another Chinese-origin botnet or links it to the same actor with low to moderate confidence, but no formal attribution has been confirmed. High-confidence remediation guidance in the reporting is that normal patching or rebooting may not remove the persistence; impacted routers may require inspection for compromise or a comprehensive factory reset.
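A triage helper for the persistence described above, added here as an example and not part of the page's reporting or of GreyNoise's tooling. It parses an ASUSWRT-style `nvram show` dump (a constructed sample is embedded) and flags the indicators the paragraph names: SSH enabled on TCP 53282, an authorized key the operator did not install, and the presence of /tmp/BWSQL_LOG. The NVRAM variable names sshd_enable, sshd_port and sshd_authkeys, and the `>` separator between keys, are assumptions about ASUSWRT and are not quoted on the page.

```python
import os

# Constructed sample of an ASUSWRT-style `nvram show` dump (not from a real device).
# The variable names sshd_enable / sshd_port / sshd_authkeys and the '>' separator
# between keys are ASSUMPTIONS about ASUSWRT; confirm them on your firmware build.
SAMPLE_NVRAM_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAA_CONSTRUCTED_KEY_1 admin@home>ssh-ed25519 AAAA_CONSTRUCTED_KEY_2 x
wan_proto=dhcp
"""

BACKDOOR_PORT = 53282            # SSH port reported by GreyNoise for this campaign
TRIGGER_FILE = "/tmp/BWSQL_LOG"  # file reported to trigger the CVE-2023-39780 path


def parse_nvram(dump: str) -> dict:
    """Turn 'name=value' lines into a dict; a later duplicate name wins."""
    conf = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def triage(dump: str, known_key_material: set, path_exists=os.path.exists) -> list:
    """Return human-readable findings; an empty list means no AyySSHush indicator.

    known_key_material: the base64 body (second field) of every key the operator
    installed on purpose. path_exists is injectable so the check can run offline.
    """
    conf = parse_nvram(dump)
    findings = []
    if conf.get("sshd_enable", "0") != "0" and conf.get("sshd_port") == str(BACKDOOR_PORT):
        findings.append(f"sshd enabled on TCP {BACKDOOR_PORT}")
    for entry in filter(None, conf.get("sshd_authkeys", "").split(">")):
        fields = entry.split()
        if len(fields) < 2 or fields[1] not in known_key_material:
            findings.append(f"unrecognised authorized key: {entry[:48]}")
    if path_exists(TRIGGER_FILE):
        findings.append(f"{TRIGGER_FILE} present")
    return findings


if __name__ == "__main__":
    # Offline run against the constructed dump: only KEY_1 is operator-installed.
    for f in triage(SAMPLE_NVRAM_DUMP, {"AAAA_CONSTRUCTED_KEY_1"}, lambda p: False):
        print("FINDING:", f)
```

On a live router the same function can be fed the output of `nvram show` with the default `path_exists`, but a positive finding is grounds for the factory reset the reporting recommends, not for editing the variables back.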
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Once inside, they target and exploit CVE-2023-39780, a known command injection vulnerability, to execute arbitrary system-level commands. Asus has released a new firmware update addressing CVE-2023-39780, as well as the initial undocumented login bypass techniques.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Greynoise labeled it "AyySSHush." ... AyySSHush uses only the most obvious tactics for gaining initial access to Internet-exposed routers: either brute forcing the device's login page or exploiting known authentication bypass vulnerabilities.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
these commands were used to enable SSH, bind it to TCP/53282, and add an attacker-controlled public key, affording them exclusive SSH access.
Execution
3 techniques
Once inside, they target and exploit CVE-2023-39780, a known command injection vulnerability, to execute arbitrary system-level commands.
Persistence
5 techniques
these commands were used to enable SSH, bind it to TCP/53282, and add an attacker-controlled public key, affording them exclusive SSH access.
They also gain the ability to enable SSH on a non-standard port (TCP 53282) and install their own public SSH key, enabling remote administrative control.
Privilege Escalation
4 techniques
...exploiting authentication bypass techniques, some of which remain undocumented without assigned CVEs.
these commands were used to enable SSH, bind it to TCP/53282, and add an attacker-controlled public key, affording them exclusive SSH access.
Stealth
3 techniques
Additionally, by disabling system logging and the router’s AiProtection security features, the attackers ensure that they cannot be detected.
Defense Impairment
1 technique
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Chinese-origin router-focused botnet/ORB-like cluster linked in reporting to exploitation of CVE-2023-39780; some infrastructure shows possible overlap with Operation WrtHug, though evidence is limited to shared indicators/vulnerability usage.
An ASUS-router-focused botnet/backdoor operation that gains admin access (via brute force and known bugs), enables SSH on a high port, and persists by adding an attacker SSH key through legitimate router settings that survive firmware upgrades.
Botnet infecting routers (primarily ASUS) and possibly other devices, likely for DDoS or proxying purposes.
A router-targeting botnet affecting Asus devices. It uses brute-force and authentication bypass techniques, exploits CVE-2023-39780 to execute commands, disables logging and AiProtection, enables SSH on a custom port, and installs an attacker-controlled public key to maintain persistent backdoor access across firmware upgrades.