Stealth AyySSHush Botnet Compromises 9,000 Asus Routers with Unremovable SSH Backdoor

A sophisticated botnet named AyySSHush has infiltrated over 9,000 Asus routers globally, exploiting vulnerabilities to install a persistent SSH backdoor that survives firmware updates. Uncovered in March 2025 by cybersecurity experts at GreyNoise, this attack uses brute-force login attempts and undocumented authentication bypass methods to gain access.

Unlike traditional malware, AyySSHush manipulates the router’s built-in features, making it nearly invisible to standard detection tools. Data from Censys, an internet device monitoring platform, confirms the attack’s widespread impact, exposing the growing threat to home network security.

Mechanics of the Attack

The AyySSHush botnet begins by targeting routers with weak or default credentials through relentless brute-force attacks. Once inside, attackers exploit CVE-2023-39780, a command injection flaw, to run arbitrary system commands. This enables them to reconfigure the router using its own firmware, storing malicious settings in non-volatile memory (NVRAM).

A key feature of the attack is the activation of SSH on an obscure port, TCP 53282, paired with the installation of an attacker-controlled public SSH key for remote access. To evade detection, the botnet disables system logging and Asus’s AiProtection security suite, ensuring stealthy, long-term control.

ALSO READ | Microsoft Crushes Lumma Stealer: Global Takedown Halts Malware Infecting 394,000+ Windows PCs

Limitations of Firmware Updates

Asus has issued a firmware update to patch CVE-2023-39780 and address the initial authentication bypass vulnerabilities. However, this update cannot remove the SSH backdoor from already-compromised routers, as the malicious configurations persist in NVRAM through reboots and firmware upgrades.

GreyNoise’s AI-driven Sift tool detected the attack through just 30 malicious HTTP POST requests over three months, highlighting its low-profile efficiency. Web-based reports as of May 29, 2025, indicate ongoing scans targeting Asus routers, with thousands of devices still exposed due to outdated firmware or insecure settings.

Did You Know?
A 2024 study by Kaspersky found that 75% of router attacks exploit weak passwords or unpatched vulnerabilities, underscoring the need for proactive security measures.

Securing Your Router

To protect against AyySSHush, users must go beyond firmware updates. Checking for unauthorized SSH activity on TCP port 53282 and inspecting the authorized_keys file for suspicious entries are essential steps. Blocking known malicious IP addresses linked to the botnet can reduce exposure.

For routers suspected of compromise, a full factory reset followed by careful reconfiguration is the most effective solution. Real-time data from cybersecurity sources emphasizes the importance of strong, unique passwords and regular security checks to prevent exploitation.