Unlike typical malware attacks, this operation doesn’t drop any code on the routers. Instead, the attackers are using a mix of known security flaws and legitimate router features to establish stealthy access that survives reboots and even firmware upgrades.
GreyNoise said its AI-powered Sift tool first spotted the operation in March, and the details were made public this week after coordination with government agencies and industry partners. Sekoia.io, which has been tracking a wider campaign dubbed ViciousTrap, confirmed that ASUS routers were hit alongside other brands.
Sekoia’s researchers said the ASUS units weren't used to create honeypots but were compromised through the same method: SSH access via TCP port 53282, which GreyNoise flagged.
Affected models include the RT-AC3200, RT-AC3100, GT-AC2900, and Lyra Mini, though it's not clear if the list ends there.
The backdoors work by adding rogue SSH keys to the router's authorized_keys file, giving the attackers silent remote access without triggering antivirus or security tools. Since the backdoor doesn't involve dropping files or running malware, it is notoriously hard to detect.
GreyNoise recommends a full factory reset followed by a manual reconfiguration of all settings. Users should also check whether anything is listening on TCP port 53282 and audit the contents of their authorized_keys file for entries they did not add.
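The two checks above, an unexpected SSH listener on TCP port 53282 and rogue entries in authorized_keys, can be scripted. The following is an added example, not code from GreyNoise, Sekoia or ASUS: it parses a constructed authorized_keys file (handling the optional options prefix that can precede the key type), computes OpenSSH-style SHA256 fingerprints so entries can be compared against a fingerprint allowlist the operator maintains, and parses constructed `netstat -tln` output for the suspect port. The sample keys, the allowlist and the netstat lines are all constructed placeholders.

```python
"""Audit helper for the two indicators named in the article: an SSH listener
on TCP port 53282 and unexpected entries in a router's authorized_keys file.
Added example with constructed sample data; not code from GreyNoise or Sekoia."""
import base64
import hashlib
import re

SUSPECT_PORT = 53282  # the port named in the article

# An authorized_keys line is: [options] key-type base64-blob [comment]
KEY_LINE_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$"
)


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key entry; blank lines and comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        try:
            entries.append({
                "line": lineno,
                "options": line[:m.start()].strip(),  # text before the key type
                "type": m.group(1),
                "fingerprint": fingerprint(m.group(2)),
                "comment": (m.group(3) or "").strip(),
            })
        except ValueError:
            entries.append({"line": lineno, "error": "invalid base64 blob"})
    return entries


def audit_authorized_keys(text, allowed_fingerprints):
    """Flag entries whose fingerprint is not on the allowlist or that carry
    a forced command, plus anything that failed to parse."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "reasons": [e["error"]]})
            continue
        reasons = []
        if e["fingerprint"] not in allowed_fingerprints:
            reasons.append("key not in allowlist")
        if "command=" in e["options"]:
            reasons.append("forced command in options")
        if reasons:
            findings.append({"line": e["line"], "fingerprint": e["fingerprint"],
                             "reasons": reasons})
    return findings


def listening_tcp_ports(netstat_text):
    """Ports in LISTEN state from `netstat -tln` output (Linux/BusyBox layout)."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            ports.add(int(parts[3].rsplit(":", 1)[1]))
    return ports


# --- constructed sample data (not taken from any real device) ---
ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"  # wire header: "ssh-ed25519" + 32-byte key length
ADMIN_BLOB = ED25519_PREFIX + "A" * 43          # placeholder key material
ROGUE_BLOB = ED25519_PREFIX + "B" * 43          # placeholder key material
ALLOWLIST = {fingerprint(ADMIN_BLOB)}           # fingerprints the operator recognises

SAMPLE_AUTHORIZED_KEYS = f"""\
# admin workstation
ssh-ed25519 {ADMIN_BLOB} admin@workstation
no-pty,command="/bin/sh" ssh-ed25519 {ROGUE_BLOB}
"""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"authorized_keys line {f['line']}: {'; '.join(f['reasons'])}")
    if SUSPECT_PORT in listening_tcp_ports(SAMPLE_NETSTAT):
        print(f"TCP port {SUSPECT_PORT} is listening")
```

On a real device the inputs would be the router's own authorized_keys file and the output of `netstat -tln` (or the equivalent listing in the router's web UI); the allowlist is built from fingerprints of keys the operator knowingly installed, so any entry outside it is a candidate for removal and the factory reset the article recommends.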
The group behind the campaign hasn’t been identified, but researchers said the operation has all the hallmarks of a high-end threat actor.