Thousands of Asus routers compromised by the 'ViciousTrap' backdoor

9,000 Asus routers compromised by the stealthy 'ViciousTrap' backdoor, uncovered by AI: take action now.

Over 9,000 Asus routers have been compromised by a backdoor dubbed 'ViciousTrap', identified by GreyNoise's AI tool Sift. The attackers exploit several security flaws, including one tracked as CVE-2023-39780, to execute commands and maintain remote access. Although Asus has released firmware updates that patch the known vulnerabilities, the backdoor persists unless an administrator removes it manually. GreyNoise urges monitoring for abnormal IP addresses and recommends prompt firmware updates to close the security gap.

The 'ViciousTrap' backdoor affecting Asus routers represents a significant cybersecurity threat: it has compromised over 9,000 devices. GreyNoise, a company specializing in cybersecurity, discovered the anomalous traffic patterns with its AI tool Sift, which flagged the unusual activity in March 2025 and led to the identification of the backdoor. The findings were soon shared with government authorities for further investigation. The backdoor is described as highly stealthy, evading the detection methods typically used by both end users and system administrators, which makes it particularly concerning for those responsible for network security.

The campaign behind 'ViciousTrap' has been associated with cyber-espionage activity, although the attackers' motives remain unknown. The attackers have methodically taken advantage of unpatched security vulnerabilities in Asus routers. Some of these vulnerabilities had previously been documented and fixed; others were never tracked in the Common Vulnerabilities and Exposures (CVE) database, the central list of publicly known security vulnerabilities. This allowed the attackers to exploit devices that remained exposed despite earlier remediation efforts.

To compromise a device, the attackers exploit multiple security flaws and also resort to brute-force login attempts to gain initial access. One identified flaw, CVE-2023-39780, is a crucial step in their chain: it permits command execution on the router. Once they have access, the attackers abuse a legitimate Asus router feature to enable SSH access on a designated TCP port, then inject their own public SSH key, which grants them remote access.

Despite firmware updates from Asus that patch these security flaws, the backdoor can persist. Its configuration lives in the device's NVRAM (non-volatile memory that routers use to retain settings), so it survives reboots and firmware updates. Disabling logging further hides the backdoor from detection. GreyNoise emphasizes that even after updating, the backdoor may remain active unless an administrator has manually checked for and disabled the unauthorized SSH access.

Administrators are advised to remove the unauthorized SSH key and return affected routers to their original configuration. They should also monitor for traffic from the suspicious IP addresses 101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237 as part of efforts to mitigate further risk. Keeping routers on the latest firmware is crucial, and a factory reset is a protective step if a compromise is suspected. GreyNoise continues to monitor closely the expansion and potential uses of the 'ViciousTrap' campaign.
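As an added illustration of the checks described above (example code written for this page, not GreyNoise's or Asus's tooling): it audits an NVRAM-style settings dump for the backdoor's footprint (SSH enabled and exposed on a chosen port, an authorized key the administrator did not provision, logging switched off) and scans firewall log lines for the four IP addresses named in the article. The NVRAM variable names, the '>' key separator and all sample data are assumptions constructed for the example.

```python
import re
# Addresses the article tells administrators to watch for.
SUSPICIOUS_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
# Keys the administrator knowingly provisioned (assumed allowlist, constructed value).
KNOWN_KEYS = {"ssh-ed25519 AAAAC3Nz...admin-laptop"}
# Constructed `name=value` dump; variable names are assumptions modelled on
# Asuswrt-style settings, not values taken from the article.
SAMPLE_NVRAM = """sshd_enable=1
sshd_port=45678
sshd_wan=1
sshd_authkeys=ssh-ed25519 AAAAC3Nz...admin-laptop>ssh-rsa AAAAB3Nz...unknown
log_level=0"""
# Constructed firewall log lines (RFC 5737 documentation address for the router's WAN side).
SAMPLE_LOG = """May 20 03:12:01 router kernel: ACCEPT IN=eth0 SRC=101.99.91.151 DST=203.0.113.10 PROTO=TCP DPT=45678
May 20 03:13:44 router kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443"""

def parse_nvram(dump: str) -> dict:
    """Parse `name=value` lines into a dict (values may themselves contain '=')."""
    settings = {}
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def audit_ssh(settings: dict) -> list:
    """Return findings that match the backdoor's footprint described in the article."""
    findings = []
    if settings.get("sshd_enable") == "1":
        findings.append("SSH service enabled")
        if settings.get("sshd_wan") == "1":
            findings.append("SSH reachable from WAN on port " + settings.get("sshd_port", "?"))
        # Assumed: several keys stored in one variable, separated by '>'.
        for key in filter(None, settings.get("sshd_authkeys", "").split(">")):
            if key not in KNOWN_KEYS:
                findings.append("unrecognised authorized key: " + key)
    if settings.get("log_level") == "0":
        findings.append("logging disabled")
    return findings

def suspicious_connections(log: str) -> list:
    """Return (source_ip, line) for log lines whose SRC= is one of the watched addresses."""
    hits = []
    for line in log.splitlines():
        match = re.search(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})", line)
        if match and match.group(1) in SUSPICIOUS_IPS:
            hits.append((match.group(1), line))
    return hits
```

Any non-empty result from either function is a reason to remove the key, restore the router's original configuration and consider a factory reset, as the article recommends.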

Sources: TechSpot, GreyNoise