New botnet hijacks AI-powered security tool on Asus routers


A newly uncovered botnet is targeting Asus routers — specifically models RT-AC3100 and RT-AC3200 — to hijack and repurpose a built-in, AI-powered security feature.

The campaign, detected by GreyNoise in March 2025, employs a multi-stage approach to compromise devices and establish persistent unauthorized access.

“We are observing an ongoing wave of exploitation targeting ASUS routers, combining both old and new attack methods,” GreyNoise researchers said in a blog post. “After an initial wave of generic brute-force attacks targeting ‘login.cgi,’ we observe subsequent attempts exploiting older authentication bypass vulnerabilities.”

GreyNoise said its in-house AI tool, SIFT, flagged suspicious traffic aimed at disabling and exploiting a TrendMicro-powered security feature, AiProtection, enabled by default on Asus routers.

Trojanizing the safety net

Asus’ AiProtection, developed with TrendMicro, is a built-in, enterprise-grade security suite for its routers, offering real-time threat detection, malware blocking, and intrusion prevention using cloud-based intelligence.

After gaining administrative access on the routers, either by brute-forcing “login.cgi” (the web-based admin interface) or by exploiting known authentication bypass vulnerabilities in it, the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at /tmp/BWSQL_LOG.

Doing this activates the BWDPI (Bidirectional Web Data Packet Inspection) logging feature, a component of Asus’ AiProtection suite aimed at inspecting incoming and outgoing traffic. With logging turned on, attackers can feed crafted (malicious) payloads into the router’s traffic, as BWDPI is not meant to handle arbitrary data.

In this particular case, the attackers use this to enable SSH on a non-standard port and add their own keys, creating a stealthy backdoor. “Because this key is added using the official Asus features, this config change is persisted across firmware upgrades,” GreyNoise researchers said. “If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.”

While GreyNoise did not specify a particular CVE used as an authentication bypass for initial access, Asus recently acknowledged a critical authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud feature enabled.

Monitoring SSH access is the only protection

As upgrading the firmware doesn’t guarantee protection, administrators are advised to check regularly for unauthorized SSH access, particularly on TCP port 53282, which the botnet uses for persistent remote control.

Additionally, checking the filesystem for a /tmp/BWSQL_LOG file can help detect attackers’ abuse of the logging feature. Changing default login credentials can prove effective, too, as brute-force attacks are part of the initial infection method. GreyNoise shared a list of indicators of compromise (IoCs) to build detections from, including IP addresses, malicious filenames, and SSH-RSA keys.
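The checks described in this section, as an added example that is not GreyNoise’s or Asus’ own tooling: a POSIX shell audit that looks for the three indicators the article names (the /tmp/BWSQL_LOG trigger file, a listener on TCP 53282, and SSH authorized keys that are not on an allowlist the administrator maintains). Every check takes file paths as input, so the same logic runs against a live router or against saved snapshots collected from it. The nvram variable name `sshd_authkeys`, the key-per-line format of its output, and the allowlist path /jffs/trusted_keys.txt are assumptions about Asus firmware and should be verified on the device; the sample data in `demo` is constructed, not real IoCs.

```shell
#!/bin/sh
# Added example, not GreyNoise's or Asus's own tooling: audit a router (or a
# saved snapshot of its state) for the three indicators from the article:
# the /tmp/BWSQL_LOG trigger file, a listener on TCP 53282, and SSH keys that
# are not on an administrator-maintained allowlist. The nvram variable name
# `sshd_authkeys` and the path /jffs/trusted_keys.txt are assumptions.

IOC_SSH_PORT=53282
IOC_LOG_FILE=/tmp/BWSQL_LOG

# Indicator 1: the empty file whose presence switches on BWDPI logging.
# $1 = path to test (the real path on a live router, a stand-in in tests).
bwsql_log_present() {
    [ -e "$1" ]
}

# Indicator 2: something listening on the botnet's SSH port.
# $1 = file holding `netstat -tln` output.
listener_on_ioc_port() {
    grep 'LISTEN' "$1" | grep -Eq ":${IOC_SSH_PORT}[[:space:]]"
}

# Indicator 3: authorized keys the administrator did not add. Prints each
# unknown key line and exits 1 if any were found, 0 otherwise. Keys are
# compared on the base64 blob (field 2), so editing the trailing comment can
# neither hide a known key nor disguise a new one.
# $1 = authorized_keys-style file from the router, $2 = allowlist, same format.
unknown_ssh_keys() {
    awk 'FILENAME == ARGV[1] { if ($2 != "") trusted[$2] = 1; next }
         $2 != "" && !($2 in trusted) { print; found = 1 }
         END { exit found ? 1 : 0 }' "$2" "$1"
}

# Runs all three checks, prints one line per finding and returns the number
# of findings (0 = nothing suspicious).
# $1 = BWSQL_LOG path, $2 = netstat snapshot, $3 = router keys, $4 = allowlist.
run_audit() {
    findings=0
    if bwsql_log_present "$1"; then
        echo "FINDING: $1 exists (BWDPI logging trigger)"; findings=$((findings + 1))
    fi
    if listener_on_ioc_port "$2"; then
        echo "FINDING: listener on TCP ${IOC_SSH_PORT}"; findings=$((findings + 1))
    fi
    if ! unknown_ssh_keys "$3" "$4" > /dev/null; then
        echo "FINDING: SSH keys not on the allowlist:"
        unknown_ssh_keys "$3" "$4" || true
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample data (not real IoCs) that triggers all three findings.
demo() {
    d=$(mktemp -d)
    : > "$d/BWSQL_LOG"
    printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:53282 0.0.0.0:* LISTEN\n' > "$d/ports.txt"
    printf 'ssh-rsa AAAAB3Nz-constructed-trusted admin@lan\nssh-rsa AAAAB3Nz-constructed-unknown x\n' > "$d/keys.txt"
    printf 'ssh-rsa AAAAB3Nz-constructed-trusted admin@lan\n' > "$d/allow.txt"
    run_audit "$d/BWSQL_LOG" "$d/ports.txt" "$d/keys.txt" "$d/allow.txt"
}

# Collects live data on an Asus router; the nvram variable, its one-key-per-line
# output and the allowlist path are assumptions to verify on the device.
live() {
    d=$(mktemp -d)
    netstat -tln > "$d/ports.txt"
    nvram get sshd_authkeys > "$d/keys.txt"
    run_audit "$IOC_LOG_FILE" "$d/ports.txt" "$d/keys.txt" /jffs/trusted_keys.txt
}

case "${1:-}" in
    --demo) demo ;;
    --live) live ;;
esac
```

Run with `--demo` to see the three findings on the constructed data, or `--live` on the router itself; the exit status is the number of findings, which makes the script easy to schedule with cron on the router and alert on a non-zero result. Because the backdoor survives firmware upgrades, the check is worth running after every upgrade as well as on a routine basis.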

Originally published at CSO Online: New botnet hijacks AI-powered security tool on Asus routers.