AyySSHush: Tradecraft of an emergent ASUS botnet
ID: 5666b643-e82c-539c-902e-490e9aea470b
STIX ID: report--5666b643-e82c-539c-902e-490e9aea470b
Feed Name: GreyNoise Labs
GreyNoise's SIFT detected an active campaign exploiting ASUS router firmware (including CVE-2023-39780) to inject commands that create /tmp/BWSQL_LOG (enabling BWDPI logging) and to enable SSH on TCP/53282 with an attacker-controlled public key that persists across firmware upgrades; the report provides the exploit payloads, firmware analysis, proof-of-concept access, and IoCs (several source IPs and the attacker's RSA public key) confirming widespread backdooring.
