Manually DHCP List and Domain Name Showing Unremovable Items

Yes, I'm assuming that's part of the malware as well.
I mean, why bind mount a user icon file unless it will somehow exploit the webgui when loaded on the networkmap? It's amazing the router is functional if rc has been hacked or patched on-device.
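
A way to check for the kind of bind mount described in the post above, as an added example that is not part of the original thread: in `/proc/self/mountinfo`, a mount whose root field is not `/` exposes only a single file or subdirectory of its source filesystem. The function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: list mounts that expose only part of a filesystem.
# mountinfo fields: 1 mount ID, 2 parent ID, 3 major:minor, 4 root,
# 5 mount point, 6 options, optional fields, "-", fs type, source.
# A root (field 4) other than "/" means a single file or subdirectory
# was mounted at the mount point, as with a bind mount over one file.

list_partial_mounts() {
    # Reads mountinfo-format text from the files given, or from stdin.
    awk '
        $4 != "/" {
            fstype = "?"; src = "?"
            # The "-" separator follows the optional fields.
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); src = $(i + 2); break }
            printf "%s <- %s:%s (%s)\n", $5, src, $4, fstype
        }
    ' "$@"
}

# Constructed sample table: the last line is a file from tmpfs mounted
# over a file under /www (paths are made up for illustration).
sample_mountinfo() {
    cat <<'EOF'
15 0 31:3 / / ro,relatime - squashfs /dev/root ro
16 15 0:14 / /tmp rw,relatime - tmpfs tmpfs rw
17 15 31:4 / /jffs rw,noatime - jffs2 /dev/mtdblock4 rw
18 15 0:14 /example-icon /www/example/icon.png rw,relatime - tmpfs tmpfs rw
EOF
}

# Demo on the sample; on a live system run:
#   list_partial_mounts /proc/self/mountinfo
sample_mountinfo | list_partial_mounts
```

Legitimate scripts can also bind mount individual files, so each hit needs review rather than being treated as proof of compromise. A bind mount of a whole filesystem keeps `/` as its root and is not listed by this check.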
 
I have an idea of forking and modifying the WICENS addon to monitor whether AiCloud is turned on or any external access is opened up. If found, it will email out an alert.

Perhaps this will become another useful addon for security checking.

Or maybe @Maverickcdn has the interest to extend the function of WICENS to include this kind of basic security checking?
 
Wow, I found myself with this exact problem as well. Luckily, doing the same reload of existing firmware and factory reset solved it.

I was wondering why the firmware upgrade checks have been failing for a while now, and this was the reason. The other problem I was chasing that was caused by this is that I could not go to any asus.com web site. I would get a DNS probe error. Now that is also fixed.

So weird, I wonder how this malware got on my router. I'm pretty smart and careful. Could it have come via my PC rather than from the web?
 
I think it came from AiCloud.

Asus firmware version 3.0.0.4.388_24401 released 2025/10/20 mentioned:
- Mitigated security risks in AiCloud service by enforcing strict credential verification, implementing robust file path validation, and hardening command execution logic to prevent unauthorized access and manipulation of system resources.
 
So weird, I wonder how this malware got on my router. I'm pretty smart and careful. Could it have come via my PC rather than from the web?
The AiCloud feature on the router is the likely intrusion vector, assuming you don't have weak WiFi security or allow anyone to plug in via Ethernet to your local network. There is a big discussion on the malware, and some possible ways to deal with it with the help of a few users, in the following discussion:
Subsequent Asus firmware (and Asus-Merlin firmware) have security patches that address the latest discovered vulnerabilities in AiCloud. Bottom line, don't enable/use AiCloud if you don't absolutely need it. If you absolutely need it, then consider other methods of secure remote access like VPN instead.
 
