ZuoRAT malware attacking a wide range of SOHO routers

Duncan Riley July 09, 2022

Zuorat, a newly discovered form of malicious software, has been found to be targeting small office-home-office (SOHO) routers in Europe and North American countries.


The ZuoRAT malware is described as a multistage remote access trojan and is believed to have been active since 2020. The ZuoRAT malware grants the hackers behind it the ability to gain access to the local network and additional systems on the local area network by hijacking communications to maintain an undetected foothold.

What is a SOHO Router?

SOHO routers offer both wired and wireless broadband network connectivity. Unlike traditional routers, they are structured specifically for small office / home office networks (SOHO).

Many offices are now using video conferencing to connect with each other, so SOHO routers for Web Conferencing will be able increase the streaming quality of the connections. Every connection will have an IP address, and the firmware on the device provides different connection points based on bandwidth requirements.

Conference calls and video calls send information in data packages. Sometimes, data packets do not reach their destination because of network congestion or a poor computer configuration. Jitter occurs when packets are lost during an online meeting, causing lower video resolution and de-syncing the video from the audio. Quality of Service (QoS) features allow SOHO routers to prioritize the traffic used for voice and video calls to help reduce jitter and latency.

Features of SOHO Router

  • Quality of Service (QoS)
  • Dual-Band or Tri-Band Wi-Fi Support
  • Extended Range
  • The Data Rate
  • Enhanced Security

ZuoRAT Malware

ZuoRAT is a file that can be used to enumerate a host and its internal network, capture packets transmitted over the infected device, and perform man-in-the- middle attacks, including DNS and HTTP hijacking. Captured data is then sent to an external server.

Router hacks are not a new development; however, the researchers note that where the ZuoRAT malware is interesting is that compromising small office/home office (SOHO) routers is rarely reported. The use of man in the middle attacks against SOHO routers is extremely rare and suggests that those behind the ZuoRAT malware demonstrate a prominent level of skill and sophistication and are a government sponsored organization.

The sudden shift to remote work prompted by the COVID-2019 pandemic has allowed an advanced adversary to seize this opportunity and subvert the traditional defence in depth posture of many well-established organizations.

SOHO firmware usually is not built with security in mind. Especially pre-pandemic SOHO routers, where SOHO routers did not pose an attack vector. So, the only people screw¬ing with them were people looking to create bots.

Casey Ellis, founder of crowdsourced cybersecurity company Bugcrowd, called this a decent finding. Until now, there has been a lot of discussion about SOHO (small office/home office) exploitation, but little evidence of it. One thing to note is that IoT exploits have become far more actively traded in offensive markets since the outbreak of COVID.

John Bambenec, principal threat hunter at Netenrich Inc., warns that the problem with Soho routers is that cost-conscious users often buy them without any robust security features and no one actively administers them so that they never get patched or hardened.


Zuorat’s targeting of small office/home office (SOHO) routers makes it more dangerous than anything else. Its feature set is like the ones used in advanced attacks, but it is built specifically for devices that have limited defences or detection capabilities.

also view other related posts,