
Have you never executed a binary you downloaded over http? (Live) Patching backdoors into existing binaries is not exactly difficult.

So far I've only seen one attack like this in the wild, but you need to understand that these exploit vendors primarily sell for targeted attacks (usually by various government actors).



Of course not. But, like I said, if all you need is to pop up a convincing-looking page that gets someone to download an executable, you don't need to pop a router to do it. There are hundreds of ad networks you can inject stuff into to accomplish this.

My point is that the compromised router isn't a usefully privileged position to launch this attack from. Whether or not you have the router, you're relying on sending someone to a random convincing-looking web page. This is an "open redirect" level of difficulty, not an $80k RCE level.


> the compromised router isn't a usefully privileged position to launch this attack from.

I hadn't thought too deeply about it but you're absolutely right. Given the presence of encryption, the biggest advantage you can get from owning the router is being able to phish the user from a site they might normally trust but isn't encrypted (a group of sites that is, thankfully, getting smaller every day).


Key is that you don't need to phish, you can just wait until the user downloads an unencrypted executable.



