Security researchers have uncovered a new malware family named AryStinger that is transforming outdated routers and network-attached storage (NAS) devices into a large-scale reconnaissance and proxy network.
Unlike traditional botnets that primarily launch distributed denial-of-service (DDoS) attacks, AryStinger focuses on the early stages of cyberattacks by scanning the internet, collecting intelligence, and hiding attacker activity behind compromised devices.
Researchers at QiAnXin’s XLab estimate that more than 4,300 routers have already been infected, with the number continuing to grow.
Malware Built for Reconnaissance Operations
AryStinger’s primary purpose is not disruption but information gathering. Once a device is compromised, it can:
- Scan internet-facing services
- Fingerprint systems and applications
- Enumerate subdomains
- Tunnel network traffic
- Execute remote commands
- Return collected intelligence to command-and-control (C2) servers
Each infected router effectively becomes both a reconnaissance platform and a proxy that conceals the attacker’s true location.
Legacy Hardware Targeted Through Old Vulnerabilities
The campaign primarily targets routers powered by Realtek RTL819X chipsets, hardware commonly found in devices released between 2012 and 2015.
XLab first detected the operation on March 12, 2026, when malware was distributed from a single IP address. The attackers exploited several long-known vulnerabilities, including:
- CVE-2013-3307 affecting certain Linksys routers
- CVE-2016-5681 impacting D-Link devices
Among infected devices, the D-Link DIR-850L accounts for approximately 75% of all compromised systems.
Most Affected Countries
The malware campaign is heavily concentrated in:
- South Korea (48%)
- China (32%)
- Sweden
- Malaysia
- Singapore
QNAP NAS Devices Also Under Attack
Researchers identified a second AryStinger variant on April 26, targeting QNAP NAS systems.
The malware exploits CVE-2025-11837, a code injection vulnerability found in QNAP’s Malware Remover utility. Although the flaw was patched in November 2025 after being demonstrated at Pwn2Own Ireland 2025, attackers began actively exploiting it months later.
Notably, the malware uses the device’s own malware-removal tool as an infection vector, highlighting the risks posed by delayed patch deployment.
Two Variants Designed for Different Targets
AryStinger operates in two distinct versions:
Router Variant
The router-focused version is written in C and optimized for low-resource hardware. Its primary functions include:
- Mass DNS scanning
- Traffic tunneling
- Remote command execution
NAS Variant
The NAS version is written in Go and includes significantly more advanced capabilities.
Features include:
- Internal and external network scanning
- Service enumeration
- Automated reconnaissance using tools such as:
  - fscan
  - ksubdomain
  - httpx
- ScriptWork functionality that executes attacker-supplied Go, Java, or Python code directly on compromised systems
This flexibility allows attackers to deploy customized operations without creating separate binaries for each target.
Command-and-Control Infrastructure
Compromised devices, referred to as “Executors” by researchers, communicate with command-and-control servers over HTTP and HTTPS connections.
Key characteristics include:
- Protobuf-encoded communications
- XOR-based traffic obfuscation
- Gzip compression in the Go variant
- Distributed scanning tasks shared across the infected fleet
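The traits above (XOR obfuscation, gzip compression in the Go variant, Protobuf encoding) describe the shape of the C2 traffic without giving the key or the exact layering. The following Python script is an added triage example, not code from XLab or from the malware; it assumes a repeating-key XOR applied over a gzip stream and an unknown key, and uses a constructed sample blob. It shows how an analyst can guess a single-byte key from the gzip magic bytes, unmask and decompress a captured blob, and walk the Protobuf wire format without a schema to see which field numbers and types the payload carries.

```python
"""
Traffic-triage helper for the C2 traits reported for AryStinger:
XOR-obfuscated, gzip-compressed (Go variant), Protobuf-encoded.

ASSUMPTIONS (not stated in the article): a repeating-key XOR is applied over
the gzip stream, and the key is unknown.  The sample blob below is CONSTRUCTED.
"""
import gzip

GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def single_byte_key_from_magic(blob: bytes):
    """If both leading bytes agree on one key byte, the gzip stream was likely
    masked with a single-byte XOR; return that key, else None."""
    if len(blob) < 2:
        return None
    k0, k1 = blob[0] ^ GZIP_MAGIC[0], blob[1] ^ GZIP_MAGIC[1]
    return bytes([k0]) if k0 == k1 else None


def try_unmask(blob: bytes, candidate_keys):
    """Try each candidate key; return (key, decompressed) for the first one
    whose output is a valid gzip stream, or None."""
    for key in candidate_keys:
        plain = xor_bytes(blob, key)
        if not plain.startswith(GZIP_MAGIC):
            continue
        try:
            return key, gzip.decompress(plain)
        except (OSError, EOFError):   # BadGzipFile is an OSError subclass
            continue
    return None


def _read_varint(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def protobuf_fields(buf: bytes):
    """Schema-less walk of the Protobuf wire format: returns a list of
    (field_number, wire_type, value) tuples for an analyst to inspect."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if wtype == 0:                      # varint
            value, pos = _read_varint(buf, pos)
        elif wtype == 1:                    # fixed64
            value, pos = buf[pos:pos + 8], pos + 8
        elif wtype == 2:                    # length-delimited (bytes/string/message)
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wtype == 5:                    # fixed32
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((field, wtype, value))
    return fields


# --- constructed sample ---------------------------------------------------
# Hand-encoded protobuf message: field 1 = varint 4300, field 2 = bytes "scan".
SAMPLE_MESSAGE = bytes([0x08, 0xCC, 0x21, 0x12, 0x04]) + b"scan"
SAMPLE_KEY = b"\x5a"                       # constructed single-byte XOR key
SAMPLE_BLOB = xor_bytes(gzip.compress(SAMPLE_MESSAGE, mtime=0), SAMPLE_KEY)


def triage_blob(blob: bytes):
    """Full pipeline: guess key from magic, unmask, decompress, list fields."""
    guess = single_byte_key_from_magic(blob)
    result = try_unmask(blob, [guess] if guess else [])
    if result is None:
        return None
    key, payload = result
    return {"key": key, "payload": payload, "fields": protobuf_fields(payload)}


if __name__ == "__main__":
    print(triage_blob(SAMPLE_BLOB))
```

The gzip magic gives a two-byte known plaintext, which is enough to recover a single-byte key and to validate any longer candidate key; `try_unmask` accepts a list of candidates so keys recovered from a sample (for example, a string pulled from the binary) can be tested the same way.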
Researchers also warn that AryStinger’s DNS-scanning capability could potentially be weaponized to generate denial-of-service traffic against DNS resolvers.
Persistence Mechanisms
To maintain long-term access, AryStinger deploys persistence tools including:
- Dropbear SSH service on port 2332 for router infections
- gs-netcat for NAS devices
Researchers discovered a hardcoded key containing the string:
sh_#@!_2024_secret
The inclusion of “2024” may indicate the malware operation began earlier than previously observed, although this has not been confirmed.
Similarities to Previous Router-Based Proxy Networks
AryStinger follows a growing trend of threat actors exploiting end-of-life networking equipment.
In 2025, U.S. authorities dismantled the 5socks and Anyproxy proxy services, which relied on compromised Linksys and Cisco routers infected with TheMoon malware.
Security experts have also documented Operational Relay Box (ORB) networks—collections of hacked routers and IoT devices used by cybercriminals and nation-state actors for anonymous scanning and traffic relaying.
Like other ORB campaigns such as LapDogs, AryStinger takes advantage of publicly known vulnerabilities that remain unpatched on aging hardware.
Attribution Still Unknown
At present, researchers have not attributed AryStinger to any specific threat actor or cybercrime group.
However, the campaign demonstrates how attackers continue to exploit forgotten and unsupported devices to build covert infrastructure for reconnaissance, lateral movement, and future intrusions.
How Organizations Can Protect Themselves
Security teams should immediately investigate potentially affected devices for indicators of compromise.
Recommended actions include:
- Monitoring outbound connections to known AryStinger command-and-control domains
- Checking /tmp/bin directories for unauthorized files
- Looking for suspicious processes such as:
  - syswapd0h
  - syswapd0w
- Disabling remote administration where possible
- Applying available firmware updates
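The checks above can be scripted against output collected from a router or NAS. The following Python script is an added example written for this article, not XLab's tooling; it takes busybox-style `ps` output, `netstat -tlnp` output and a file listing of /tmp/bin, and flags the indicators the article names: the syswapd0h and syswapd0w process names, a gs-netcat process, a Dropbear listener on TCP 2332, and anything executing from or stored under /tmp/bin. The sample inputs are constructed to exercise each check.

```python
"""
Host-triage helper for the AryStinger indicators named in the article:
process names syswapd0h / syswapd0w, a Dropbear listener on TCP 2332
(router variant), a gs-netcat process (NAS variant), and files under /tmp/bin.

Inputs are text collected from the device (busybox-style `ps`,
`netstat -tlnp`, `find /tmp/bin -type f`).  The samples below are
CONSTRUCTED; the indicator list is a starting point, not a full signature set.
"""

KNOWN_PROCESS_NAMES = {"syswapd0h", "syswapd0w", "gs-netcat"}
PERSISTENCE_PORTS = {2332}          # Dropbear SSH port reported for router infections
TMP_BIN_PREFIX = "/tmp/bin/"


def find_suspicious_processes(ps_text: str) -> list:
    """Scan busybox `ps` output (columns: PID USER VSZ STAT COMMAND)."""
    hits = []
    for line in ps_text.splitlines()[1:]:         # first line is the header
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, command = parts[0], parts[4]
        executable = command.split()[0]
        name = executable.rsplit("/", 1)[-1]
        if name in KNOWN_PROCESS_NAMES:
            hits.append(f"pid {pid}: known process name {name!r}")
        elif executable.startswith(TMP_BIN_PREFIX):
            hits.append(f"pid {pid}: executing from {TMP_BIN_PREFIX} ({executable})")
    return hits


def find_persistence_listeners(netstat_text: str) -> list:
    """Scan `netstat -tlnp` output for listeners on the persistence port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[-1])   # handles 0.0.0.0:2332 and :::22
        program = parts[6] if len(parts) > 6 else "unknown"
        if port in PERSISTENCE_PORTS:
            hits.append(f"tcp/{port} LISTEN ({program})")
    return hits


def find_tmp_bin_files(paths) -> list:
    """Any regular file under /tmp/bin deserves a look on a router or NAS."""
    return [p for p in paths if p.startswith(TMP_BIN_PREFIX)]


def triage(ps_text: str, netstat_text: str, paths) -> dict:
    return {
        "processes": find_suspicious_processes(ps_text),
        "listeners": find_persistence_listeners(netstat_text),
        "tmp_bin_files": find_tmp_bin_files(paths),
    }


# --- constructed samples --------------------------------------------------
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1352 S    init
  212 root      2044 S    /usr/sbin/httpd
  587 root      1816 S    /tmp/bin/syswapd0h
  591 root      1820 S    syswapd0w
  603 admin     5120 S    /usr/bin/gs-netcat
  640 root      1500 S    /tmp/bin/.cache
"""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN  212/httpd
tcp        0      0 0.0.0.0:2332    0.0.0.0:*        LISTEN  598/dropbear
tcp        0      0 :::22           :::*             LISTEN  200/dropbear
"""

SAMPLE_FILES = ["/tmp/bin/syswapd0h", "/tmp/bin/.cache", "/var/run/httpd.pid"]


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_PS, SAMPLE_NETSTAT, SAMPLE_FILES).items():
        print(category)
        for finding in findings:
            print("  -", finding)
```

Matching on process basename rather than the full command line catches the same binary whether it runs from /tmp/bin or has been copied elsewhere, and the /tmp/bin check catches renamed binaries that the name list would miss; a Dropbear instance on port 22 is normal on many routers, so only the 2332 listener is flagged.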
Most importantly, organizations should replace end-of-life networking equipment that no longer receives security updates.
As researchers emphasize, routers that stopped receiving patches years ago remain attractive targets for attackers and are unlikely to receive future security fixes.
