AryStinger Malware Infects 4,300+ Routers, Turning Legacy Devices Into Stealth Recon Networks

Security researchers have uncovered a new malware family named AryStinger that is transforming outdated routers and network-attached storage (NAS) devices into a large-scale reconnaissance and proxy network.

Unlike traditional botnets that primarily launch distributed denial-of-service (DDoS) attacks, AryStinger focuses on the early stages of cyberattacks by scanning the internet, collecting intelligence, and hiding attacker activity behind compromised devices.

Researchers at QiAnXin’s XLab estimate that more than 4,300 routers have already been infected, with the number continuing to grow.

Malware Built for Reconnaissance Operations

AryStinger’s primary purpose is not disruption but information gathering. Once a device is compromised, it can:

  • Scan internet-facing services
  • Fingerprint systems and applications
  • Enumerate subdomains
  • Tunnel network traffic
  • Execute remote commands
  • Return collected intelligence to command-and-control (C2) servers

Each infected router effectively becomes both a reconnaissance platform and a proxy that conceals the attacker’s true location.

Legacy Hardware Targeted Through Old Vulnerabilities

The campaign primarily targets routers powered by Realtek RTL819X chipsets, hardware commonly found in devices released between 2012 and 2015.

XLab first detected the operation on March 12, 2026, when malware was distributed from a single IP address. The attackers exploited several long-known vulnerabilities, including:

  • CVE-2013-3307 affecting certain Linksys routers
  • CVE-2016-5681 impacting D-Link devices

Among infected devices, the D-Link DIR-850L accounts for approximately 75% of all compromised systems.

Most Affected Countries

The malware campaign is heavily concentrated in:

  • South Korea (48%)
  • China (32%)
  • Sweden
  • Malaysia
  • Singapore

QNAP NAS Devices Also Under Attack

Researchers identified a second AryStinger variant on April 26, targeting QNAP NAS systems.

The malware exploits CVE-2025-11837, a code injection vulnerability found in QNAP’s Malware Remover utility. Although the flaw was patched in November 2025 after being demonstrated at Pwn2Own Ireland 2025, attackers began actively exploiting it months later.

Notably, the malware uses the device’s own malware-removal tool as an infection vector, highlighting the risks posed by delayed patch deployment.

Two Variants Designed for Different Targets

AryStinger operates in two distinct versions:

Router Variant

The router-focused version is written in C and optimized for low-resource hardware. Its primary functions include:

  • Mass DNS scanning
  • Traffic tunneling
  • Remote command execution

NAS Variant

The NAS version is written in Go and includes significantly more advanced capabilities.

Features include:

  • Internal and external network scanning
  • Service enumeration
  • Automated reconnaissance using tools such as:
    • fscan
    • ksubdomain
    • httpx
  • ScriptWork functionality that executes attacker-supplied Go, Java, or Python code directly on compromised systems

This flexibility allows attackers to deploy customized operations without creating separate binaries for each target.

Command-and-Control Infrastructure

Compromised devices, referred to as “Executors” by researchers, communicate with command-and-control servers over HTTP and HTTPS connections.

Key characteristics include:

  • Protobuf-encoded communications
  • XOR-based traffic obfuscation
  • Gzip compression in the Go variant
  • Distributed scanning tasks shared across the infected fleet

Researchers also warn that AryStinger’s DNS-scanning capability could potentially be weaponized to generate denial-of-service traffic against DNS resolvers.

Persistence Mechanisms

To maintain long-term access, AryStinger deploys persistence tools including:

  • Dropbear SSH service on port 2332 for router infections
  • gs-netcat for NAS devices

Researchers discovered a hardcoded key containing the string:

sh_#@!_2024_secret

The inclusion of “2024” may indicate the malware operation began earlier than previously observed, although this has not been confirmed.

Similarities to Previous Router-Based Proxy Networks

AryStinger follows a growing trend of threat actors exploiting end-of-life networking equipment.

In 2025, U.S. authorities dismantled the 5socks and Anyproxy proxy services, which relied on compromised Linksys and Cisco routers infected with TheMoon malware.

Security experts have also documented Operational Relay Box (ORB) networks—collections of hacked routers and IoT devices used by cybercriminals and nation-state actors for anonymous scanning and traffic relaying.

Like other ORB campaigns such as LapDogs, AryStinger takes advantage of publicly known vulnerabilities that remain unpatched on aging hardware.

Attribution Still Unknown

At present, researchers have not attributed AryStinger to any specific threat actor or cybercrime group.

However, the campaign demonstrates how attackers continue to exploit forgotten and unsupported devices to build covert infrastructure for reconnaissance, lateral movement, and future intrusions.

How Organizations Can Protect Themselves

Security teams should immediately investigate potentially affected devices for indicators of compromise.

Recommended actions include:

  • Monitoring outbound connections to known AryStinger command-and-control domains
  • Checking /tmp/bin directories for unauthorized files
  • Looking for suspicious processes such as:
    • syswapd0h
    • syswapd0w
  • Disabling remote administration where possible
  • Applying available firmware updates

Most importantly, organizations should replace end-of-life networking equipment that no longer receives security updates.

As researchers emphasize, routers that stopped receiving patches years ago remain attractive targets for attackers and are unlikely to receive future security fixes.
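The following POSIX shell script is an added example, not code from XLab or from this article: it turns the recommended checks above into a triage routine for a Linux-based router or NAS. The process names, the Dropbear port 2332 and the /tmp/bin path are taken from the article; the function names, the `--live` flag and the sample inputs are assumptions made here.

```shell
#!/bin/sh
# Added triage script (not from the XLab report): checks a Linux router or NAS
# for the AryStinger indicators named in the article. Each check reads command
# output on stdin (or a directory path), so it also runs offline against saved
# ps/netstat evidence collected from a suspect device.

SUSPICIOUS_PROCS="syswapd0h syswapd0w"   # process names cited for the router variant
DROPBEAR_PORT=2332                       # Dropbear SSH persistence port cited in the report
DROP_DIR=/tmp/bin                        # directory the article says to inspect

# check_processes: stdin = `ps` output. Prints hits; exit 0 if any found, 1 otherwise.
check_processes() {
    hit=1
    while IFS= read -r line; do
        for p in $SUSPICIOUS_PROCS; do
            case "$line" in *"$p"*) echo "PROCESS: $line"; hit=0 ;; esac
        done
    done
    return $hit
}

# check_listener: stdin = `ss -tln` or `netstat -tln` output. Flags a TCP listener
# on $DROPBEAR_PORT (port must be followed by whitespace or end of line).
check_listener() {
    hit=1
    while IFS= read -r line; do
        case "$line" in
            *":$DROPBEAR_PORT" | *":$DROPBEAR_PORT"[[:space:]]*) echo "LISTENER: $line"; hit=0 ;;
        esac
    done
    return $hit
}

# check_drop_dir: $1 = directory (default /tmp/bin). Exit 0 and list the contents
# if the directory exists and is non-empty; exit 1 otherwise.
check_drop_dir() {
    dir=${1:-$DROP_DIR}
    [ -d "$dir" ] || return 1
    [ -n "$(ls -A "$dir" 2>/dev/null)" ] || return 1
    echo "FILES in $dir:"; ls -la "$dir"
    return 0
}

# triage_live: run all three checks on the current device. Exit 0 = nothing found.
triage_live() {
    rc=0
    { ps -e 2>/dev/null || ps; } | check_processes && rc=1   # busybox ps has no -e
    { ss -tln 2>/dev/null || netstat -tln 2>/dev/null; } | check_listener && rc=1
    check_drop_dir "$DROP_DIR" && rc=1
    [ $rc -eq 0 ] && echo "No AryStinger indicators found"
    return $rc
}

if [ "${1:-}" = "--live" ]; then triage_live; fi
```

Run it as `sh triage.sh --live` on the device itself, or pipe saved `ps` / `ss -tln` output into the individual check functions from a forensic workstation.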
