A new malware family tracked as AryStinger is quietly converting forgotten home and small-office routers into a distributed reconnaissance and proxy network. QiAnXin’s XLab, which named the campaign, counts at least 4,300 infected routers and says the number is still climbing. Unlike the DDoS botnets these devices usually end up in, AryStinger is built for the stage of an attack that happens before the break-in: its nodes scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator. Each compromised box becomes both a footprinting node and a relay that hides where the real attacker sits.

Old chips, older bugs

The campaign targets routers built on Realtek’s RTL819X chipset — hardware that was current roughly between 2012 and 2015. XLab first observed it on March 12, 2026, spreading from a single IP (107.150.106.14) and pushing a Linux ELF binary that zero engines on VirusTotal flagged at the time.

The malware gets in through bugs from another era:

  • CVE-2013-3307 — a flaw in Linksys models
  • CVE-2016-5681 — a flaw in D-Link models

The infected pool is overwhelmingly D-Link, with the DIR-850L alone accounting for roughly 75% of victims. By geography, infections skew heavily toward South Korea (~48%) and China (~32%), followed by Sweden, Malaysia, and Singapore.

A second strain surfaced on April 26, aimed at QNAP NAS devices via CVE-2025-11837, a code-injection flaw in QNAP’s Malware Remover tool. That bug was demonstrated at Pwn2Own Ireland 2025 and patched in November 2025 — months before AryStinger began weaponizing it. The irony is sharp: the way in is the appliance’s own malware-removal utility. XLab hasn’t sized the NAS infections, so the 4,300 figure covers RTL819X routers only.

Two builds, one job

AryStinger ships in two flavors. The router build is written in C and kept deliberately lean — the aging hardware can’t run much, so it sticks to mass DNS scanning and traffic tunneling. The NAS build is written in Go and does far more: it scans internal and external networks, runs recon tooling like fscan, ksubdomain, and httpx, and exposes a “ScriptWork” task that executes attacker-supplied Go, Java, or Python source code directly on the box — so the operator never has to compile a per-target binary.

Each node, which XLab calls an Executor, talks to its C2 over HTTP/HTTPS using Protobuf-encoded traffic obfuscated with a simple XOR (the Go build adds gzip). The operator chunks a large scan and spreads it across the fleet, footprinting many targets in parallel. The same DNS-scanning capability can be pointed at resolvers to generate denial-of-service traffic. Persistence comes from a Dropbear SSH server on a fixed port — 2332 on routers, or gs-netcat on NAS — keyed with a hardcoded secret, sh_#@!_2024_secret, whose embedded “2024” may hint at when the operation began.

Why it matters

This is the ORB (operational relay box) playbook that state-aligned actors increasingly favor — meshes of compromised end-of-life routers and IoT used to scan and relay while staying hard to trace. It sits in the lineage of Mandiant’s ORB research and recent campaigns like LapDogs, as well as the FBI-disrupted 5socks/Anyproxy network that ran on TheMoon malware. AryStinger isn’t attributed to anyone yet, but the model is unmistakable: forgotten hardware plus ancient CVEs equals quiet infrastructure for the opening moves of an intrusion.

What to do right now

  • Hunt for indicators. Look for outbound connections to AryStinger’s C2/download domains (the ajb8.com cluster in XLab’s IOC list), inspect /tmp/bin for binaries you didn’t place there, and check for processes named syswapd0h or syswapd0w.
  • Kill remote administration. Disable WAN-side admin on any exposed router or NAS, and look for an unexpected SSH listener on port 2332.
  • Patch the NAS path. QNAP users should confirm Malware Remover is updated past the CVE-2025-11837 fix.
  • Retire EOL gear. The durable fix is the one everyone keeps repeating: a router that stopped getting firmware in 2016 is not going to start now. Replace it.
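The hunting steps above can be turned into a small triage script. The one below is an added example, not XLab's tooling or code from the article; it assumes captures in plain `ps`, `netstat -tln` and dnsmasq-style query-log formats, and all sample data in it is constructed.

```python
import re

# Indicators quoted in the article (XLab's IOC list carries the full set).
SUSPECT_PROCESS_NAMES = {"syswapd0h", "syswapd0w"}
SUSPECT_PATH_PREFIX = "/tmp/bin/"
SUSPECT_LISTEN_PORTS = {2332}          # Dropbear port used by the router build
SUSPECT_DOMAIN_SUFFIX = ".ajb8.com"    # C2/download domain cluster

_HOST_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b", re.I)

def scan_process_list(ps_text):
    """Flag entries whose command name matches, or that run out of /tmp/bin."""
    hits = []
    for line in ps_text.splitlines():
        for tok in line.split():
            if tok.rsplit("/", 1)[-1] in SUSPECT_PROCESS_NAMES or tok.startswith(SUSPECT_PATH_PREFIX):
                hits.append(("process", line.strip()))
                break
    return hits

def scan_listeners(netstat_text):
    """Flag LISTEN sockets bound to the suspect SSH port."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.search(r"(\S+):(\d+)\s+\S+\s+LISTEN", line)
        if m and int(m.group(2)) in SUSPECT_LISTEN_PORTS:
            hits.append(("listener", line.strip()))
    return hits

def scan_dns_log(log_text):
    """Flag lookups of the C2 domain or any host under it (suffix match, so
    look-alikes such as ajb8.com.example.org are not flagged)."""
    hits = []
    for line in log_text.splitlines():
        for host in _HOST_RE.findall(line):
            h = host.lower()
            if h == SUSPECT_DOMAIN_SUFFIX[1:] or h.endswith(SUSPECT_DOMAIN_SUFFIX):
                hits.append(("dns", line.strip()))
                break
    return hits

def triage(ps_text, netstat_text, dns_text):
    """Run all three checks; returns (category, offending line) pairs."""
    return scan_process_list(ps_text) + scan_listeners(netstat_text) + scan_dns_log(dns_text)

# Constructed sample captures (not real telemetry).
SAMPLE_PS = "  PID USER COMMAND\n    1 root init\n  412 root /tmp/bin/syswapd0h\n  413 root dropbear -p 2332\n  520 root httpd"
SAMPLE_NETSTAT = "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:2332 0.0.0.0:* LISTEN\ntcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN"
SAMPLE_DNS = "query[A] time.google.com from 192.168.1.10\nquery[A] cdn.ajb8.com from 192.168.1.1\nquery[A] ajb8.com.example.org from 192.168.1.1"

if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_PS, SAMPLE_NETSTAT, SAMPLE_DNS):
        print(f"[{category}] {evidence}")
```

On a real device, feed it the output of `ps`, `netstat -tln` and the resolver's query log; a match on any check is grounds to pull the device and rebuild or replace it.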

The broader lesson is one infrastructure teams already know but rarely act on: an unpatched edge device doesn’t have to be your attacker to be a problem. AryStinger’s nodes are renting their network position to whoever runs the C2 — and the only reliable way off that list is to stop running hardware the vendor abandoned.


Sources: The Hacker News · BleepingComputer · QiAnXin XLab