Malware | Jun 22, 2026

AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

AryStinger malware infects legacy routers to build a reconnaissance proxy network.

Summary

A new malware family named AryStinger is infecting legacy routers, primarily those with Realtek RTL819X chips, to create a distributed reconnaissance and proxy network. The malware exploits older vulnerabilities like CVE-2013-3307 and CVE-2016-5681, turning devices into footprinting nodes and relays for attackers. A separate strain also targets QNAP NAS devices using CVE-2025-11837.

Full text

Swati Khandelwal | Jun 22, 2026 | IoT Security / Vulnerability

A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin's XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising.

The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator. Each router becomes a footprinting node and a relay that hides where the real attacker is.

Old chips, older bugs

The campaign goes after routers built on Realtek's RTL819X chips, hardware that was current around 2012 to 2015. XLab first saw it on March 12, 2026, spreading from a single IP, 107.150.106.14. The binary it pushed was a Linux ELF that no engine on VirusTotal flagged, exploiting two flaws from another era: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones. The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent. By geography it skews to South Korea (around 48 percent) and China (around 32 percent), followed by Sweden, Malaysia, and Singapore.

A second strain appeared on April 26, aimed at QNAP NAS boxes through CVE-2025-11837, a code injection flaw in QNAP's Malware Remover. The bug was demonstrated at Pwn2Own Ireland 2025 and patched in November 2025, months before this strain began using it; the way in is the appliance's own malware-removal tool. XLab hasn't measured the NAS infections, so the 4,300 figure covers RTL819X routers only.

Two builds, same job

One build is lean and one is fuller. The router build is written in C and kept light because the old hardware can't run more, so it sticks to mass DNS scanning and traffic tunneling. The NAS build is written in Go and does much more: it scans internal and external networks and runs recon tools like fscan, ksubdomain, and httpx. A "ScriptWork" task executes attacker-supplied Go, Java, or Python source code on the box, so the operator never has to compile a binary per target.

Each infected node, which XLab calls an Executor, talks to its C2 over HTTP/HTTPS, with Protobuf-encoded traffic obfuscated by a simple XOR (the Go build adds gzip compression). The operator splits a large scan into chunks and spreads them across the fleet, footprinting in parallel. XLab says the same DNS scanning can also be aimed at resolvers to generate denial-of-service traffic.

Persistence comes from a Dropbear SSH server on a fixed port (2332 on routers) or gs-netcat on NAS. The hardcoded key, sh_#@!_2024_secret, carries a "2024" that may point to a 2024 start, though XLab can't confirm it.

Where this fits

The shape is familiar. In May 2025, the FBI and Justice Department tore down the 5socks and Anyproxy services, which had turned years-old Linksys and Cisco routers running TheMoon malware into residential proxies sold by the month. The espionage version looks much the same. Mandiant has tracked operational relay box networks, or ORBs: meshes of compromised end-of-life routers and IoT devices that state actors use to scan and relay while staying hard to trace. Recent router ORBs like LapDogs farm devices through n-day bugs the way AryStinger does.

AryStinger isn't pinned to anyone yet, and XLab says it's still working on who is behind it. What's clear is the model: forgotten hardware, ancient CVEs, turned into quiet infrastructure for the opening moves of an intrusion.

What to do

If you run any of the affected gear, the checks are simple. Look for outbound connections to AryStinger's C2 and download infrastructure (the ajb8.com and related hosts in XLab's IOC list, and the 107.150.106.14 address it spread from), check /tmp/bin for binaries you didn't put there, look for processes named syswapd0h or syswapd0w, and look for an SSH listener on TCP port 2332 that you didn't configure.

The durable fix is the one everyone keeps repeating: retire end-of-life routers that no longer get firmware, and turn off remote administration on anything exposed. A box that stopped getting patches in 2016 is not going to start now.
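Putting those checks into code, as an added example that is not XLab's tooling or anything from the article: the script below takes the text of `ps`, `netstat`, a resolver log and an `ls -la /tmp/bin` collected from a suspect router or NAS and matches it against the indicators named above (the two process names, the 107.150.106.14 address, the ajb8.com domain and its subdomains, the Dropbear port 2332 and the /tmp/bin drop directory). The sample outputs inside it are constructed for the demonstration, and the dnsmasq-style log line is an assumption about what the reader's resolver writes.

```python
"""Added example, not XLab's or the article's code: match output collected from a
router or NAS against the AryStinger indicators named in the article."""
import re
from typing import Dict, List

# Indicators named in the article. ajb8.com is the one published domain; XLab's
# full IOC list carries more hosts, so extend IOC_HOSTS from it before use.
IOC_PROCESSES = {"syswapd0h", "syswapd0w"}
IOC_HOSTS = {"107.150.106.14", "ajb8.com"}
IOC_SSH_PORT = 2332          # fixed Dropbear port on infected routers
IOC_DROP_DIR = "/tmp/bin"    # where the router build keeps its binaries

HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def host_matches(host: str) -> bool:
    """True for an IOC IP, an IOC domain, or any subdomain of an IOC domain."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def check_processes(ps_output: str) -> List[str]:
    """IOC process names present in `ps` output, matched on the basename so a
    full /tmp/bin/syswapd0h path also hits."""
    seen = set()
    for line in ps_output.splitlines():
        for tok in line.split():
            name = tok.rsplit("/", 1)[-1]
            if name in IOC_PROCESSES:
                seen.add(name)
    return sorted(seen)


def find_ioc_hosts(text: str) -> List[str]:
    """Every host-looking token in any text (netstat, resolver log, proxy log)
    that is an IOC address or falls under an IOC domain."""
    return sorted({tok for tok in HOST_TOKEN.findall(text) if host_matches(tok)})


def check_ssh_listener(netstat_output: str) -> bool:
    """True if a TCP socket is listening on the AryStinger Dropbear port."""
    for line in netstat_output.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0].startswith("tcp") and tok[-1] == "LISTEN":
            if tok[3].rsplit(":", 1)[-1] == str(IOC_SSH_PORT):
                return True
    return False


def check_drop_dir(ls_output: str) -> List[str]:
    """Regular files reported by `ls -la /tmp/bin`; the directory should not
    exist on a healthy router, so anything here is worth pulling for analysis."""
    files = []
    for line in ls_output.splitlines():
        tok = line.split()
        if len(tok) >= 9 and tok[0].startswith("-"):
            files.append(" ".join(tok[8:]))
    return files


def triage(ps_output: str, netstat_output: str, dns_log: str, drop_dir_ls: str) -> Dict:
    """Run every check and flag the device if any indicator is present."""
    report = {
        "processes": check_processes(ps_output),
        "hosts": find_ioc_hosts(netstat_output + "\n" + dns_log),
        "ssh_listener": check_ssh_listener(netstat_output),
        "drop_dir_files": check_drop_dir(drop_dir_ls),
    }
    report["suspicious"] = bool(report["processes"] or report["hosts"]
                                or report["ssh_listener"] or report["drop_dir_files"])
    return report


# Constructed samples in BusyBox ps / netstat / ls layout and a dnsmasq-style
# query log; none of these are real captures.
PS_SAMPLE = """\
  PID USER       VSZ STAT COMMAND
    1 root      1396 S    init
  812 root      2104 S    /usr/sbin/dnsmasq
 1197 root      3560 S    /tmp/bin/syswapd0h
 1203 root      1240 S    dropbear -p 2332
"""
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2332            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:41822       107.150.106.14:80       ESTABLISHED
"""
DNS_LOG_SAMPLE = """\
Jun 22 10:14:02 dnsmasq[812]: query[A] dl.ajb8.com from 192.168.1.1
Jun 22 10:14:03 dnsmasq[812]: query[A] www.example.com from 192.168.1.37
"""
DROP_DIR_SAMPLE = """\
total 312
drwxr-xr-x    2 root     root             0 Jun 20 03:11 .
drwxrwxrwt    5 root     root             0 Jun 20 03:11 ..
-rwxr-xr-x    1 root     root        311712 Jun 20 03:11 syswapd0h
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(PS_SAMPLE, NETSTAT_SAMPLE, DNS_LOG_SAMPLE, DROP_DIR_SAMPLE), indent=2))
```

On a live device, collect `ps`, `netstat -tn` plus `netstat -tln`, the resolver log and `ls -la /tmp/bin` over SSH (or the web console if SSH is off), save each to a file, and pass the file contents to `triage`. A DIR-850L will not run Python, so the point is to run this on the analyst's machine over output pulled from many devices, which is how a fleet of 4,300 gets checked.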
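Going back to the C2 description under "Two builds, same job": the article says only that the Protobuf traffic is XORed and, on the Go build, gzipped. The following is an added example, not XLab's code, of how an analyst would unwrap a captured blob under the assumption that the XOR uses a single repeating byte (the key length is not given here). It builds its own sample message (the field layout, the 0x5A key and the task contents are invented for the demonstration), recovers the key from the gzip magic bytes, and for the router build, which has no gzip header to anchor on, falls back to keeping only the keys under which the bytes parse as plausible protobuf.

```python
"""Added example, not XLab's code: recover a single-byte XOR key from an
AryStinger-style C2 blob and walk the gzip + protobuf underneath.
The single-byte key, the key value and the message layout are assumptions."""
import gzip
from typing import List, Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_varint(v: int) -> bytes:
    out = bytearray()
    while True:
        b, v = v & 0x7F, v >> 7
        if v:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_field(field: int, value) -> bytes:
    """Encode an int as a varint field or a str/bytes as a length-delimited field."""
    if isinstance(value, int):
        return encode_varint(field << 3 | 0) + encode_varint(value)
    data = value if isinstance(value, bytes) else value.encode()
    return encode_varint(field << 3 | 2) + encode_varint(len(data)) + data


def parse_protobuf(buf: bytes) -> List[Tuple[int, int, object]]:
    """Schema-less wire-format walk: (field_number, wire_type, value) triples.
    Raises ValueError on anything that cannot be protobuf."""
    out, i = [], 0

    def varint() -> int:
        nonlocal i
        shift = result = 0
        while True:
            if i >= len(buf) or shift > 63:
                raise ValueError("truncated or oversized varint")
            b = buf[i]
            i += 1
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7

    def take(n: int) -> bytes:
        nonlocal i
        if i + n > len(buf):
            raise ValueError("length runs past end of buffer")
        chunk = buf[i:i + n]
        i += n
        return chunk

    while i < len(buf):
        tag = varint()
        field, wtype = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == 0:
            val = varint()
        elif wtype == 1:
            val = take(8)
        elif wtype == 2:
            val = take(varint())
        elif wtype == 5:
            val = take(4)
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        out.append((field, wtype, val))
    return out


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Go build: exactly one single-byte key turns the first bytes into the gzip magic."""
    for key in range(256):
        if xor_bytes(blob[:3], key) == GZIP_MAGIC:
            return key
    return None


def recover_xor_key_plain(blob: bytes) -> List[int]:
    """Router build: no gzip, so no magic. Keep every key under which the bytes
    parse as protobuf with small field numbers and printable-ASCII strings;
    expect a short candidate list and pick by eye, unlike the gzip path."""
    good = []
    for key in range(256):
        try:
            fields = parse_protobuf(xor_bytes(blob, key))
        except ValueError:
            continue
        if fields and all(1 <= f <= 64 and (w != 2 or (v.isascii() and v.decode().isprintable()))
                          for f, w, v in fields):
            good.append(key)
    return good


def decode_blob(blob: bytes):
    """Full Go-build unwrap: XOR key -> gzip -> protobuf fields."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte key yields a gzip header; try recover_xor_key_plain")
    return key, parse_protobuf(gzip.decompress(xor_bytes(blob, key)))


# Constructed stand-in for an Executor task message. The layout (1 = task id,
# 2 = task type, 3 = target range) and the key are assumptions, not XLab's schema.
SAMPLE_MESSAGE = (encode_field(1, 4096) + encode_field(2, "dns_scan")
                  + encode_field(3, "203.0.113.0/24"))
SAMPLE_KEY = 0x5A


def build_sample_blob(compress: bool = True, key: int = SAMPLE_KEY) -> bytes:
    body = gzip.compress(SAMPLE_MESSAGE) if compress else SAMPLE_MESSAGE
    return xor_bytes(body, key)


if __name__ == "__main__":
    key, fields = decode_blob(build_sample_blob())
    print(f"Go build: key=0x{key:02x} fields={fields}")
    print("C build candidate keys:", recover_xor_key_plain(build_sample_blob(compress=False)))
```

If the real key turns out to be longer than a byte, the same idea still works for the Go build: XOR the first bytes of the capture with the known gzip header to read off the key's first bytes directly, then look for the period at which that pattern repeats.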

Indicators of Compromise

  • ip — 107.150.106.14
  • cve — CVE-2013-3307
  • cve — CVE-2016-5681
  • cve — CVE-2025-11837
  • domain — ajb8.com
  • process — syswapd0h
  • process — syswapd0w
  • path — /tmp/bin
  • port — tcp/2332 (Dropbear SSH, router build)
  • string — sh_#@!_2024_secret (hardcoded key)

Entities

  • DIR-850L (product)
  • Linksys (vendor)
  • D-Link (vendor)
  • QNAP (vendor)
  • RTL819X chips (technology)