A newly identified botnet, dubbed AryStinger, has covertly compromised over 4,300 routers worldwide, transforming them into a clandestine network of attack proxies. This operation exploits longstanding vulnerabilities in older router models, enabling threat actors to conduct reconnaissance and other malicious activities while evading detection by conventional security measures.
The campaign first drew attention on March 12, 2026, when a network-wide monitoring system detected a suspicious IP address disseminating malware through two known router vulnerabilities: CVE-2013-3307 and CVE-2016-5681. These vulnerabilities affect various Linksys and D-Link router models released over a decade ago. Notably, the malware remained undetected by major security scanning platforms, highlighting its stealthy nature.
Researchers from Qianxin XLab reported that the AryStinger malware targets routers built on the RTL819X chipset series, predominantly used between 2012 and 2015. The team later identified a related sample on April 26, 2026, targeting NAS devices via CVE-2025-11837. Based on its source code path and behavior, they named this new malware family AryStinger.
Unlike typical botnets that focus on launching distributed denial-of-service (DDoS) attacks or mining cryptocurrency, AryStinger is engineered for more calculated operations. It is designed to quietly gather information and serve as a launch pad for deeper intrusions. The infected router becomes a ghost node, helping attackers hide their real location while conducting reconnaissance on other networks.
Once AryStinger infects a router, it registers the device with a command-and-control server by sending device fingerprint data, including MAC address, IP addresses, operating system version, and CPU architecture. This data is encrypted before transmission. The server then assigns each infected device a unique Executor ID, turning it into a managed node in the botnet.
Each infected node, referred to as an Executor, receives a small portion of a larger scanning task. The attacker distributes these chunks across hundreds of devices simultaneously, enabling fast and distributed reconnaissance across the internet. The botnet supports port scanning, service identification, subdomain enumeration, and traffic tunneling, all while keeping the attacker’s true identity hidden.
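The registration and chunked-scanning behaviour described above has a network-visible side effect a defender can look for: the router's own address starts originating many short, mostly unanswered connections to distinct hosts. The following is an added example, not code from the Qianxin XLab report and not an AryStinger artifact; it runs a simple scan heuristic over constructed flow records (the `Flow` field names and the thresholds are assumptions) and flags sources whose traffic in a sliding window looks like a distributed probe rather than ordinary client use.

```python
"""
Added example: a small scan-pattern detector for flow exports (NetFlow/IPFIX-style
5-tuples) that flags a device behaving like a scanning "Executor" node.
Everything here is constructed for illustration; the field names, addresses
(TEST-NET ranges) and thresholds are assumptions, not values from the report.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed)
    src: str         # source address as seen by the flow collector
    dst: str
    dport: int
    proto: str
    bytes_out: int   # bytes sent by src
    bytes_in: int    # bytes returned to src (0 means no reply at all)


def build_sample_flows():
    """Constructed sample: one router probing many hosts, one ordinary client."""
    flows = []
    # 192.0.2.1 plays the compromised router: one tiny probe to each of 30
    # distinct hosts over 30 seconds, four-fifths of them never answered.
    for i in range(30):
        flows.append(Flow(ts=1000.0 + i, src="192.0.2.1",
                          dst=f"198.51.100.{i + 1}",
                          dport=(22, 80, 443, 8080)[i % 4], proto="tcp",
                          bytes_out=60, bytes_in=0 if i % 5 else 40))
    # 192.0.2.50 plays a normal LAN client: a few long, well-answered sessions.
    for i in range(3):
        flows.append(Flow(ts=1000.0 + 5 * i, src="192.0.2.50",
                          dst=f"203.0.113.{i + 1}", dport=443, proto="tcp",
                          bytes_out=4200, bytes_in=58000))
    return flows


def detect_scanning_sources(flows, window_s=60.0, min_targets=20,
                            max_avg_bytes=200, min_unanswered_ratio=0.5):
    """
    Return {src: summary} for every source that, within any window_s-second
    sliding window, contacts at least min_targets distinct hosts with small
    outbound payloads and a high share of unanswered connections.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # Advance the window start so the window spans at most window_s.
            while fl[end].ts - fl[start].ts > window_s:
                start += 1
            window = fl[start:end + 1]
            targets = {f.dst for f in window}
            if len(targets) < min_targets:
                continue
            avg_out = sum(f.bytes_out for f in window) / len(window)
            unanswered = sum(1 for f in window if f.bytes_in == 0) / len(window)
            if avg_out <= max_avg_bytes and unanswered >= min_unanswered_ratio:
                alerts[src] = {
                    "targets": len(targets),
                    "ports": sorted({f.dport for f in window}),
                    "avg_bytes_out": avg_out,
                    "unanswered_ratio": round(unanswered, 2),
                    "window_start": fl[start].ts,
                }
                break  # one alert per source is enough for this demonstration
    return alerts


if __name__ == "__main__":
    for src, summary in detect_scanning_sources(build_sample_flows()).items():
        print(f"scan-like behaviour from {src}: {summary}")
```

The heuristic is deliberately coarse: it keys on fan-out, payload size and reply ratio, which are the properties that distinguish a router relaying a slice of a scanning task from a client browsing the web. In practice the flagged source being the gateway's own address is the important signal, since a consumer router has no legitimate reason to open dozens of outbound connections itself; pairing the alert with an egress rule that limits what the router's management plane may reach gives a containment step that does not depend on knowing the botnet's infrastructure.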
The infected devices are predominantly D-Link DIR-850L routers, accounting for about 75 percent of all known infections. South Korea holds the highest share at 48.45 percent, followed by China at 31.82 percent, Sweden at 6.40 percent, Malaysia at 3.50 percent, and the United States at 2.30 percent.
The hardcoded encryption key found inside AryStinger reads “sh_#@!_2024_secret”, suggesting that this campaign may have been active since at least 2024. The full scale of the operation remains unknown, as current infection counts only cover RTL819X routers and do not yet reflect how many NAS devices may also be compromised.
This development underscores the critical importance of regularly updating and patching network devices. Organizations and individuals using older router models should assess their equipment for known vulnerabilities and consider upgrading to more secure hardware. Additionally, implementing robust network monitoring can help detect and mitigate such covert threats before they escalate.