A newly identified malware, dubbed AryStinger, is transforming outdated home routers into a vast reconnaissance and proxy network. Unlike typical botnets that leverage such devices for Distributed Denial-of-Service (DDoS) attacks, AryStinger repurposes them for pre-intrusion activities. Infected routers are utilized to scan the internet, identify services, enumerate subdomains, tunnel traffic, and execute commands, all while concealing the true origin of the attacker.
Targeting Obsolete Hardware
The campaign primarily targets routers equipped with Realtek’s RTL819X chipsets, hardware that was prevalent between 2012 and 2015. The initial detection of AryStinger occurred on March 12, 2026, originating from the IP address 107.150.106.14. The malware exploits longstanding vulnerabilities, specifically CVE-2013-3307 in Linksys routers and CVE-2016-5681 in D-Link devices. Among the infected routers, D-Link models are predominant, with the DIR-850L accounting for approximately 75% of cases. Geographically, the infections are concentrated in South Korea (48%) and China (32%), followed by Sweden, Malaysia, and Singapore.
Expanding to Network-Attached Storage Devices
On April 26, 2026, a variant of AryStinger emerged, targeting QNAP Network-Attached Storage (NAS) devices through CVE-2025-11837, a code injection vulnerability in QNAP’s Malware Remover tool. This flaw was disclosed during Pwn2Own Ireland 2025 and patched in November 2025. Despite the availability of patches, the malware continues to exploit unpatched systems. The number of infected NAS devices has not been quantified; the figure of roughly 4,300 compromised devices reported so far refers solely to RTL819X routers.
Technical Composition and Functionality
AryStinger manifests in two distinct builds tailored to the capabilities of the infected devices. The router variant, written in C, is lightweight to accommodate the limited resources of older hardware, focusing on mass DNS scanning and traffic tunneling. Conversely, the NAS variant, developed in Go, offers enhanced functionalities, including internal and external network scanning and the execution of reconnaissance tools like fscan, ksubdomain, and httpx. Additionally, it features a “ScriptWork” task that allows the execution of attacker-supplied Go, Java, or Python code, eliminating the need for pre-compilation.
Communication between infected devices, referred to as Executors, and their command-and-control (C2) servers occurs over HTTP/HTTPS. The traffic is obfuscated using a simple XOR operation, with the Go build adding gzip compression. The malware distributes large scanning tasks across the network, enabling parallel reconnaissance efforts. Persistence is maintained through the deployment of a Dropbear SSH server on a fixed port (2332 for routers) or gs-netcat on NAS devices. Notably, the hardcoded key “sh_#@!_2024_secret” suggests that the campaign may have commenced in 2024, although this remains unconfirmed.
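As an added example (not code from the reporting, the malware or any vendor tool), the layered encoding described above can be peeled back by an analyst triaging captured Executor-to-C2 traffic. It assumes a repeating-key XOR keyed with the hardcoded string quoted above (the reporting does not confirm that string is the XOR key) and tells the Go build apart from the C build by checking for the gzip magic bytes after the XOR layer is removed.

```python
import gzip
import json
import zlib
from itertools import cycle

# Assumption: the hardcoded string named in the reporting is used as the XOR key.
ASSUMED_KEY = b"sh_#@!_2024_secret"
GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both applies and removes the layer."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(blob: bytes, key: bytes = ASSUMED_KEY) -> dict:
    """Remove the XOR layer, then inflate if (and only if) a valid gzip stream follows.

    Returns the recovered bytes together with the layers found, so a triage
    script can distinguish the Go build (XOR + gzip) from the C build (XOR only).
    A plaintext that merely starts with 0x1f8b but is not gzip falls back to XOR-only.
    """
    plain = xor_bytes(blob, key)
    layers = ["xor"]
    if plain.startswith(GZIP_MAGIC):
        try:
            plain = gzip.decompress(plain)
            layers.append("gzip")
        except (OSError, EOFError, zlib.error):
            pass  # not a real gzip stream; keep the XOR-only result
    return {"layers": layers, "data": plain}


def encode_payload(data: bytes, key: bytes = ASSUMED_KEY, compress: bool = False) -> bytes:
    """Constructed test-data generator mirroring the two described builds."""
    if compress:
        data = gzip.compress(data)
    return xor_bytes(data, key)


# Constructed sample tasking message for the demo; not a real capture.
SAMPLE_TASK = json.dumps({"task": "scan", "targets": ["192.0.2.0/24"]}).encode()

if __name__ == "__main__":
    for build, compress in (("router/C", False), ("NAS/Go", True)):
        result = decode_payload(encode_payload(SAMPLE_TASK, compress=compress))
        print(build, result["layers"], result["data"].decode())
```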
Context and Implications
The utilization of outdated hardware and known vulnerabilities to establish covert infrastructure is not unprecedented. In May 2025, the FBI and the U.S. Department of Justice dismantled the 5socks and Anyproxy services, which had converted obsolete Linksys and Cisco routers infected with TheMoon malware into residential proxies available for rent. Similarly, cybersecurity firm Mandiant has documented operational relay box networks (ORBs) comprising compromised end-of-life routers and IoT devices used by state actors for scanning and relaying activities while evading detection. Recent examples, such as the LapDogs network, exploit n-day vulnerabilities in a manner akin to AryStinger.
While the exact perpetrators behind AryStinger remain unidentified, the modus operandi underscores a growing trend: the exploitation of neglected hardware and outdated software vulnerabilities to create stealthy platforms for the initial phases of cyber intrusions. This development highlights the critical need for organizations and individuals to maintain up-to-date firmware and to decommission unsupported devices to mitigate potential security risks.