AryStinger Turns 4,300 Forgotten Routers Into a Recon-and-Proxy Network
When end-of-life stops being a software problem and becomes the whole device, and nobody is shipping firmware anymore.
The short version: A new malware family called AryStinger is quietly conscripting abandoned home routers, but not for the DDoS work these devices usually get pulled into. QiAnXin's XLab counts at least 4,300 infected routers and says the number is still climbing. AryStinger turns each box into a footprinting node and a relay, scanning the internet, fingerprinting services, tunneling traffic, and hiding where the real attacker is sitting. The entry point in every case is the same: old hardware running firmware that stopped getting patches years ago.
This isn't the botnet you're expecting
Most malware that lands on a forgotten router is there to generate junk traffic. AryStinger is different. It's built for the part of an attack that happens before the break-in.
Infected devices scan the internet, enumerate subdomains, fingerprint services, tunnel traffic, and run commands on demand, then ship the results back to the operator. Each compromised router does two jobs at once: it's a reconnaissance node doing the legwork, and it's a relay that obscures the attacker's real location. That makes it less like a blunt instrument and more like quiet infrastructure for the opening moves of an intrusion.
Old chips, older bugs
The campaign targets routers built on Realtek's RTL819X chips, hardware that was current somewhere around 2012 to 2015. XLab first observed it on March 12, 2026, spreading from a single IP. The payload was a Linux ELF binary that no engine on VirusTotal flagged, and it got in by exploiting two vulnerabilities from another era entirely: CVE-2013-3307 in Linksys devices and CVE-2016-5681 in D-Link ones.
The infected pool skews heavily toward D-Link, with the DIR-850L alone accounting for roughly 75 percent of devices. Geographically it concentrates in South Korea (around 48 percent) and China (around 32 percent), followed by Sweden, Malaysia, and Singapore.
A second strain surfaced on April 26, this one aimed at QNAP NAS boxes via CVE-2025-11837, a code-injection flaw in QNAP's Malware Remover. That bug was demonstrated at Pwn2Own Ireland 2025 and patched in late October 2025, months before AryStinger started using it. The irony is hard to miss: the way in is the appliance's own malware-removal tool. XLab hasn't measured the NAS infections, so the 4,300 figure covers RTL819X routers only and almost certainly understates the full footprint.
Two builds, one job
AryStinger ships in two flavors tuned to the hardware it runs on.
The router build is written in C and kept deliberately lean, because the aging silicon can't handle much more. It sticks to mass DNS scanning and traffic tunneling. The NAS build is written in Go and does considerably more, scanning internal and external networks and running recon tooling like fscan, ksubdomain, and httpx. A "ScriptWork" task lets the operator execute attacker-supplied Go, Java, or Python source directly on the box, so they never have to compile a per-target binary.
Each infected node, which XLab calls an Executor, talks to its command-and-control server over HTTP/HTTPS, with Protobuf-encoded traffic obfuscated by a simple XOR (the Go build layers on gzip). The operator chunks a large scan and spreads the pieces across the fleet, footprinting many targets in parallel. The same DNS scanning, XLab notes, can be redirected at resolvers to manufacture denial-of-service traffic if the operator wants it.
Persistence comes from a Dropbear SSH server on a fixed port (2332) on routers, and from gs-netcat on NAS. The hardcoded key, sh_#@!_2024_secret, carries a "2024" that may hint at when the operation began, though XLab can't confirm it.
Where this fits
The shape here is familiar, and that's the point.
In May 2025, the FBI and Justice Department dismantled the 5socks and Anyproxy services, which had turned years-old Linksys and Cisco routers running TheMoon malware into residential proxies sold by the month. Mandiant has separately tracked operational relay box networks, or ORBs: meshes of compromised end-of-life routers and IoT that state actors lean on to scan and relay while staying hard to trace. Recent router ORBs like LapDogs farm devices through n-day bugs in exactly the way AryStinger does.
AryStinger hasn't been attributed to anyone yet, and XLab says it's still working on who's behind it. But the operating model is already clear: take forgotten hardware, exploit ancient CVEs nobody's going to fix, and convert the result into disposable, deniable infrastructure.
What to do
If you operate any of the affected gear, the immediate checks are straightforward:
- Watch your outbound traffic. Look for connections to AryStinger's C2 and download domains: ajb8.com and the related hosts in XLab's IOC list.
- Inspect /tmp/bin for binaries you didn't put there.
- Hunt for processes named syswapd0h or syswapd0w.
- Check for the SSH foothold on port 2332 (routers) or unexpected gs-netcat activity (NAS).
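The checklist above, turned into a small triage script. This is example code added for this article, not tooling from XLab or HeroDevs. It assumes busybox-style `ps` and `netstat -tln` output and a dnsmasq-style query log, uses only the indicators named on this page (the syswapd0h/syswapd0w process names, a listener on TCP 2332, executables under /tmp/bin, lookups of ajb8.com), and the sample captures embedded in it are constructed for the demonstration; each check also reads from stdin so it can be run over captures pulled off a device.

```shell
#!/bin/sh
# Triage helper for the AryStinger indicators discussed in the article.
# Example code written for this post (hypothetical), not XLab's or HeroDevs' tooling.
# Assumptions: busybox-style `ps` / `netstat -tln` output, dnsmasq-style DNS log lines.

SUSPECT_PROCS='syswapd0h|syswapd0w'   # process names reported by XLab
SUSPECT_PORT=2332                      # Dropbear SSH foothold on routers
SUSPECT_DOMAIN='ajb8\.com'             # C2/download domain from XLab's IOC list (regex-escaped)

# check_procs: reads `ps` output on stdin, prints lines whose command is a suspect name.
check_procs() {
  grep -E "(^|[[:space:]/])($SUSPECT_PROCS)([[:space:]]|$)"
}

# check_listener: reads `netstat -tln` output on stdin, prints TCP listeners on port 2332.
check_listener() {
  grep -E "^tcp.*[:.]$SUSPECT_PORT[[:space:]].*LISTEN"
}

# check_dns: reads DNS log lines on stdin, prints lookups of the C2 domain or its subdomains
# (a label boundary is required so that e.g. ajb8.company.net does not match).
check_dns() {
  grep -E "(^|[^A-Za-z0-9.-])([A-Za-z0-9-]+\.)*$SUSPECT_DOMAIN([^A-Za-z0-9.-]|$)"
}

# check_tmp_bin [DIR]: lists executable files under DIR (default /tmp/bin); returns 1 if absent.
check_tmp_bin() {
  dir="${1:-/tmp/bin}"
  [ -d "$dir" ] || return 1
  find "$dir" -type f -perm -100
}

# count_hits PSFILE NETFILE DNSFILE BINDIR: prints how many indicator categories fired (0-4).
count_hits() {
  n=0
  check_procs    < "$1" >/dev/null && n=$((n + 1))
  check_listener < "$2" >/dev/null && n=$((n + 1))
  check_dns      < "$3" >/dev/null && n=$((n + 1))
  [ -n "$(check_tmp_bin "$4")" ]   && n=$((n + 1))
  echo "$n"
}

# Constructed sample captures (not real device data) so the script runs stand-alone.
SAMPLE_PS=$(cat <<'EOF'
  PID USER       VSZ STAT COMMAND
    1 root      1384 S    init
  412 root      2120 S    /bin/dropbear -p 2332
  517 root      3360 S    /tmp/bin/syswapd0h
  603 root      1904 S    httpd
EOF
)
SAMPLE_NET=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2332            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:23320       10.0.0.5:443            ESTABLISHED
EOF
)
SAMPLE_DNS=$(cat <<'EOF'
2026-03-12T10:01:02 query[A] www.example.com from 192.168.1.20
2026-03-12T10:01:05 query[A] cdn.ajb8.com from 192.168.1.1
2026-03-12T10:01:09 query[A] ajb8.company.net from 192.168.1.7
EOF
)

# Demo run over the constructed captures; on a real device, replace the files with
# `ps`, `netstat -tln` and DNS log captures and pass /tmp/bin as the last argument.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PS"  > "$demo_dir/ps.txt"
printf '%s\n' "$SAMPLE_NET" > "$demo_dir/net.txt"
printf '%s\n' "$SAMPLE_DNS" > "$demo_dir/dns.txt"
mkdir -p "$demo_dir/bin" && : > "$demo_dir/bin/syswapd0h" && chmod +x "$demo_dir/bin/syswapd0h"
echo "suspect processes:"; check_procs    < "$demo_dir/ps.txt"  || true
echo "port $SUSPECT_PORT listeners:"; check_listener < "$demo_dir/net.txt" || true
echo "C2 domain lookups:"; check_dns     < "$demo_dir/dns.txt" || true
echo "executables in tmp bin dir:"; check_tmp_bin "$demo_dir/bin" || true
echo "indicator categories fired: $(count_hits "$demo_dir/ps.txt" "$demo_dir/net.txt" "$demo_dir/dns.txt" "$demo_dir/bin")"
rm -rf "$demo_dir"
```

A hit in any single category is worth a closer look; all four together is the pattern the article describes. The DNS check deliberately requires a label boundary so that unrelated domains containing the same string do not produce noise, and the process check anchors on the command name so that the legitimate dropbear line (present on many routers) is not flagged by itself.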
The durable fix is the one everyone keeps repeating because it keeps being true: retire end-of-life routers and appliances that no longer receive firmware, and turn off remote administration on anything internet-facing. A device that stopped getting patches in 2016 is not going to start now.
The maintenance gap is the whole story
Strip AryStinger down and there's no zero-day, no clever new technique, no novel exploit chain. There's a 2013 bug, a 2016 bug, and a fleet of devices whose vendors walked away years ago. The malware didn't have to be sophisticated. It just had to find hardware that nobody is maintaining, and there's a lot of it.
That's the uncomfortable part for anyone responsible for a technology estate. End-of-life isn't a future risk that arrives on a schedule; it's a present condition the moment patches stop shipping. The exposure doesn't announce itself. It simply sits there, accumulating, until someone with a scanner and a public CVE list decides to use it.
Routers and NAS boxes are the version of this problem you can see, because there's a physical thing to point at. The version that's harder to see runs inside your applications: the open-source frameworks, libraries, and runtimes that quietly slipped past end-of-life and are still in production because they still work. They don't blink red. They don't show up in an asset inventory as "abandoned." They just stop getting fixes, and the gap between the last patch and the next exploit widens on its own.
At HeroDevs, that gap is the entire job. We provide secure, drop-in replacements for end-of-life open-source software, backporting the fixes the original maintainers no longer ship, so the dependencies you can't easily rip out don't become the 2013-CVE equivalent inside your own stack. We can't patch your router. But the principle AryStinger is exploiting (no upstream support means open-ended exposure) applies just as cleanly to the software running above it.
The question worth asking before someone else asks it for you: what in your environment stopped getting patched, and how would you even know?