AryStinger Malware

By Mezo in Malware

A newly discovered malware family, named AryStinger, is transforming abandoned home routers into a large-scale reconnaissance and proxy network rather than the traditional distributed denial-of-service (DDoS) botnets commonly associated with compromised networking devices. Security researchers have already identified at least 4,300 infected routers, and the number is expected to continue growing.

Unlike conventional malware campaigns that focus on disrupting services, AryStinger is designed to support the early stages of cyber intrusions. Compromised devices are used to scan the internet, identify running services, enumerate subdomains, tunnel network traffic, and execute commands remotely before transmitting the collected intelligence back to the operators. Every infected router effectively serves as both a reconnaissance node and an anonymizing relay that conceals the true origin of the attacker.

Targeting Aging Hardware and Long-Forgotten Vulnerabilities

The campaign primarily targets routers powered by Realtek RTL819X chipsets, hardware that was widely used between 2012 and 2015. Researchers first observed the malware on 12 March 2026, when infections originated from a single IP address.

The deployed malware was a Linux ELF binary that initially evaded detection by every engine on VirusTotal. It achieved infection by exploiting two older vulnerabilities:

  • CVE-2013-3307 affecting certain Linksys routers.
  • CVE-2016-5681 impacting specific D-Link devices.

Most of the compromised systems are D-Link products, with the DIR-850L model accounting for approximately 75 percent of infections. Geographically, infections are concentrated in South Korea (48 percent) and China (32 percent), followed by Sweden, Malaysia, and Singapore.

Expansion Beyond Routers

A second malware variant emerged on 26 April 2026, targeting QNAP NAS devices through CVE-2025-11837, a code injection vulnerability affecting QNAP's Malware Remover utility. Although the vulnerability had already been patched in November 2025, attackers began exploiting it several months later.

Ironically, the infection vector is the NAS appliance's own malware-removal application. The reported figure of 4,300 compromised systems only includes the infected RTL819X routers and does not account for affected NAS devices.

Lightweight Malware with Powerful Capabilities

The router version of AryStinger is written in C and intentionally remains lightweight due to the limited resources of older hardware. Its primary functions are mass DNS scanning and traffic tunneling.

The NAS version, developed in Go, provides significantly broader capabilities. It can scan both internal and external networks and deploy reconnaissance utilities such as fscan, ksubdomain, and httpx. A feature known as ScriptWork allows operators to execute attacker-supplied Go, Java, or Python source code directly on the infected system, eliminating the need to compile separate binaries for each target.

Communication between infected devices and command-and-control (C2) servers occurs over HTTP and HTTPS using Protobuf-encoded traffic obfuscated with a simple XOR scheme, while the Go-based variant adds gzip compression. Large scanning tasks are divided into smaller segments and distributed across the botnet, enabling parallel reconnaissance operations.

Persistence and Potential for Abuse

The malware maintains long-term access by deploying a Dropbear SSH server on port 2332 for routers and gs-netcat on compromised NAS systems. Investigators also identified a hardcoded authentication key, 'sh_#@!_2024_secret', whose inclusion of '2024' may indicate that development of the operation began that year, although this cannot be confirmed with certainty.

Although reconnaissance appears to be the primary objective, the malware's DNS scanning capabilities can also be redirected toward DNS resolvers to generate denial-of-service traffic when needed.

A Familiar Pattern: Operational Relay Box Networks

The infrastructure created by AryStinger closely resembles Operational Relay Box (ORB) networks. These networks consist of compromised end-of-life routers and IoT devices that enable threat actors to conduct scanning operations and relay malicious traffic while remaining difficult to trace.

The approach echoes previous incidents. In May 2025, the FBI and the U.S. Department of Justice dismantled the 5socks and Anyproxy services, which had monetized residential proxy access by exploiting outdated Linksys and Cisco routers infected with TheMoon malware. More recently, ORB operations such as LapDogs have similarly relied on unpatched vulnerabilities in aging devices.

At present, AryStinger has not been conclusively attributed to any specific threat actor. However, the operational model is unmistakable: obsolete hardware and forgotten vulnerabilities are being converted into stealthy infrastructure that supports the initial stages of sophisticated cyber intrusions.

Detection and Mitigation Strategies

Organizations and individuals operating potentially affected equipment should immediately investigate for indicators of compromise and implement long-term remediation measures.

  • Monitor for outbound connections to AryStinger command-and-control servers and download domains.
  • Inspect the /tmp/bin directory for unfamiliar binaries.
  • Search for suspicious processes named syswapd0h or syswapd0w.
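The host-level indicators above can be checked with a small POSIX shell audit. The script below is an added example written for this page, not code from the article or from the researchers who analysed AryStinger; it uses only the indicators the article names (the process names syswapd0h and syswapd0w, the /tmp/bin drop directory, and the Dropbear listener on TCP 2332). Command-and-control domains are not listed on the page, so the script carries no network indicator list. The sample `ps` and `ss` listings in the usage are constructed.

```shell
#!/bin/sh
# Added host-audit example (constructed for this page, not the article's or any
# vendor's code). Checks the three host indicators the article names: processes
# called syswapd0h/syswapd0w, binaries under /tmp/bin, and a Dropbear SSH
# listener on TCP 2332.

SUSPECT_PROCS="syswapd0h syswapd0w"   # process names from the article
SUSPECT_PORT=2332                     # Dropbear SSH port from the article
SUSPECT_DIR="/tmp/bin"                # drop directory from the article

# Reads a `ps` listing on stdin and prints how many lines name a suspect
# process. Matching is on the whole word, so "/tmp/bin/syswapd0h" and
# "syswapd0h" both count, while an unrelated "syswapd0hx" does not.
count_suspect_procs() {
    n=0
    while IFS= read -r line; do
        for name in $SUSPECT_PROCS; do
            case " $line " in
                *"/$name "*|*" $name "*) n=$((n + 1)); break ;;
            esac
        done
    done
    echo "$n"
}

# Reads `ss -ltn` or `netstat -ltn` output on stdin and prints 1 if any
# listening socket is bound to the suspect port, else 0. Requiring a space or
# end-of-line after the port stops ":2332" from matching ":23320".
has_suspect_listener() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *":$SUSPECT_PORT "*|*":$SUSPECT_PORT") found=1 ;;
        esac
    done
    echo "$found"
}

# Prints every regular file under the drop directory ($1, default /tmp/bin).
# On an uninfected device the directory usually does not exist at all, so any
# output deserves a manual look (file type, hash, parent process).
list_tmp_bin() {
    dir="${1:-$SUSPECT_DIR}"
    [ -d "$dir" ] || return 0
    find "$dir" -type f 2>/dev/null
}

# Runs all three checks against the local host and prints a short report.
# Falls back to plain `ps` and `netstat`, which busybox-based routers and
# NAS firmware usually provide when `ps -ef` or `ss` are missing.
audit_host() {
    procs=$(ps -ef 2>/dev/null || ps 2>/dev/null)
    socks=$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)
    echo "suspect processes      : $(printf '%s\n' "$procs" | count_suspect_procs)"
    echo "listener on tcp/$SUSPECT_PORT  : $(printf '%s\n' "$socks" | has_suspect_listener)"
    echo "files under $SUSPECT_DIR   :"
    list_tmp_bin | sed 's/^/  /'
}

# Only audit when invoked with --audit, so the functions can also be sourced
# and pointed at saved `ps`/`ss` captures from a device under investigation.
case "${1:-}" in
    --audit) audit_host ;;
esac
```

Run it as `sh audit.sh --audit` on the device, or source it and pipe a saved `ps` or `ss` capture into `count_suspect_procs` and `has_suspect_listener` when the box itself cannot be trusted to report honestly. A non-zero process count, a `1` for the listener, or any file listed under /tmp/bin is grounds to take the device offline and image it rather than clean it in place.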

The most effective defense remains straightforward: retire end-of-life networking equipment that no longer receives firmware updates and disable remote administration on internet-exposed devices whenever possible. Hardware that stopped receiving security patches years ago is unlikely to receive protection against modern threats.
