AryStinger Botnet Hijacks 4,000+ Outdated Routers for Global Proxy Operations
A newly identified botnet, dubbed **AryStinger**, has compromised over 4,000 end-of-life routers, transforming them into malicious proxies. Researchers at **Qianxin's XLab** threat intelligence team highlight the botnet's sophisticated capabilities for distributed scanning, traffic manipulation, and potential data theft, posing a significant threat to unsuspecting users and networks.

A previously undocumented malware botnet named **AryStinger** has been found to compromise more than 4,000 outdated routers. These devices are then repurposed as proxies for malicious traffic and other attacker-controlled operations.
**Qianxin's XLab** threat intelligence team reports that the malware converts infected devices into remotely controlled "executors." These executors can perform a range of activities, including scanning, proxying, tunneling, and command execution on behalf of the attacker.
"The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution," **XLab** researchers noted in their report. This distributed design allows for efficient "footprinting" activities, laying the groundwork for subsequent intrusion operations.
Beyond acting as a springboard for malicious operations, **AryStinger** can also tamper with DNS settings, hijacking user browsing. Furthermore, it can silently monitor and potentially steal all inbound and outbound network traffic.

**AryStinger** exploits older vulnerabilities such as **CVE-2013-3307**, **CVE-2016-5681**, and **CVE-2025-11837**. Its primary targets are **D-Link DIR-850L** and **D-Link DIR-818LW** routers.
These particular router models were previously targeted by the **AVrecon** malware botnet, which the communications services provider **Lumen** disrupted in 2023.
**Qianxin's** telemetry data indicates that almost half of all infections are located in South Korea (48.5%). China follows with 31.8%, Sweden with 6.4%, Malaysia with 3.5%, and Singapore with 2.5%.
**XLab** researchers have identified two variants of the **AryStinger** malware. A C-based version predominantly targets outdated routers, while a Go-based variant focuses on **NAS** systems, though with a more limited current reach.

The **NAS** version is the more advanced of the two. It boasts additional capabilities such as IP and DNS scanning, command execution, payload execution, and internal network reconnaissance, integrating open-source penetration testing tools.
The researchers also noted that **AryStinger's** distributed DNS-scanning infrastructure could potentially be repurposed to generate large volumes of DNS queries against resolvers, though no such attacks have been observed yet.
Regarding the **NAS** version's code execution capabilities, **XLab** states it supports Shell commands, as well as Go, Java, and Python source code. However, using source code introduces limitations, such as the need for language runtimes on the host and increased noise that could compromise stealth.
The researchers have not attributed **AryStinger** to any known activity cluster, stating that "many mysteries surrounding **AryStinger** remain to be solved."
Owners of end-of-life (**EoL**) routers are strongly advised to replace them with new, actively supported models. Additionally, applying the latest available firmware updates, changing default administrator account passwords, and disabling remote management panels are crucial security measures.