AryStinger Botnet: Old Routers Become Stealthy Reconnaissance Network
A new malware family dubbed **AryStinger** is quietly transforming thousands of forgotten home routers into a sophisticated distributed reconnaissance and proxy network. Unlike typical DDoS botnets, **AryStinger** focuses on pre-intrusion activities, scanning the internet, fingerprinting services, and tunneling traffic for its operators. This stealthy approach leverages ancient vulnerabilities in end-of-life hardware, posing a significant threat to network security.

Security researchers at **QiAnXin's XLab** have uncovered a new malware family, **AryStinger**, that is turning obsolete home routers into a distributed network for reconnaissance and proxy operations. This marks a departure from the more common DDoS botnet deployments, with **XLab** currently tracking at least 4,300 infected devices and counting.
The distinction is crucial. **AryStinger** is designed for the preliminary stages of an attack, before a direct breach. Infected devices are tasked with scanning the internet, fingerprinting services, enumerating subdomains, tunneling traffic, and executing commands on demand, then relaying the collected intelligence back to the attackers. Each compromised router acts as both a footprinting node and a traffic relay, effectively masking the true origin of the attacker.
## Exploiting Legacy Hardware and Ancient Bugs
The campaign primarily targets routers built on **Realtek's RTL819X** chips, hardware prevalent between 2012 and 2015. **XLab** first identified the activity on March 12, 2026, originating from a single IP address: 107.150.106.14.
The initial binary, a Linux ELF, went undetected by **VirusTotal** engines and exploited two long-patched vulnerabilities: **CVE-2013-3307** affecting **Linksys** models and **CVE-2016-5681** in **D-Link** devices. The majority of infected routers are **D-Link**, with the **DIR-850L** alone accounting for approximately 75% of the compromised pool. Geographically, infections are concentrated in South Korea (around 48%) and China (around 32%), followed by Sweden, Malaysia, and Singapore.
A second strain of **AryStinger** emerged on April 26, targeting **QNAP NAS** boxes through **CVE-2025-11837**, a code injection flaw in **QNAP's Malware Remover**. This vulnerability was demonstrated at **Pwn2Own Ireland 2025** and patched in November 2025, several months before its exploitation by this strain. The infection vector leverages the appliance's own malware removal tool. **XLab**'s current count of 4,300 infections pertains solely to **RTL819X** routers, with **NAS** infections yet to be quantified.
## Two Builds, One Mission
**AryStinger** operates with two distinct builds: a lean version for routers and a more feature-rich one for **NAS** devices. The router build, written in C, is optimized for older hardware, focusing on mass DNS scanning and traffic tunneling. The **NAS** build, developed in Go, is more capable, performing internal and external network scans and deploying reconnaissance tools like `fscan`, `ksubdomain`, and `httpx`. A "ScriptWork" task allows operators to execute attacker-supplied Go, Java, or Python source code directly on the **NAS**, eliminating the need for target-specific binary compilation.

Each infected node, termed an Executor by **XLab**, communicates with its Command and Control (C2) server over HTTP/HTTPS. The traffic is obfuscated using a simple XOR cipher with Protobuf encoding, while the Go build adds gzip compression. Operators can distribute large scans across the botnet, enabling parallel footprinting. **XLab** notes that the DNS scanning capabilities could also be repurposed to generate denial-of-service traffic against resolvers. Persistence is maintained via a **Dropbear SSH** server on a fixed port (2332 on routers) or `gs-netcat` on **NAS** devices. A hardcoded key, `sh_#@!_2024_secret`, contains a "2024" string, which might indicate a 2024 inception date, though **XLab** has not confirmed this.
## A Familiar Espionage Tactic
The operational model of **AryStinger** echoes previous sophisticated botnets. In May 2025, the **FBI** and **Justice Department** dismantled the **5socks** and **Anyproxy** services, which leveraged years-old **Linksys** and **Cisco** routers infected with **TheMoon** malware to create residential proxy networks. The espionage variant of this model appears remarkably similar.
**Mandiant** has extensively tracked **Operational Relay Box (ORB) networks**, which are composed of compromised end-of-life routers and IoT devices used by state-sponsored actors for scanning and relaying traffic while maintaining anonymity. Recent router **ORBs** like **LapDogs** similarly exploit n-day vulnerabilities, much like **AryStinger**.
While **AryStinger** has not yet been attributed to a specific actor, **XLab** continues its investigation. The overarching pattern is clear: forgotten hardware, ancient **CVEs**, and their transformation into covert infrastructure for the initial phases of cyber intrusions.
## What You Can Do
If you operate any of the affected devices, immediate action is necessary. Monitor for outbound connections to **AryStinger**'s C2 and download domains (refer to **XLab's IOC list** for `ajb8.com` and related hosts). Check `/tmp/bin` for any unauthorized binaries and look for processes named `syswapd0h` or `syswapd0w`.
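The host-side checks above (the `syswapd0h`/`syswapd0w` process names, binaries in `/tmp/bin`, and the Dropbear persistence listener on TCP 2332 from the router build) can be scripted into a small triage pass. This is an added example written for this page, not tooling from XLab; it assumes the classic `netstat -tln` column layout and a `ps` that accepts `-o comm=`.

```shell
#!/bin/sh
# Added host-triage example for the indicators named in the XLab write-up
# (not XLab's own tooling): process names syswapd0h / syswapd0w, attacker
# binaries dropped under /tmp/bin, and the Dropbear listener on TCP 2332.
# Assumed: `netstat -tln` column layout and a `ps` supporting -o comm=.
IOC_PROCS="syswapd0h syswapd0w"
IOC_PORT=2332
IOC_DIR=/tmp/bin

# scan_procs: process names, one per line, on stdin; prints "PROC <name>" per hit.
scan_procs() {
  while IFS= read -r name; do
    for ioc in $IOC_PROCS; do
      if [ "$name" = "$ioc" ]; then echo "PROC $name"; fi
    done
  done
  return 0
}

# scan_listeners: `netstat -tln` output on stdin; prints "LISTEN <addr>" for any
# socket bound to IOC_PORT. Field 4 is the local address, the last field the state,
# so ":2332$" matches 0.0.0.0:2332 and :::2332 but not 52332.
scan_listeners() {
  awk -v p="$IOC_PORT" '$NF == "LISTEN" && $4 ~ (":" p "$") { print "LISTEN " $4 }'
}

# scan_dir: lists every entry (dotfiles included) in a directory that should be empty
# or absent on a healthy device; defaults to IOC_DIR.
scan_dir() {
  dir=${1:-$IOC_DIR}
  [ -d "$dir" ] || return 0
  for f in "$dir"/* "$dir"/.[!.]*; do
    if [ -e "$f" ]; then echo "FILE $f"; fi
  done
  return 0
}

# triage: run all three checks against the live host (needs ps and netstat).
triage() {
  echo "== processes ==";  ps -o comm= 2>/dev/null | scan_procs
  echo "== listeners ==";  netstat -tln 2>/dev/null | scan_listeners
  echo "== $IOC_DIR ==";   scan_dir "$IOC_DIR"
}

# Only touch the live system when asked, so the functions can be sourced and tested.
if [ "${AUDIT_LIVE:-0}" = 1 ]; then triage; fi
```

Run it as `AUDIT_LIVE=1 sh triage.sh`; any `PROC`, `LISTEN` or `FILE` line is a hit worth pulling the device offline to investigate.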
The most robust long-term solution remains consistent: retire end-of-life routers that no longer receive firmware updates and disable remote administration on any exposed devices. Hardware that stopped receiving patches in 2016 will not suddenly become secure.