A newly discovered botnet called AryStinger has quietly hijacked more than 4,300 routers across the globe, turning them into a silent army of attack proxies. Researchers from Qianxin XLab identified the campaign, which exploits decade-old vulnerabilities to build a covert reconnaissance infrastructure that is specifically designed to stay hidden from traditional security tools.
Discovery and Origins
The campaign first came to light on March 12, 2026, when a network-wide threat monitoring system flagged a suspicious IP address spreading a malware sample through two known router vulnerabilities: CVE-2013-3307 and CVE-2016-5681. These flaws affect several Linksys and D-Link router models from over ten years ago. Remarkably, the malware was going completely undetected at the time, with zero flags across major security scanning platforms.
Qianxin XLab researchers identified AryStinger as targeting router devices built on the RTL819X series chips, most widely deployed between 2012 and 2015. A related sample targeting NAS devices was captured on April 26, spreading through CVE-2025-11837. Based on its source code paths and behavior, the research team named this new malware family AryStinger. A hardcoded encryption key inside the malware — “sh_#@!_2024_secret” — hints that the campaign may have been running since at least 2024.
How AryStinger Operates
Unlike typical botnets that focus on DDoS attacks or cryptocurrency mining, AryStinger is built for something far more calculated. It is designed to quietly gather information and serve as a launchpad for deeper intrusions. The infected router becomes a ghost node, helping attackers hide their real location while conducting reconnaissance on other networks.
Once AryStinger infects a router, it registers the device with a command-and-control (C2) server by transmitting encrypted device fingerprint data including MAC address, IP addresses, operating system version, and CPU architecture. The server assigns each infected device a unique Executor ID, turning it into a managed node in the botnet.
Each infected node, called an Executor, receives a small chunk of a larger distributed scanning task. The attacker distributes these chunks across hundreds of devices simultaneously, enabling fast, distributed reconnaissance across the internet while keeping any single device’s network footprint minimal. The botnet supports port scanning, service identification, subdomain enumeration, and traffic tunneling — all while keeping the attacker’s true identity hidden behind layers of compromised home routers.
Two Versions, One Dangerous Goal
AryStinger comes in two distinct versions that share the same core logic. The RTL819X version is written in C and is a lean build specifically tailored for old routers. It focuses mainly on DNS scanning and tunnel functionality.
The Standard version is written in Go and targets NAS devices. It features a broader capability set including intranet scanning, script execution, and the ability to run payloads written in Go, Java, or Python. The Standard version’s ScriptWork feature is particularly flexible, allowing attackers to push raw code directly to infected devices without needing to compile separate binaries for different hardware platforms.
Both versions establish persistent backdoors on infected devices, either through a lightweight SSH server (dropbear) or through gs-netcat, giving attackers long-term remote access that survives reboots in many cases.
Geographic Distribution and Affected Devices
The infected devices are predominantly D-Link DIR-850L routers, accounting for approximately 75 percent of all known infections. The geographic distribution of compromised devices skews heavily toward Asia:
- South Korea: 48.45% of infections
- China: 31.82%
- Sweden: 6.40%
- Malaysia: 3.50%
- Singapore: 2.50%
The full scale of the operation remains unknown since current infection counts only cover RTL819X routers and do not yet reflect how many NAS devices may also be compromised.
Indicators of Compromise
Key IOCs identified by Qianxin XLab include:
- Scanner IP: 107[.]150[.]106[.]14 (used to spread AryStinger via CVE-2013-3307 and CVE-2016-5681)
- C2 Domains: opi7[.]com, xook.ajb8[.]com, xonice.ahb8[.]com
- Malicious processes: syswapd0h, syswapd0w
- Malicious files: unexpected binaries in /tmp/bin directory
Defensive Recommendations
If you operate any Linksys or D-Link routers from the 2012–2015 era, particularly models based on the RTL819X chipset such as the D-Link DIR-850L, you should treat those devices as potentially compromised and act immediately:
- Replace end-of-life routers — any device whose firmware has not received updates in years should be replaced or taken offline without delay. No patch will be forthcoming for these unsupported models.
- Monitor outbound traffic — check network traffic for any communication with the C2 domains listed above.
- Inspect device processes and files — check the /tmp/bin directory for unknown files and verify whether processes named syswapd0h or syswapd0w are running.
- Segment IoT devices — place routers and NAS devices on isolated network segments to limit their ability to pivot into internal infrastructure.
- Disable remote management interfaces — ensure the admin web interface is not exposed to the public internet on any network device.
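As an added illustration of the monitoring and inspection recommendations above (this is example code, not code from the Qianxin XLab report or this article), the following Python checks a constructed DNS resolver log for lookups of the listed C2 domains or their subdomains, and a constructed process list for the named process names or anything executing out of /tmp/bin. The "<timestamp> <client-ip> query <qname>" log format and the "PID COMMAND" process listing are assumptions.

```python
import re

# Indicators quoted on this page from the Qianxin XLab report (defanged "[.]" notation).
C2_DOMAINS = ["opi7[.]com", "xook.ajb8[.]com", "xonice.ahb8[.]com"]
MALICIOUS_PROCESSES = {"syswapd0h", "syswapd0w"}
MALICIOUS_DIR = "/tmp/bin"

def normalize_host(name: str) -> str:
    """Refang '[.]', lowercase, and drop a trailing dot so indicators and log names compare equal."""
    return name.replace("[.]", ".").lower().rstrip(".")

C2_HOSTS = {normalize_host(d) for d in C2_DOMAINS}

def matches_c2(hostname: str) -> bool:
    """True if hostname is a listed C2 host or a subdomain of one (not a mere suffix match)."""
    h = normalize_host(hostname)
    return any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS)

# Assumed resolver log format: "<timestamp> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")

def find_c2_lookups(lines):
    """Return (client-ip, queried-name) pairs for every lookup that hits a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and matches_c2(m.group("qname")):
            hits.append((m.group("client"), normalize_host(m.group("qname"))))
    return hits

def find_suspicious_processes(ps_lines):
    """ps_lines: 'PID COMMAND' rows; flag listed process names and anything run from /tmp/bin."""
    flagged = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        pid, cmd = parts
        exe = cmd.split()[0]                 # executable path, arguments dropped
        name = exe.rsplit("/", 1)[-1]        # bare process name
        if name in MALICIOUS_PROCESSES or exe.startswith(MALICIOUS_DIR + "/"):
            flagged.append((int(pid), exe))
    return flagged

# Constructed sample data: the trailing dot and the look-alike "notopi7.com" exercise the matcher.
SAMPLE_DNS_LOG = [
    "2026-03-12T10:00:01Z 192.168.1.1 query xook.ajb8.com",
    "2026-03-12T10:00:02Z 192.168.1.20 query www.example.com",
    "2026-03-12T10:00:03Z 192.168.1.1 query api.opi7.com.",
    "2026-03-12T10:00:04Z 192.168.1.20 query notopi7.com",
]
SAMPLE_PS = ["1 /sbin/init", "412 /tmp/bin/update -d", "533 syswapd0h", "610 /usr/sbin/crond"]
```

Running find_c2_lookups(SAMPLE_DNS_LOG) flags only the two queries from 192.168.1.1, and find_suspicious_processes(SAMPLE_PS) flags PIDs 412 and 533.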
AryStinger is a clear reminder that legacy network devices with known unpatched vulnerabilities continue to serve as a reliable entry point for threat actors. As long as millions of outdated routers remain connected worldwide, campaigns like this will continue finding fresh recruits for their botnet armies.