A newly surfaced botnet known as AryStinger has quietly commandeered more than 4,300 routers worldwide and turned them into attack proxies. The operation exploits years-old vulnerabilities to build a reconnaissance network, and it is notable for how well it evades standard security measures.
Exploitation of Old Vulnerabilities
The AryStinger campaign was first detected on March 12, 2026, when a threat monitoring system flagged a suspicious IP address that was distributing malware through the router vulnerabilities CVE-2013-3307 and CVE-2016-5681, which affect certain Linksys and D-Link models. These routers run outdated firmware, and the malware samples went undetected by the major scanning platforms.
Research by Qianxin XLab, shared with Cyber Security News, showed the attack targeting routers built on RTL819X chips, which were common in devices sold from 2012 to 2015. The team later found a sample that targets NAS devices through a separate vulnerability, CVE-2025-11837, and this led to the identification of the AryStinger malware family.
Functionality Beyond Conventional Botnets
Unlike typical botnets used for DDoS attacks or cryptocurrency mining, AryStinger is built for strategic data gathering and as a springboard for further intrusions. Compromised routers act as ‘ghost nodes’ that mask the attackers’ true location while probing other networks.
A hardcoded encryption key in AryStinger, reading “sh_#@!_2024_secret,” suggests the campaign has been active since 2024. The full extent of the operation remains uncertain: current infection data covers mainly RTL819X routers, and the impact on NAS devices is still being assessed.
Technical Specifics and Geographic Impact
Once a router is infected, it checks in with a command-and-control server, transmitting encrypted data such as MAC and IP addresses, system version, and CPU architecture. Each device is assigned a unique Executor ID that enrolls it in the botnet for distributed reconnaissance tasks.
Botnet functions include port scanning, service identification, and traffic tunneling, which routes the attackers’ activity through the victim device and conceals its origin. Most affected devices are D-Link DIR-850L routers, and South Korea and China are the most affected countries.
AryStinger exists in two versions: an RTL819X variant written in C for the older routers, and a standard version written in Go for NAS devices. Both establish a persistent backdoor that gives the attackers long-term access to the compromised systems.
Protective Measures and Recommendations
Security experts advise users to inspect their network traffic for connections to the identified threat domains and to check their devices for unknown files or processes. Routers running outdated firmware that can no longer be updated should be replaced or disconnected immediately; because the implant installs a persistent backdoor, a reboot alone should not be relied on to remove it.
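The two checks recommended above, as an added example that is not part of the original article or of XLab's research: a small Python triage script that flags DNS queries for indicator domains in a dnsmasq-style query log and searches file contents for the hardcoded key string the article reports. The indicator domains and the log lines are constructed placeholders, because the article does not list the threat domains; that the key is embedded as a plain string in every sample is an assumption, so a miss does not clear a file.

```python
import os
import re

# Hardcoded key string reported for the AryStinger samples (from the article).
ARYSTINGER_KEY = b"sh_#@!_2024_secret"

# The article does not publish the threat domains, so these are constructed
# placeholder indicators; replace them with the real list when available.
IOC_DOMAINS = {"c2.example.invalid", "update.example.invalid"}

# Constructed dnsmasq-style query log for the demonstration (not real traffic).
# Note that the lookups of interest come from 192.168.1.1, the router itself.
SAMPLE_DNS_LOG = """\
Mar 12 03:14:07 dnsmasq[512]: query[A] c2.example.invalid from 192.168.1.1
Mar 12 03:14:09 dnsmasq[512]: query[A] www.example.org from 192.168.1.23
Mar 12 03:15:01 dnsmasq[512]: query[AAAA] api.update.example.invalid from 192.168.1.1
Mar 12 03:15:30 dnsmasq[512]: query[A] example.invalid from 192.168.1.45
"""

QUERY_RE = re.compile(r"query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def domain_matches(name, iocs=IOC_DOMAINS):
    """True if name is an indicator domain or a subdomain of one.

    Matching is case-insensitive and ignores a trailing dot. A parent domain
    does not match its child: example.invalid is not c2.example.invalid.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def find_ioc_queries(log_text, iocs=IOC_DOMAINS):
    """Return (source_ip, queried_name) for every query that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group("name"), iocs):
            hits.append((m.group("src"), m.group("name")))
    return hits


def scan_bytes_for_key(data, key=ARYSTINGER_KEY):
    """Offset of the hardcoded key in a file image, or -1 if it is absent.

    Assumption: the key is embedded as a plain string. A packed or obfuscated
    sample would not contain it literally, so -1 is not a clean bill of health.
    """
    return data.find(key)


def scan_paths_for_key(paths, key=ARYSTINGER_KEY):
    """Return the subset of paths whose contents embed the key.

    Unreadable or missing paths are skipped rather than aborting the scan.
    """
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue
        if scan_bytes_for_key(data, key) != -1:
            hits.append(path)
    return hits


def walk_paths(root):
    """Yield every regular file under root, e.g. a directory copied off the device."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    for src, name in find_ioc_queries(SAMPLE_DNS_LOG):
        print(f"IOC DNS lookup for {name} from {src}")
    # Constructed stand-in for a binary pulled off a device.
    fake_sample = b"\x7fELF" + b"\x00" * 16 + ARYSTINGER_KEY + b"\x00"
    print("key offset in constructed sample:", scan_bytes_for_key(fake_sample))
```

On a real network, feed `find_ioc_queries` the resolver's query log (or flow records rewritten into the same `query[...] name from src` shape) and watch for lookups whose source is the router's own address rather than a client behind it; `scan_paths_for_key(walk_paths("/tmp"))` is the file check, and `strings <file> | grep -F 'sh_#@!_2024_secret'` does the same job from a shell.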
Overall, the AryStinger botnet’s intricate design and global reach underscore the critical need for robust cybersecurity practices and timely updates to safeguard network infrastructure.
