The AryStinger malware is exploiting outdated home routers, repurposing them into a distributed reconnaissance and proxy network. According to QiAnXin’s XLab, this malware has already infected at least 4,300 routers, with numbers continuing to rise.
Understanding AryStinger’s Functionality
Unlike typical botnets used for DDoS attacks, AryStinger is designed for pre-intrusion activity. The infected routers scan online resources, identify services, map subdomains, and relay traffic to mask the true origin of the attacker. These routers serve as nodes in a network, providing a veil of anonymity for cybercriminals.
The campaign targets routers with Realtek’s RTL819X chips, prevalent between 2012 and 2015. The spread began on March 12, 2026, from the IP address 107.150.106.14. The malware exploits older vulnerabilities, specifically CVE-2013-3307 in Linksys and CVE-2016-5681 in D-Link models, primarily affecting D-Link DIR-850L devices in regions like South Korea and China.
Expansion to QNAP NAS Devices
On April 26, 2026, a variant targeting QNAP NAS devices emerged using CVE-2025-11837, a vulnerability in QNAP’s Malware Remover tool. This vulnerability was demonstrated at Pwn2Own Ireland in 2025 and addressed later that year. The malware nonetheless exploits the flaw on devices that have not received the fix, although the extent of NAS infections remains unquantified.
The malware is deployed in two versions: a lightweight C build for routers focusing on DNS scanning and traffic tunneling, and a more complex Go build for NAS devices that performs extensive network reconnaissance. These builds allow attackers to utilize compromised devices without compiling binaries for each target.
Implications and Precautions
The structure of this campaign is reminiscent of previous espionage operations dismantled by authorities, such as the FBI’s takedown of 5socks and Anyproxy services. These services used compromised routers as residential proxies, similar to AryStinger’s approach.
Though the perpetrators behind AryStinger remain unidentified, its reliance on outdated hardware and software vulnerabilities is clear. Users of affected devices should monitor for unusual outbound connections and check for unauthorized binaries or processes. The recommended course of action is to retire unsupported routers and disable remote administration features to mitigate future risks.
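The monitoring advice above can be turned into a simple check over a home firewall's connection export. The following is an added example, not code from XLab or the report: it flags a source address that contacts the seeding IP named in the report or that resolves many distinct names under one base domain, the subdomain-mapping behaviour the article describes. The log format, the router address 192.168.1.1, the resolver 192.0.2.53 and the threshold of five names are all constructed assumptions.

```python
from collections import defaultdict

SEED_IP = "107.150.106.14"   # initial spread address quoted in the report
SUBDOMAIN_THRESHOLD = 5      # constructed: distinct names under one base domain

# Constructed sample export: "src dst dport proto [dns_qname]" per line.
# 192.168.1.1 is the router under review, 192.0.2.53 the upstream resolver.
SAMPLE_LOG = """\
192.168.1.1 107.150.106.14 443 tcp
192.168.1.1 192.0.2.53 53 udp mail.target-example.org
192.168.1.1 192.0.2.53 53 udp vpn.target-example.org
192.168.1.1 192.0.2.53 53 udp dev.target-example.org
192.168.1.1 192.0.2.53 53 udp git.target-example.org
192.168.1.1 192.0.2.53 53 udp admin.target-example.org
192.168.1.1 192.0.2.53 53 udp staging.target-example.org
192.168.1.20 192.0.2.53 53 udp www.news-example.com
192.168.1.20 203.0.113.10 443 tcp
"""

def base_domain(name):
    """Collapse a query name to its last two labels (a simple base-domain key)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def parse(log):
    """Yield one record per well-formed line; the DNS name is optional."""
    for line in log.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        yield {"src": f[0], "dst": f[1], "dport": int(f[2]), "proto": f[3],
               "qname": f[4] if len(f) > 4 else None}

def detect(log, threshold=SUBDOMAIN_THRESHOLD):
    """Return {src: [reasons]} for sources matching either indicator."""
    names = defaultdict(lambda: defaultdict(set))  # src -> base -> query names
    alerts = defaultdict(list)
    for r in parse(log):
        if r["dst"] == SEED_IP:
            alerts[r["src"]].append(f"connection to reported seed IP {SEED_IP}")
        if r["dport"] == 53 and r["qname"]:
            names[r["src"]][base_domain(r["qname"])].add(r["qname"])
    for src, bases in names.items():
        for base, subs in bases.items():
            if len(subs) >= threshold:
                alerts[src].append(f"{len(subs)} distinct names under {base}")
    return dict(alerts)

if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Running it on the constructed sample flags 192.168.1.1 on both indicators and leaves the ordinary client 192.168.1.20 unreported.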
Maintaining up-to-date firmware and replacing legacy hardware are crucial steps in securing networks against threats like AryStinger. As cyber threats evolve, staying informed and proactive is essential for protecting digital infrastructure.
