“The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” Qianxin’s XLab researchers wrote, describing how a previously undocumented botnet turns thousands of old routers into a distributed toolset for attackers.
Qianxin XLab’s core finding
Researchers at Qianxin’s XLab threat intelligence team reported that a malware family they call AryStinger has infected more than 4,000 outdated routers worldwide and converted them into remotely controlled “executors.” According to the team, those executors perform scanning, proxying, tunneling, command execution and other activities on behalf of the attacker, enabling parallelized reconnaissance and follow-on intrusion activity.
How AryStinger operates on compromised devices
XLab’s analysis shows AryStinger can tamper with device DNS settings, redirecting and hijacking users’ browsing sessions, and silently monitor — and potentially steal — inbound and outbound network traffic. The researchers emphasize the malware’s distributed design: by dividing large scanning tasks into many small chunks and sending them to different executors, an attacker can complete early “footprinting” work more quickly and with higher success rates, laying groundwork for subsequent intrusions.
Targets, exploited flaws, and geographic footprint
AryStinger primarily targets older D‑Link models, specifically the DIR-850L and DIR-818LW, and exploits legacy vulnerabilities identified by CVE numbers: CVE-2013-3307, CVE-2016-5681 and CVE-2025-11837. Qianxin’s telemetry indicates nearly half of recorded infections are in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%). The researchers note these exact D‑Link models were previously targeted by the AVrecon botnet—an operation that Lumen said it disrupted in 2023.
Two variants: router-focused C build and a Go-based NAS variant
XLab identified two AryStinger variants. The C-based variant primarily affects outdated routers and is the one responsible for the majority of infections. The second, written in Go, targets NAS systems and currently has a much smaller footprint but carries more advanced capabilities. The NAS variant includes IP and DNS scanning, command and payload execution, and internal network reconnaissance by integrating open-source penetration-testing tools. For code execution the NAS variant supports Shell commands and can run Go, Java and Python source code, though XLab warned that using source code instead of compiled binaries has limitations: compilation on-host requires language runtimes and can introduce noise that undermines stealth.
Operational implications and detection challenges
The researchers flagged a dual risk: apart from serving as proxies for malicious traffic and reconnaissance, AryStinger’s distributed DNS-scanning infrastructure could be repurposed to generate large volumes of DNS queries against resolvers — a capability the team observed in design but did not see actively abused. XLab also reported it has not attributed AryStinger to any known activity cluster, writing that “many mysteries surrounding AryStinger remain to be solved.”
Compounding the problem, a Picus whitepaper metric cited in the source material states that security teams log 54% of successful attacks but alert on only 14%, a gap that illustrates why distributed, stealthy malware running on consumer devices can move through environments unseen.
What this means for owners of end-of-life routers and security teams
- Owners of end-of-life (EoL) routers: Qianxin recommends replacing EoL routers with actively supported models, applying the latest available firmware, changing default administrator passwords, and disabling remote management panels.
- Security teams and network operators: XLab’s findings underline the need to monitor for unexpected DNS changes, anomalous outbound proxy/tunneling traffic and distributed scanning patterns that may indicate a network of compromised edge devices being used as executors.
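As an added illustration, not code from the XLab report or the BleepingComputer article, the following Python sketch implements two of the checks above over constructed DNS and flow records: clients whose queries go to an unexpected resolver, and coordinated scanning where each source stays below a per-host threshold but the sources together cover a large target set. The record formats and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records, not data from the XLab report.
# DNS log entries: (client_ip, resolver_ip, qname)
DNS_LOG = [
    ("192.0.2.10", "192.0.2.1", "example.com"),
    ("192.0.2.11", "192.0.2.1", "example.org"),
    ("192.0.2.12", "203.0.113.9", "bank.example"),  # resolver not on the allow-list
    ("192.0.2.12", "203.0.113.9", "mail.example"),
]
ALLOWED_RESOLVERS = {"192.0.2.1"}

# Flow entries: (src_ip, dst_ip, dst_port, syn_only)
# Four hosts each probe a small, disjoint chunk of 198.51.100.0/24 on port 22,
# mirroring the "split one scan into chunks per executor" pattern.
SCAN_FLOWS = [(f"192.0.2.{20 + i}", f"198.51.100.{i * 5 + j}", 22, True)
              for i in range(4) for j in range(5)]
NORMAL_FLOWS = [("192.0.2.30", "198.51.100.7", 443, False)] * 10


def dns_hijack_suspects(dns_log, allowed):
    """Return {client: {resolvers}} for clients querying resolvers outside the allow-list."""
    suspects = defaultdict(set)
    for client, resolver, _qname in dns_log:
        if resolver not in allowed:
            suspects[client].add(resolver)
    return dict(suspects)


def distributed_scan(flows, per_src_max=8, min_sources=3, min_targets=15):
    """Flag coordinated scanning that per-source thresholds miss: every source
    touches at most per_src_max (dst, port) pairs, yet together the sources
    cover at least min_targets distinct pairs with little overlap (disjoint chunks)."""
    targets_by_src = defaultdict(set)
    for src, dst, port, syn_only in flows:
        if syn_only:  # unanswered SYNs are the probe signal we aggregate on
            targets_by_src[src].add((dst, port))
    quiet = {s: t for s, t in targets_by_src.items() if len(t) <= per_src_max}
    union = set().union(*quiet.values()) if quiet else set()
    total = sum(len(t) for t in quiet.values())
    overlap = 1 - len(union) / total if total else 0.0
    if len(quiet) >= min_sources and len(union) >= min_targets and overlap < 0.2:
        return {"sources": sorted(quiet), "targets": len(union)}
    return None
```

Per-source counting alone would clear each executor here (five probes apiece); only the aggregate view across sources surfaces the 20-target sweep.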
AryStinger illustrates a recurrent risk: inexpensive, long‑deployed devices with unpatched flaws can be repurposed into resilient, distributed toolsets that perform reconnaissance, traffic interception and covert command execution. Qianxin’s telemetry gives a clear geographic and device-level snapshot today; what remains unclear is who built AryStinger, how widespread the NAS variant will become, and whether the DNS-scanning capability will be weaponized at scale. For now the practical step—replace unsupported routers, patch, and harden administration settings—remains both immediate and concrete.
Source: BleepingComputer — AryStinger botnet infected thousands of D-Link routers worldwide