AryStinger Malware Infects 4,300 Routers in Global Reconnaissance Network

4,300 infected home routers — and counting. That is QiAnXin XLab's tally of devices commandeered by a previously unseen malware family that turns end-of-life consumer gear into a distributed reconnaissance and proxy network rather than the usual DDoS swarm.

AryStinger’s purpose: reconnaissance, proxying, and covert relays

AryStinger is designed for the prelude to intrusion. Infected appliances act as footprinting nodes and relays: they scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, run commands on demand, and return results to the operator. Each compromised device can both scan targets and relay operator traffic so the attacker’s true origin is obscured. XLab emphasized that this is not a DDoS botnet in the classic sense but infrastructure for the reconnaissance stage of attacks.

What it targets and how it gets in

The campaign focuses on hardware built on Realtek’s RTL819X chips — routers common around 2012–2015. XLab first observed AryStinger on March 12, 2026, spreading from an initial IP, 107.150.106.14. The initial payload was a Linux ELF binary that, at the time of XLab’s analysis, was not flagged by any engine on VirusTotal.

To build its router fleet, AryStinger exploits two long-standing vulnerabilities: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link models. A second strain, observed starting April 26, 2026, targets QNAP NAS boxes via CVE-2025-11837, a code injection flaw in QNAP’s Malware Remover component that was demonstrated at Pwn2Own Ireland 2025 and patched in November 2025. XLab has not quantified NAS infections; the 4,300 figure covers RTL819X routers only.

Two builds, one mission: router C build and NAS Go build

XLab found two distinct builds. The router build is small, written in C, optimized for limited hardware: it focuses on mass DNS scanning and traffic tunneling. The NAS build, written in Go, is heavier and capable of broader reconnaissance: it scans internal and external networks and runs recon tools such as fscan, ksubdomain, and httpx. The NAS variant includes a "ScriptWork" task that executes attacker-supplied Go, Java, or Python source code on the appliance, allowing operators to run arbitrary code without compiling a per-target binary.

Command-and-control communications use HTTP/HTTPS with Protobuf-encoded payloads obfuscated by a simple XOR; the Go build additionally applies gzip. Operators split large scans into chunks and distribute them across the fleet so footprinting runs in parallel. XLab notes the same DNS scanning can be redirected at resolvers to generate denial-of-service traffic.

Persistence, indicators, and scale

Persistence mechanisms differ by platform: routers run a Dropbear SSH server on a fixed port, 2332, while NAS boxes use gs-netcat. A hardcoded key embedded in the malware — sh_#@!_2024_secret — contains "2024," which XLab suggests may hint at an earlier start date but cannot confirm. XLab also named process indicators and host artifacts to check for: look for processes named syswapd0h or syswapd0w, binaries in /tmp/bin you did not install, and outbound connections to AryStinger C2 and download domains such as ajb8.com listed in XLab’s IOC set.

Of the infected RTL819X devices XLab counted, about 75 percent are the D-Link DIR-850L. Geographically the pool skews to South Korea (~48 percent) and China (~32 percent), with further infections in Sweden, Malaysia, and Singapore. XLab reports at least 4,300 infected routers and says that number was still rising at the time of its publication.

How Mandiant, law enforcement takedowns, and ORB models relate

XLab placed AryStinger in a familiar operational pattern. Mandiant has tracked operational relay box networks (ORBs): meshes of compromised end-of-life routers and IoT devices used by state actors to scan and relay while staying hard to trace. AryStinger follows the same model, farming devices through n-day or ancient CVEs. In May 2025, the FBI and Justice Department took down 5socks and Anyproxy, services that had converted aged Linksys and Cisco routers running TheMoon malware into residential proxies — an earlier commercialized variant of using end-of-life consumer gear as relays.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: prioritize the checks XLab supplied — scan for outbound connections to C2 and ajb8.com-related hosts, inspect /tmp/bin for unfamiliar binaries, and look for processes syswapd0h or syswapd0w. Investigate any Dropbear servers on port 2332 or gs-netcat on NAS devices.
  • Procurement leaders and network operators: inventory network edge devices for RTL819X-based routers and end-of-life appliances that stopped receiving firmware years ago. The router build’s lightweight C implementation and the NAS Go build’s ability to execute supplied scripts show attackers can adapt tools to constrained hardware.
  • End users and small offices running the affected gear: retire devices that have not received firmware updates since 2016 or earlier and disable remote administration on exposed boxes. A durable fix, XLab advises, is to replace end-of-life routers rather than hope old firmware will be updated.
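The indicator checks above can be turned into a repeatable hunt. The script below is an added example written for this article, not XLab's tooling or anything published with its report: it takes text collected from a router or NAS (ps output, a listing of /tmp/bin, netstat output, and resolver logs) and flags the process names, the Dropbear listener on port 2332, gs-netcat, the ajb8.com download domain with its subdomains, and the initial spreader IP named in the report. Every sample input is constructed; the netstat and ps column layouts are assumed to follow the common BusyBox format.

```python
"""Hunt for the AryStinger indicators XLab published over collected
ps / ls / netstat / DNS-log text.  Added example; not XLab's tooling.
Indicator values come from the report; all sample inputs are constructed."""
import re
from dataclasses import dataclass, field

PROCESS_NAMES = {"syswapd0h", "syswapd0w", "gs-netcat"}  # named in the report
DROPBEAR_PORT = "2332"                                    # router persistence port
DOMAIN_IOCS = {"ajb8.com"}                                # matched with subdomains
IP_IOCS = {"107.150.106.14"}                              # initial spreader IP


@dataclass
class Findings:
    processes: list = field(default_factory=list)
    tmp_bin: list = field(default_factory=list)
    listeners: list = field(default_factory=list)
    connections: list = field(default_factory=list)
    dns: list = field(default_factory=list)

    def is_clean(self):
        return not any(vars(self).values())


def is_ioc_host(host):
    """True for an IOC IP, the IOC domain itself, or any subdomain of it."""
    host = host.lower().rstrip(".")
    if host in IP_IOCS:
        return True
    return any(host == d or host.endswith("." + d) for d in DOMAIN_IOCS)


def check_processes(ps_lines):
    """Flag command basenames in PROCESS_NAMES and any Dropbear bound to 2332."""
    hits = []
    for line in ps_lines:
        basenames = {tok.rsplit("/", 1)[-1] for tok in line.split()}
        if basenames & PROCESS_NAMES or re.search(rf"\bdropbear\b.*\b{DROPBEAR_PORT}\b", line):
            hits.append(line.strip())
    return hits


def check_tmp_bin(listing, allowlist=frozenset()):
    """Anything in /tmp/bin that the operator did not place there is suspect."""
    return [name for name in listing if name not in allowlist]


def check_network(netstat_lines):
    """Return (listeners on 2332, connections whose peer is an IOC host)."""
    listeners, connections = [], []
    for line in netstat_lines:
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or unrelated line
        local, foreign = cols[3], cols[4]
        state = cols[5] if len(cols) > 5 else ""
        if state == "LISTEN" and local.rsplit(":", 1)[-1] == DROPBEAR_PORT:
            listeners.append(line.strip())
        if is_ioc_host(foreign.rsplit(":", 1)[0]):
            connections.append(line.strip())
    return listeners, connections


HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def check_dns(log_lines):
    """Flag resolver-log lines naming the IOC domain or one of its subdomains."""
    return [line.strip() for line in log_lines
            if any(is_ioc_host(t) for t in HOST_TOKEN.findall(line))]


def hunt(ps_lines, tmp_bin_listing, netstat_lines, dns_lines, allowlist=frozenset()):
    f = Findings()
    f.processes = check_processes(ps_lines)
    f.tmp_bin = check_tmp_bin(tmp_bin_listing, allowlist)
    f.listeners, f.connections = check_network(netstat_lines)
    f.dns = check_dns(dns_lines)
    return f


# --- constructed samples (not real captures) ---------------------------------
PS_SAMPLE = """\
  PID USER       COMMAND
    1 root       init
  412 root       /sbin/httpd
  977 root       /tmp/bin/syswapd0h
  981 root       dropbear -p 2332
"""
TMP_BIN_SAMPLE = ["busybox", "syswapd0w", "dropbear"]
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0      0 0.0.0.0:2332       0.0.0.0:*             LISTEN
tcp        0      0 192.168.1.1:80     192.168.1.20:51102    ESTABLISHED
tcp        0      0 192.168.1.1:44120  107.150.106.14:80     ESTABLISHED
"""
DNS_SAMPLE = """\
10:11:12 query[A] cdn.example.net from 192.168.1.1
10:11:13 query[A] dl.ajb8.com from 192.168.1.1
10:11:14 query[A] notajb8.com from 192.168.1.1
"""


def demo():
    """Run the hunt over the samples; busybox is the only allow-listed /tmp/bin entry."""
    return hunt(PS_SAMPLE.splitlines(), TMP_BIN_SAMPLE, NETSTAT_SAMPLE.splitlines(),
                DNS_SAMPLE.splitlines(), allowlist={"busybox"})


if __name__ == "__main__":
    for section, items in vars(demo()).items():
        for item in items:
            print(f"[{section}] {item}")
```

The domain match is deliberately suffix-based so hosts under ajb8.com are caught without matching look-alikes such as notajb8.com, and the /tmp/bin check relies on an operator-supplied allowlist because the report's advice is to treat anything you did not install there as suspect.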

QiAnXin’s XLab has not attributed AryStinger to a named actor and continues investigating. The technical footprint they described — old chips, older bugs, compact C binaries for routers, Go-based NAS implants capable of running arbitrary scripts — leaves little doubt about the actor’s intent: to build a covert, distributed reconnaissance and proxy layer from forgotten consumer devices. The priority is practical and simple: identify affected devices, search for the process and network indicators XLab published, and retire or isolate any routers and NAS boxes that no longer receive vendor patches. XLab’s count of 4,300 RTL819X infections and its warning that the number is still rising underscore how quickly idle infrastructure can be repurposed into espionage tooling.

https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html