Researchers have identified a previously undocumented botnet dubbed AryStinger that has compromised more than 4,000 legacy routers worldwide and repurposed them as attacker-controlled proxies for reconnaissance, tunneling, traffic interception, DNS tampering, and remote command execution. QiAnXin XLab said the campaign primarily targets outdated RTL819X-based devices, including D-Link DIR-850L and DIR-818LW routers, and also includes a newer Go-based variant aimed at NAS devices. Infections are concentrated in South Korea and China, with additional activity observed in Sweden, Malaysia, and Singapore.
The malware exploits long-known flaws including CVE-2013-3307 and CVE-2016-5681 on older Linksys and D-Link hardware, while the NAS-focused strain has been linked to CVE-2025-11837. XLab reported that AryStinger communicates with command-and-control servers over HTTP/HTTPS using Protobuf with XOR encryption, establishes persistence through Dropbear or gs-netcat, and appears designed less for DDoS or cryptomining than for building covert attack infrastructure. Researchers said attribution remains unclear and urged organizations and consumers to replace end-of-life routers, update firmware, change default administrator credentials, and disable remote management.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
A later report on the AryStinger campaign said the botnet had compromised more than 4,300 internet-facing devices, including older routers, NAS appliances, and embedded Linux systems. The update also reiterated that the malware is used for proxying, remote command execution, scanning, and persistence on neglected edge devices.
QiAnXin XLab publicly disclosed a previously undocumented botnet it named AryStinger, reporting that more than 4,000 legacy routers had been compromised worldwide. The report said the malware was being used primarily for proxying, tunneling, scanning, command execution, and reconnaissance rather than typical DDoS or cryptomining activity.
On April 26, 2026, researchers captured a related Go-based AryStinger variant targeting NAS devices. The NAS-focused strain exploited CVE-2025-11837 and was described as more advanced but with more limited spread than the router-focused variant.
QiAnXin XLab said it first observed the AryStinger campaign on March 12, 2026. The malware targeted outdated RTL819X-based routers by exploiting CVE-2013-3307 and CVE-2016-5681 to build attacker-controlled proxy and reconnaissance infrastructure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurityaffairs.com
Open sourcethehackernews.com
Open sourcegovinfosecurity.com
Open sourcelinuxsecurity.com
Open sourcebleepingcomputer.com
Open sourceblog.xlab.qianxin.com
Open sourcecdn.plume.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.