AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html

Publish Date: 2026-06-22 02:57:00

Source Domain: thehackernews.com

Swati Khandelwal | Jun 22, 2026 | IoT Security / Vulnerability

A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin’s XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising.

The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator.

Each router becomes a footprinting node and a relay that hides where the real attacker is.

Old chips, older bugs

The campaign goes after routers built on Realtek’s RTL819X chips, hardware that was current around 2012 to 2015. XLab first saw it on March 12, 2026, spreading from a single IP, 107.150.106.14.

The binary it pushed was a Linux ELF that no engine on VirusTotal flagged, exploiting two flaws from another era: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones.

The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent. By geography, it skews to South Korea (around 48 percent) and China (around 32 percent), then Sweden, Malaysia, and Singapore.

A second strain appeared on April 26, aimed at QNAP NAS boxes through CVE-2025-11837, a code injection flaw in QNAP’s Malware Remover. The bug was shown at Pwn2Own Ireland 2025 and patched in November 2025, months before this strain began using it.

The way in is the appliance’s own malware-removal tool. XLab hasn’t measured the NAS infections, so the 4,300 figure covers RTL819X routers only.

Two builds, same job

One build is lean, and one is fuller. The router build is written in C and kept light, because the old hardware can’t run more, so it sticks to mass DNS scanning and traffic tunneling. The NAS build is written in Go and does much more. It scans internal and…
