Malware Botnet AryStinger Compromises Thousands of Outdated Routers
A newly discovered malware botnet named AryStinger has infiltrated over 4,000 outdated routers, repurposing them into proxies for malicious activities. According to researchers at Qianxin’s XLab threat intelligence team, this malware transforms infected devices into remotely controlled “executors” capable of executing tasks such as scanning, proxying, tunneling, command execution, and more on behalf of the attacker.
The XLab researchers note that the attacker can split scanning tasks across many executors and run them in parallel, which raises the success rate of follow-on intrusions. This distributed design lets the attacker complete early "footprinting" of targets quickly and at scale.
Beyond using compromised routers as proxies, XLab warns that AryStinger can alter a router's DNS settings. Because clients behind a home router typically inherit its resolver via DHCP, this lets the attacker redirect users' DNS lookups, intercept their browsing, and covertly monitor, and potentially exfiltrate, traffic passing through the device.
Server distributing AryStinger scan jobs (Source: XLab)
AryStinger exploits vulnerabilities in older routers, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, primarily targeting D-Link DIR-850L and D-Link DIR-818LW routers. These same models were previously targeted by the AVrecon malware botnet, which was disrupted by Lumen in 2023.
Telemetry data from Qianxin shows that nearly half of all infections are concentrated in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).
XLab researchers identified two variants of AryStinger: a C-based version focusing on outdated routers and a Go-based version targeting NAS systems, albeit with limited reach at present.
Infected router establishing C2 communication (Source: XLab)
The NAS variant of AryStinger is more advanced, featuring capabilities such as IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through integrated open-source penetration testing tools.
While AryStinger's DNS-scanning capability could in principle be repurposed for large-scale DNS query attacks, XLab did not observe it being used that way.
For code execution, the NAS version accepts shell commands as well as Go, Java, and Python source code. Shipping source code rather than compiled binaries has drawbacks, however: the target must have the matching language runtime or toolchain installed, and invoking it is noisier than running a native binary, which hurts stealth.
The researchers have not attributed AryStinger to any known activity cluster, emphasizing that many mysteries surrounding the malware remain unresolved.
Owners of end-of-life (EoL) routers should replace them with actively supported models, since no fix will ship for the flaws these devices carry. For routers that are still supported, apply the latest firmware, change the default administrator password, and disable remote management so the admin interface is not reachable from the WAN side.