AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network
A newly documented botnet called AryStinger has infected more than 4,300 legacy routers and turned them into a distributed proxy and reconnaissance network for attackers.
The campaign was detailed by QiAnXin XLab, which said the malware mainly targets old router devices based on RTL819X series chips. The infected devices can scan networks, identify services, enumerate subdomains, tunnel traffic, and help attackers hide their real location.
The campaign is not a typical router botnet built mainly for DDoS attacks or cryptomining. AryStinger appears designed for reconnaissance and attack preparation, making compromised home and small-office routers part of a wider intrusion support network.
Old Router Flaws Are Being Exploited Again
XLab said its network-wide threat monitoring system first detected the campaign on March 12, 2026, when IP address 107.150.106.14 was seen spreading an ELF malware sample through CVE-2013-3307 and CVE-2016-5681.
The CVE-2013-3307 entry describes an OS command injection issue affecting several older Linksys E-series routers. The CVE-2016-5681 entry describes a critical D-Link router buffer overflow that can allow remote code execution.
Many of the targeted devices are long past active support. That makes them attractive to attackers because owners may never receive new firmware fixes, even when the devices remain exposed to the internet.
| Target area | Observed detail | Why it matters |
|---|---|---|
| Legacy routers | RTL819X-based devices, mainly D-Link models | Old hardware often remains online without current security updates |
| Known flaws | CVE-2013-3307 and CVE-2016-5681 | Attackers can reuse old vulnerabilities against unpatched devices |
| NAS devices | Related samples used CVE-2025-11837 | The campaign may extend beyond routers |
| Botnet purpose | Scanning, proxying, tunneling, and task execution | Compromised devices can support later intrusions |
AryStinger Turns Routers Into Executor Nodes
After infection, AryStinger registers the compromised device with a command-and-control server. It sends device fingerprint data such as MAC address, IP information, operating system version, and CPU architecture.
The server then assigns the device an Executor ID. Each infected router becomes a managed worker node that can receive a small part of a much larger scanning or reconnaissance task.
This design lets attackers split work across many compromised devices at once. Instead of scanning from one obvious server, they can distribute activity through routers spread across different countries and networks.
- Runs distributed port scanning and service discovery.
- Supports DNS scanning and subdomain enumeration.
- Can act as a traffic tunnel or proxy.
- Helps attackers hide their real infrastructure.
- Can provide a foothold for deeper network intrusion.
D-Link Routers Make Up Most Known Infections
According to XLab’s infection data, the botnet had compromised at least 4,300 routers at the time of its report, and the number was still rising.
The known router infections were mostly D-Link devices. DIR-850L routers accounted for about 75% of the total, followed by DIR-818LW at about 13%. Other listed models included DIR-816L, DIR-818L, DWR-118, and DIR-817LW.
Geographically, XLab reported the highest known share in South Korea at 48.45%, followed by China at 31.82%, Sweden at 6.40%, Malaysia at 3.50%, and Singapore at 2.50%.
| Device or country | Share of known router infections |
|---|---|
| D-Link DIR-850L | 75% |
| D-Link DIR-818LW | 13% |
| Other listed D-Link models | 1.3% |
| Unknown devices | 18% |
| South Korea | 48.45% |
| China | 31.82% |
Two AryStinger Versions Target Different Devices
AryStinger has two main versions. The RTL819X version is written in C and targets older Linksys and D-Link routers. It is a lighter build focused mainly on DNS scanning and tunnel functions.
The Standard version is written in Go and targets NAS devices. It has a broader feature set, including internal and external network scanning, HTTP alive checks, remote command execution, and payload execution.

The Standard version was captured on April 26 and was linked to CVE-2025-11837. QNAP’s security advisory says the flaw affects Malware Remover 6.6.x and can let remote attackers bypass protection mechanisms and execute arbitrary code.
QNAP Fixed the NAS Vulnerability
The QNAP advisory lists CVE-2025-11837 as resolved in Malware Remover 6.6.8.20251023 and later. The company recommends updating Malware Remover through App Center.
The NVD entry for CVE-2025-11837 describes the issue as improper control of code generation and assigns it a critical CVSS 3.1 score of 9.8. That means exposed or outdated NAS systems should be checked quickly.
XLab said its 4,300-plus figure only reflects AryStinger infections on RTL819X-class routers. The number of infected NAS devices remains unknown, so the full size of the operation may be larger.
Why AryStinger Is Dangerous
AryStinger gives attackers infrastructure that looks like normal consumer or small-business traffic. That makes blocking and attribution harder because attack traffic can appear to come from ordinary routers.
A Malwarebytes analysis also notes that AryStinger can put device owners at risk, since a compromised router can expose privacy, security, and network integrity.
For attackers, infected routers can support early-stage reconnaissance before a larger intrusion. For device owners, the same compromise can slow networks, redirect traffic, tamper with DNS, and create a hidden path into the local network.
- Compromised routers can hide attacker traffic.
- Old firmware can leave devices permanently vulnerable.
- DNS tampering can redirect users to malicious destinations.
- Traffic tunneling can make the device part of another attack.
- Weak monitoring on routers gives attackers more time to operate.
How Users Can Check for AryStinger
Router owners and network teams should look for outbound traffic to the reported C2 and downloader domains. They should also inspect the /tmp/bin directory on exposed devices for unknown files.
XLab recommends checking for processes named syswapd0h or syswapd0w. Those process names were associated with the RTL819X version of AryStinger.

The NVD description of CVE-2016-5681 shows that the affected D-Link device list includes several router families, including DIR-850L, DIR-817, DIR-818LW, DIR-822, DIR-823, DIR-895L, DIR-890L, DIR-885L, DIR-880L, and DIR-868L variants. Owners of those models should confirm whether their firmware is current or whether the device has reached end of life.
Indicators of Compromise
The following indicators can help defenders search logs and devices for AryStinger activity. They should be used together with behavior-based detection because attackers can change infrastructure and sample hashes.
| Type | Indicator | Description |
|---|---|---|
| Scanner IP | 107.150.106.14 | IP used to spread AryStinger through older router vulnerabilities |
| C2 domain | opi7[.]com | AryStinger command-and-control server |
| C2 domain | xook[.]ajb8[.]com | AryStinger command-and-control server |
| C2 domain | xonice[.]ahb8[.]com | AryStinger command-and-control server |
| C2 domain | eixfi[.]ajb8[.]com | AryStinger command-and-control server |
| C2 domain | dybic[.]ajb8[.]com | AryStinger Standard version C2 |
| Tunnel C2 | sdkv1[.]dataexplore[.]cc | AryStinger tunnel command-and-control server |
| Tunnel C2 | sdkv1[.]dataexplore[.]co | AryStinger tunnel command-and-control server |
| Downloader domain | hgodpcx[.]auq8[.]com | Downloader server for AryStinger Standard version |
| Downloader domain | hgodpcx[.]ajb8[.]com | Downloader server for AryStinger RTL819X version |
| Downloader domain | io[.]ary2[.]com | Additional downloader domain |
| Process name | syswapd0h | AryStinger malicious process name for the RTL819X variant |
| Process name | syswapd0w | AryStinger malicious process name for the RTL819X variant |
| File name | nat_tunnel-linux-x86_64 | AryStinger tunnel tool binary |
| Hardcoded key | sh_#@!_2024_secret | Hardcoded XOR communication key reported by XLab |
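The sweep described in the two sections above (outbound traffic to the listed domains, the scanner IP, the /tmp/bin directory, the syswapd0h/syswapd0w process names, the tunnel binary and the hardcoded key) can be scripted from the table. The following is an added example, not code from XLab, Malwarebytes or the article: it refangs the published indicators and checks them against constructed sample data. The log lines, process list, file paths and byte blob are all made up for illustration; the indicator values themselves are the ones in the table.

```python
"""Added example (not XLab's, Malwarebytes' or the article's own code):
sweep constructed sample data for the AryStinger indicators in the table.
Every log line, process name, file path and byte blob below is constructed."""
import re

# Indicators as published, defanged with "[.]" (values from the article's table).
DEFANGED_DOMAINS = [
    "opi7[.]com", "xook[.]ajb8[.]com", "xonice[.]ahb8[.]com",
    "eixfi[.]ajb8[.]com", "dybic[.]ajb8[.]com",
    "sdkv1[.]dataexplore[.]cc", "sdkv1[.]dataexplore[.]co",
    "hgodpcx[.]auq8[.]com", "hgodpcx[.]ajb8[.]com", "io[.]ary2[.]com",
]
SCANNER_IPS = {"107.150.106.14"}
PROCESS_NAMES = {"syswapd0h", "syswapd0w"}
TUNNEL_BINARIES = {"nat_tunnel-linux-x86_64"}
HARDCODED_KEY = b"sh_#@!_2024_secret"  # XOR key reported by XLab
WATCHED_DIR = "/tmp/bin"  # directory the article says to inspect


def refang(indicator):
    """'xook[.]ajb8[.]com' -> 'xook.ajb8.com' (lowercased, no trailing dot)."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(hostname):
    """True when hostname is an IoC domain or any subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


# Hostnames need an alphabetic final label, so dotted IPs are not caught here.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log_lines(lines):
    """Return (line_no, kind, indicator) for each DNS/firewall line hitting an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                hits.append((n, "domain", host.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in SCANNER_IPS:
                hits.append((n, "ip", ip))
    return hits


def scan_processes(proc_names):
    """Process names matching the RTL819X variant's reported names."""
    return sorted(p for p in proc_names if p in PROCESS_NAMES)


def scan_files(paths):
    """Flag the known tunnel binary anywhere, and any file at all under /tmp/bin."""
    flagged = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name in TUNNEL_BINARIES:
            flagged.append((p, "known tunnel binary name"))
        elif p.startswith(WATCHED_DIR + "/"):
            flagged.append((p, "unexpected file under " + WATCHED_DIR))
    return flagged


def blob_has_key(blob):
    """True if a binary's bytes contain the reported hardcoded XOR key."""
    return HARDCODED_KEY in blob


# Constructed sample inputs (not real captures).
SAMPLE_LOG = [
    "2026-05-02T10:01:11Z dns query src=192.168.1.23 A www.example.com",
    "2026-05-02T10:01:15Z dns query src=192.168.1.1 A xook.ajb8.com",
    "2026-05-02T10:02:03Z dns query src=192.168.1.1 A sdkv1.dataexplore.cc",
    "2026-05-02T10:02:40Z dns query src=192.168.1.23 A updates.vendor.example",
    "2026-05-02T09:58:00Z fw INBOUND SRC=107.150.106.14 DST=203.0.113.7 DPT=80",
    "2026-05-02T09:59:00Z fw INBOUND SRC=198.51.100.20 DST=203.0.113.7 DPT=443",
]
SAMPLE_PROCS = ["init", "httpd", "syswapd0h", "dnsmasq"]
SAMPLE_FILES = ["/usr/sbin/httpd", "/tmp/bin/xa1", "/tmp/nat_tunnel-linux-x86_64"]
SAMPLE_BLOB = b"\x7fELF...constructed..." + HARDCODED_KEY + b"..."


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log hit:", hit)
    print("processes:", scan_processes(SAMPLE_PROCS))
    print("files:", scan_files(SAMPLE_FILES))
    print("key in sample blob:", blob_has_key(SAMPLE_BLOB))
```

Subdomain matching is deliberate: the table lists hosts under ajb8[.]com and dataexplore[.]cc, and a resolver log may show a sibling label the report did not list, so a hit on the parent zone is worth reviewing rather than ignoring. The /tmp/bin rule flags every file there because the article's advice is to inspect the directory for unknown files, not to look for one name.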
Replace Unsupported Routers Where Possible
The safest fix for many affected routers is replacement. If a router has not received firmware updates for years, users should move to a supported model rather than rely on exposed outdated firmware.
The Linksys CVE-2013-3307 record shows how older web-management flaws can remain useful to attackers long after the original devices disappear from normal vendor support cycles.
Security teams should also review the NVD details for CVE-2025-11837 when assessing QNAP NAS exposure, since AryStinger’s Standard version targeted NAS devices through that vulnerability.
The broader lesson is simple. Edge devices that users forget about can become attacker infrastructure. A final review from Malwarebytes reaches the same practical conclusion: unsupported routers that remain online give attackers a durable place to hide.
FAQ
AryStinger is a botnet malware family that compromises legacy routers and some NAS devices. It turns infected systems into proxy and reconnaissance nodes that can scan networks, tunnel traffic, and help attackers hide their real infrastructure.
QiAnXin XLab reported at least 4,300 infected RTL819X-class routers. The figure does not include the unknown number of NAS devices that may also be affected.
Known infections mostly involve D-Link routers, especially the DIR-850L and DIR-818LW. XLab also captured a Standard version targeting NAS devices through CVE-2025-11837.
AryStinger can register the device with a C2 server, receive scanning tasks, perform port and DNS scanning, identify services, tunnel traffic, proxy attacker activity, and support remote management channels.
Users should update router and NAS firmware, update QNAP Malware Remover where applicable, check for suspicious processes such as syswapd0h and syswapd0w, review outbound traffic to reported domains, and replace routers that no longer receive security updates.