A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin’s XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising.
The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator.
Each router becomes a footprinting node and a relay that hides where the real attacker is.
Old chips, older bugs
The campaign goes after routers built on Realtek’s RTL819X chips, hardware that was current around 2012 to 2015. XLab first saw it on March 12, 2026, spreading from a single IP, 107.150.106.14.
The binary it pushed was a Linux ELF that no engine on VirusTotal flagged, exploiting two flaws from another era: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones.
The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent. By geography, it skews to South Korea (around 48 percent) and China (around 32 percent), then Sweden, Malaysia, and Singapore.
A second strain appeared on April 26, aimed at QNAP NAS boxes through CVE-2025-11837, a code injection flaw in QNAP’s Malware Remover. The bug was shown at Pwn2Own Ireland 2025 and patched in November 2025, months before this strain began using it.
The way in is the appliance’s own malware-removal tool. XLab hasn’t measured the NAS infections, so the 4,300 figure covers RTL819X routers only.
Two builds, same job
One build is lean, and one is fuller. The router build is written in C and kept light, because the old hardware can’t run more, so it sticks to mass DNS scanning and traffic tunneling. The NAS build is written in Go and does much more. It scans internal and external networks and runs recon tools like fscan, ksubdomain, and httpx. A “ScriptWork” task executes attacker-supplied Go, Java, or Python source code on the box, so the operator never has to compile a binary per target.
Each infected node, which XLab calls an Executor, talks to its C2 over HTTP/HTTPS, with Protobuf-encoded traffic obfuscated by a simple XOR (the Go build adds gzip). The operator splits a large scan into chunks and spreads them across the fleet, footprinting in parallel.
XLab says the same DNS scanning can be aimed at resolvers to generate denial-of-service traffic. Persistence comes from a Dropbear SSH server on a fixed port, 2332 on routers, or gs-netcat on NAS. The hardcoded key, sh_#@!_2024_secret, carries a “2024” that may point to a 2024 start, though XLab can’t confirm it.
Where this fits
The shape is familiar. In May 2025, the FBI and Justice Department tore down the 5socks and Anyproxy services, which had turned years-old Linksys and Cisco routers running TheMoon malware into residential proxies sold by the month. The espionage version looks much the same.
Mandiant has tracked operational relay box networks, or ORBs: meshes of compromised end-of-life routers and IoT that state actors use to scan and relay while staying hard to trace. Recent router ORBs like LapDogs farm devices through n-day bugs the way AryStinger does.
AryStinger isn’t pinned to anyone yet, and XLab says it’s still working on who is behind it. What’s clear is the model: forgotten hardware, ancient CVEs, turned into quiet infrastructure for the opening moves of an intrusion.
What to do
If you run any of the affected gear, the checks are simple. Look for outbound connections to AryStinger’s C2 and download domains (the ajb8.com and related hosts in XLab’s IOC list), check /tmp/bin for binaries you didn’t put there, and look for processes named syswapd0h or syswapd0w.
The durable fix is the one everyone keeps repeating: retire end-of-life routers that no longer get firmware, and turn off remote administration on anything exposed. A box that stopped getting patches in 2016 is not going to start now.
