
AryStinger Botnet Hijacks 4,000+ Routers Worldwide

Hoplon InfoSec

21 Jun, 2026

AryStinger Botnet Hijacks 4,000+ Outdated Routers to Build a Global Attack Network

Security researchers at Qianxin's XLab have uncovered a new botnet called AryStinger that has already taken over more than 4,300 outdated D-Link and Linksys routers, mostly the DIR-850L and DIR-818LW models. Instead of using these devices for the usual DDoS or crypto mining jobs, the attacker turns them into "Executors," a distributed network of scanning and proxy nodes that quietly do reconnaissance work ahead of bigger intrusions.
A second, more advanced version written in Go is now targeting QNAP NAS devices through a freshly patched vulnerability. AryStinger can hijack DNS settings, snoop on all your traffic, and hand control of your network to a stranger on the other side of the world, all while staying nearly invisible to antivirus engines. Nobody has linked it to a known hacking group yet.

At a Glance: What You Need to Know

| Detail | Information |
| --- | --- |
| Malware name | AryStinger |
| Discovered by | Qianxin XLab (researchers Alex.Turing and Acey9) |
| First detected | March 12, 2026 |
| Infected devices | 4,300+ routers confirmed, still rising |
| Variants | RTL819X (C language, routers) and Standard (Go language, NAS) |
| Main targets | D-Link DIR-850L, DIR-818LW, plus QNAP NAS devices |
| Vulnerabilities used | CVE-2013-3307, CVE-2016-5681, CVE-2025-11837 |
| Top infected countries | South Korea, China, Sweden, Malaysia, Singapore |
| Core capability | Distributed scanning, DNS hijacking, traffic interception, remote command execution |
| Attribution | Unknown, no link to a known threat group yet |

If you only remember one thing from this article, let it be this: if your home or office is still running a D-Link DIR-850L or DIR-818LW router that hasn't seen a firmware update in years, there is a real chance it has already been turned into someone else's attack tool.

What is the AryStinger Botnet

AryStinger is the name security researchers gave to a previously unseen piece of malware that quietly takes over old, unsupported routers and storage devices and turns them into remote-controlled helpers for a hacker's larger operations. XLab spotted the activity for the first time on March 12, 2026, when their threat detection systems caught an IP address spreading a malicious file through two router vulnerabilities that are well over a decade old.

What makes AryStinger stand out is its purpose. Most router botnets exist to flood websites with junk traffic or to mine cryptocurrency in the background. AryStinger does something quieter and arguably more dangerous. It builds an army of devices that can scan the internet, map out targets, hide an attacker's identity, and prepare the ground for the real break-in that comes later.

Researchers refer to this early stage of an attack as footprinting, basically the digital version of casing a building before a robbery. AryStinger automates that process at a massive scale, using thousands of innocent-looking home routers as the eyes and hands doing the work.

Each infected device becomes what XLab calls an Executor. Think of it as a foot soldier that checks in with a command center, waits for instructions, and carries them out without the device owner ever noticing a thing.

Core Capabilities of AryStinger

  • Splitting large scanning jobs into small pieces and spreading them across thousands of devices
  • Building tunnels to proxy and forward network traffic, hiding the attacker's real location
  • Running shell commands and source code remotely on the infected device
  • Installing a persistent backdoor through tools like dropbear or gs-netcat
  • Hijacking DNS settings to redirect a victim's browsing
  • Silently monitoring all inbound and outbound traffic on the device

How AryStinger Actually Works

Once a router or NAS device gets infected, the malware goes through a fairly methodical setup process before it starts doing anything useful for the attacker.

First comes authentication. The bot collects fingerprint details from the device, things like its MAC address, internal and public IP addresses, operating system version, and processor architecture. This information is packaged up, encrypted, and sent to a command and control server. In return, the server hands back a unique Executor ID that the device will use to identify itself in every future conversation.

Next, the malware quietly installs a lightweight SSH server called dropbear (or, in the more advanced variant, a tool called gs-netcat) and configures the router's firewall rules to allow traffic through a specific port. This step builds a permanent remote login channel that survives even if the malicious process is killed, giving the attacker a way back in whenever they want.

From there, the device enters a waiting state, periodically checking in with the command server for new tasks. This is where the distributed scanning model comes into play. Rather than running one big scan from a single server, which is slow and easy to spot, the attacker breaks a massive scanning job into hundreds or thousands of small slices and hands each slice to a different Executor.

One router might be told to brute-force a narrow range of subdomains under a particular top-level domain, while another handles a completely different chunk. None of the individual pieces look alarming on their own, but together they let the attacker map huge sections of the internet in a fraction of the time it would normally take, all while making the traffic appear to come from thousands of separate, ordinary home connections instead of one suspicious source.

This kind of parallel, crowd-sourced reconnaissance is exactly the kind of activity that attack surface management programs are built to catch early, since it often shows up as small, scattered probing attempts rather than one obvious spike.
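The detection problem described above is easier to see in code than in prose. The following is an added example written for this article, not XLab's or Hoplon InfoSec's code. It parses constructed authoritative-DNS log lines in a simplified `timestamp client qname rcode` format (an assumption; real server logs differ) and contrasts two rules: a per-source query-count threshold, which sees nothing when each Executor only asks for a handful of names, and zone-level aggregation of NXDOMAIN answers across all clients, which catches the sliced wordlist as a whole.

```python
"""Spot distributed subdomain enumeration that stays under per-source thresholds.

Added example for this article (not XLab's or Hoplon InfoSec's code). The log
format is a constructed simplification: "<unix_ts> <client_ip> <qname> <rcode>".
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Query(NamedTuple):
    ts: float
    src: str
    qname: str
    rcode: str


def parse_log(lines: Iterable[str]) -> List[Query]:
    """Parse the simplified log; blank lines and '#' comments are skipped."""
    queries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, rcode = line.split()
        queries.append(Query(float(ts), src, qname.lower().rstrip("."), rcode.upper()))
    return queries


def zone_of(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Map a query name to the monitored zone it falls under, if any."""
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def noisy_sources(queries: List[Query], per_source_limit: int) -> List[str]:
    """The classic rule: flag any single client above a query-count threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for q in queries:
        counts[q.src] += 1
    return sorted(src for src, n in counts.items() if n > per_source_limit)


def detect_distributed_enumeration(
    queries: List[Query],
    zones: Iterable[str],
    min_sources: int = 5,
    min_unique_nx: int = 20,
) -> Dict[str, Dict[str, int]]:
    """Aggregate NXDOMAIN answers per zone across all clients.

    A zone is flagged when many distinct, individually quiet clients together
    ask for many distinct non-existent names under it: one wordlist sliced
    across many scanning nodes looks exactly like this.
    """
    nx_names: Dict[str, Set[str]] = defaultdict(set)
    nx_sources: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        if q.rcode != "NXDOMAIN":
            continue
        zone = zone_of(q.qname, zones)
        if zone is None:
            continue
        nx_names[zone].add(q.qname)
        nx_sources[zone].add(q.src)
    findings = {}
    for zone in nx_names:
        if len(nx_names[zone]) >= min_unique_nx and len(nx_sources[zone]) >= min_sources:
            findings[zone] = {"unique_nxdomain": len(nx_names[zone]), "sources": len(nx_sources[zone])}
    return findings


# Constructed sample: ten clients each ask for three non-existent names under
# example.com, mixed with ordinary resolvable lookups. Three queries per client
# is far below any sensible per-source threshold.
SAMPLE_LOG: List[str] = []
_t = 1700000000.0
for _i in range(10):
    for _j in range(3):
        _t += 0.7
        SAMPLE_LOG.append(f"{_t:.1f} 203.0.113.{_i + 10} probe{_i}{_j}.example.com NXDOMAIN")
SAMPLE_LOG += [
    "1700000030.0 198.51.100.7 www.example.com NOERROR",
    "1700000031.0 198.51.100.8 mail.example.com NOERROR",
    "1700000032.0 198.51.100.9 www.example.net NOERROR",
]

if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    print("per-source rule (limit 5):", noisy_sources(qs, 5))
    print("zone aggregation:", detect_distributed_enumeration(qs, ["example.com", "example.net"]))
```

Run against the constructed sample, the per-source rule returns an empty list while the zone aggregation reports example.com with 30 unique non-existent names from 10 sources. The thresholds are deliberately simple; in production you would compute them per time window and baseline them against the zone's normal NXDOMAIN rate.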

The Two Faces of AryStinger

XLab found that AryStinger actually comes in two distinct builds, written in different programming languages and aimed at different kinds of hardware. They behave the same way under the hood, but one is a stripped-down version built to run on weak old routers, while the other is a fuller-featured tool aimed at more capable storage devices.

| Feature | RTL819X Version | Standard Version |
| --- | --- | --- |
| Language | C | Go |
| Target devices | Legacy routers (D-Link, Linksys) | NAS devices |
| Spreads through | CVE-2013-3307, CVE-2016-5681 | CVE-2025-11837 |
| Task types | 1 (domain scanning) | 6 (script execution, DNS scan, HTTP scan, domain scan, IP scan, alive check) |
| Code execution | Not supported | Shell, Go, Java, Python source code |
| Persistence tool | dropbear | gs-netcat |
| Internal network scanning | No | Yes, via integrated pentest tools |
| Samples observed (as of this report) | 32 versions | 22 versions |

The reason for two separate builds comes down to hardware limits. Old routers running on RTL819X chipsets, which were popular roughly between 2012 and 2015, simply don't have the processing power or storage to run a full-featured Go binary. So the attacker scaled the malware down to its essential functions in lightweight C code for routers, while reserving the more advanced capabilities for the NAS-targeting Standard build, which runs on hardware with far more horsepower. XLab's analysis actually confirmed that the RTL819X version is a trimmed-down port of the Standard version's logic, not a separate project entirely.

The Vulnerabilities Behind the Attack

AryStinger doesn't rely on anything exotic. It exploits flaws that have been publicly known for years, in some cases over a decade, which says a lot about how many devices out there are still running ancient, unpatched firmware.

| CVE | Year Disclosed | Affected Devices | What It Does |
| --- | --- | --- | --- |
| CVE-2013-3307 | 2013 | Linksys X3000 and related models | Allows attackers to manipulate device parameters remotely, opening the door to unauthorized command execution |
| CVE-2016-5681 | 2016 | D-Link DIR-850L, DIR-890L, DIR-880L, DIR-868L, DIR-818L(W) | A stack-based buffer overflow that lets a remote attacker execute arbitrary code on the device |
| CVE-2025-11837 | 2025 | QNAP NAS devices running the Malware Remover app | A command injection flaw, demonstrated publicly at the Pwn2Own Ireland competition, that lets an attacker run arbitrary commands through the security tool itself |

There's a bit of dark irony in that last one. CVE-2025-11837 sits inside QNAP's own Malware Remover tool, the very software meant to clean infections off a NAS device. QNAP patched it quickly after it was demonstrated at Pwn2Own, but plenty of devices out there are still running the vulnerable version.

The older two CVEs tell a different story, one about patch abandonment rather than fresh disclosure. CVE-2016-5681 has had an official fix available from D-Link since 2016. The fact that it's still being actively exploited a decade later is not a failure of the patch; it's a failure of replacement.

These routers reached End of Life status years ago: D-Link's own records show the DIR-818L and DIR-818LW were retired from support back in May 2017, and the DIR-850L followed in March 2020. Once a device hits End of Life, it stops receiving firmware updates permanently, no matter how serious a newly discovered bug might be. Anyone still running one of these models is, by definition, running a device the manufacturer has already washed its hands of.

A proper vulnerability management process is built precisely to catch this kind of long-tail risk, flagging devices that have quietly aged out of support before an attacker finds them first.

Who's Actually Getting Hit

The devices most affected by AryStinger are overwhelmingly D-Link models, with one in particular standing far above the rest.

| Device Model | Share of Infections |
| --- | --- |
| DIR-850L | 75% |
| DIR-818LW | 13% |
| DIR-816L / DIR-818L / DWR-118 / DIR-817LW | 1.3% |
| Unidentified | 18% |

Both the DIR-850L and DIR-818LW have a history here. The FBI flagged these exact same models back in 2023 as part of its investigation into the AVrecon botnet, a separate malware campaign that hijacked tens of thousands of routers worldwide to sell their bandwidth as residential proxies through a service called SocksEscort. Lumen's threat intelligence team helped disrupt that operation in 2023, but the underlying problem (millions of old, unpatched routers still plugged into people's networks) never actually went away. AryStinger is proof of that. Different malware family, different operators as far as anyone can tell, but the exact same hardware getting hit all over again, years later.

That pattern matters. It tells you these vulnerable routers aren't a one-time target that got cleaned up and forgotten. They're a renewable resource for criminals. As long as the devices stay online, somebody will eventually find them and put them to use, whether that's this year's AryStinger or next year's unnamed successor.

Where the Infections Are Concentrated

| Country | Share of Infections |
| --- | --- |
| South Korea | 48.45% |
| China | 31.82% |
| Sweden | 6.40% |
| Malaysia | 3.50% |
| Singapore | 2.50% |
| Other regions | Remainder |

South Korea and China together account for roughly 80% of every known infection. That's a striking concentration, and it likely comes down to how these specific D-Link router models were distributed by ISPs and retailers in those markets over a decade ago. Once a particular router model ships in large volume through a regional carrier, it tends to stay in homes and small offices for years past its support window, simply because it still technically works and nobody thinks to replace hardware that "isn't broken."

What This Means for the People Using These Devices

The real-world consequences of an AryStinger infection break down into three categories, and none of them are minor.

Silent surveillance. Once a router is compromised, the attacker sits in the middle of every connection passing through it. Online banking sessions, work logins, private messages, all of it can be observed in transit. This is the kind of access that makes credential theft almost trivially easy.

DNS hijacking. AryStinger can rewrite a router's DNS settings without the owner's knowledge. That means every device on the network, phones, laptops, smart TVs, can be silently redirected to fake banking pages, phishing sites, or pages that try to install additional malware, all while the address bar shows what looks like a normal, trusted URL.

Becoming someone else's weapon. Perhaps the most uncomfortable part is that your router stops being just your problem. It becomes a launchpad. The attacker can route scans, intrusion attempts, or other malicious traffic through your connection, meaning if investigators ever trace an attack back to its source, that source is your home IP address, not the actual criminal sitting somewhere else entirely.

This is exactly the kind of layered risk that extended detection and response tooling is designed to catch, by correlating unusual outbound connections and DNS changes that a single device or a single alert might miss on its own.

Inside the NAS Variant: AryStinger's Most Capable Build

The Standard version of AryStinger, the one written in Go and aimed at NAS devices, is a noticeably more dangerous piece of software than its router-targeting sibling. It doesn't just scan and tunnel. It integrates real, well-known open-source penetration testing tools, including fscan, ksubdomain, httpx, and Tlsx, to perform serious internal network reconnaissance once it lands inside an environment. In practical terms, that means a single compromised NAS box sitting on a small business network could quietly map out every other device on that network, identify what's running on each one, and report all of it straight back to the attacker.

On top of that, this version supports remote execution of Shell commands as well as source code written in Go, Java, and Python. That flexibility is genuinely useful for an attacker, since they can write a small custom script on the fly and have it run on the infected device without needing to compile a separate binary for every possible processor architecture out there.

That flexibility comes with a tradeoff, though, and XLab's researchers were upfront about it. Running source code instead of a compiled binary means the device needs the right language runtime (Python, Java, or Go) already installed, and if it's missing, the attacker has to download and install it first, which adds noise and time.

Source files also have to be written to disk in plain text, and the command used to launch the interpreter shows up clearly in system logs. Compared to a fileless binary payload that runs entirely in memory, this approach leaves a much bigger trail for security tools like EDR and HIDS to pick up on. It's a real limitation, even if the technique gives attackers more flexibility in the short term.

If you're running NAS devices anywhere in your environment, this is a strong argument for routine penetration testing on internal network segments, not just the perimeter, since this is precisely the kind of lateral reconnaissance a real attacker (or a piece of malware acting on their behalf) would attempt once inside.

The DNS Abuse Risk Nobody Has Seen Yet

There's one more angle XLab flagged that's worth taking seriously even though it hasn't happened, at least not that anyone has caught. AryStinger's domain-scanning task is functionally similar to a tool called massdns, designed to fire off huge volumes of DNS lookups very quickly across many machines at once.

That same distributed scanning infrastructure could, in theory, be redirected at a DNS resolver instead of a list of subdomains. Flood a resolver with millions of simultaneous lookup requests from thousands of different IP addresses, and you have the makings of a DNS-based denial-of-service attack, the kind that can knock domain resolution offline for an entire service or region. XLab was clear that they haven't observed this happening with AryStinger specifically. But the architecture is already sitting there, fully capable of it, which is exactly the kind of latent risk that should be on every defender's radar even before it gets weaponized.

Router Connecting to C2 (Source: XLab)

Who's Behind AryStinger

Here's the honest answer: nobody knows yet. XLab's researchers were direct about this in their report, stating plainly that the campaign hasn't been tied to any previously known hacking group or activity cluster.

Normally, researchers attribute a new botnet to a known actor by spotting overlaps, shared command and control infrastructure, reused chunks of code, similar naming conventions, or operational patterns that match something seen before. With AryStinger, none of those signals have lined up yet. The malware's hardcoded encryption key contains the string "2024," which has led researchers to wonder out loud whether this operator has actually been active since 2024, quietly building infrastructure long before anyone noticed. That's speculation, not confirmation, but it's a reasonable question given how much groundwork goes into a botnet of this design.

For defenders, "attribution unknown" doesn't change much in practice. It just means there's no existing threat profile to lean on, no known playbook of "this group always does X next." You're defending against an unknown quantity, which honestly is the more common situation in cybersecurity than the headlines usually suggest.

How AryStinger Compares to Other Router and IoT Botnets

AryStinger isn't the first or only botnet built on top of compromised routers and IoT gear, and it helps to see where it sits relative to a few names that have made headlines recently.

| Botnet | Primary Targets | Main Purpose | Scale | Status |
| --- | --- | --- | --- | --- |
| AryStinger | Legacy D-Link/Linksys routers, QNAP NAS | Distributed scanning, proxying, reconnaissance | 4,300+ devices (rising) | Active, newly disclosed |
| AVrecon | Small office and home routers | Residential proxy network for SocksEscort | Tens of thousands at peak | Disrupted in 2023, legacy devices still at risk |
| Mirai (and descendants) | Wide range of IoT devices | DDoS attacks | Has spawned countless large-scale variants over the years | Variants still active today |
| AISURU | Home routers (Totolink and others) | Record-breaking DDoS, residential proxy services | Around 300,000 devices at peak | Active |

What sets AryStinger apart from most of this list is intent. Mirai-style botnets exist mainly to generate brute traffic for DDoS attacks. AISURU has leaned into both DDoS and proxy monetization. AryStinger, by contrast, is built almost entirely around reconnaissance and stealthy access: scanning, tunneling, mapping, command execution, the groundwork that comes before a more targeted intrusion rather than the loud, disruptive attack itself. That's arguably what makes it more concerning for enterprise defenders specifically, since it's built to support precision attacks rather than indiscriminate noise.

Why Old Routers Keep Coming Back as a Problem

It's worth stepping back and asking why this keeps happening. The honest answer is that End of Life doesn't mean a device stops working; it just means the manufacturer stops fixing it. A router that still connects to the internet just fine has no obvious reason, from a typical user's point of view, to be replaced. Nobody sees a blinking warning light when a firmware update silently stops being available.

For home users, the economics are simple: the device works, replacing it costs money, and the risk feels abstract until something actually goes wrong. For businesses, it's often worse, since a small branch office router or an old NAS box tucked in a closet can get forgotten entirely, sometimes for years, especially if IT staff turnover means nobody currently on the team even knows it's there. This is exactly the blind spot that security gap assessments are designed to surface, the unmanaged, unmonitored hardware that nobody has thought about since the day it was installed.

Why This Matters Even More for Businesses

It's tempting to file this under "home user problem," but that undersells the risk. Remote work has put consumer-grade routers, the exact kind AryStinger targets, directly on the edge of corporate networks in countless small offices and home offices. A NAS device used for shared file storage in a small business is an even more direct target, often holding sensitive client data, financial records, or backups.

There's also a supply chain angle worth thinking about. A compromised router or NAS sitting on a vendor's or partner's network can become a quiet entry point into a larger business relationship, the kind of indirect exposure that rarely shows up on a standard asset inventory. Organizations serious about this risk often bring in virtual CISO services specifically to build out the policies and oversight needed to track hardware lifecycle across distributed teams and third parties, something that's easy to overlook when nobody owns the problem full time.

How to Tell If You've Been Hit

There's no single alarm bell here, but a few signs are worth watching closely.

  • Unusual outbound traffic, especially connections to unfamiliar domains, happening at odd hours or in regular automated bursts
  • DNS settings on your router that you didn't change yourself
  • A router or NAS that feels noticeably slower than usual, with no clear cause
  • Unrecognized processes or open ports on a NAS device, particularly anything tied to SSH activity on a port you don't remember configuring
  • New or unfamiliar admin accounts on the device's management panel

XLab specifically recommends checking for processes named syswapd0h or syswapd0w, along with any files sitting in a /tmp/bin directory, as direct indicators tied to AryStinger samples observed so far. If you find anything matching that description, treat the device as compromised and move straight to remediation.

If you're not confident reading through device logs and traffic patterns yourself, a digital forensic investigation can confirm whether a device has actually been compromised and trace how far the access may have spread into the rest of your network.
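The first sign in the list above, outbound connections in regular automated bursts, is the defender's view of the check-in loop described earlier in "How AryStinger Actually Works": an Executor waiting for tasks contacts its command server on a schedule, and a schedule has a rhythm that human traffic does not. The following is an added example for this article, not XLab's or Hoplon InfoSec's code. It takes constructed connection records in a simplified `timestamp src dst dport` format (an assumption; a real router log or NetFlow export carries more fields), groups them by peer, and flags peers whose inter-arrival gaps are nearly constant, while skipping destinations you have deliberately configured, such as your own DNS resolver.

```python
"""Flag periodic outbound connections ("beaconing") in a constructed flow log.

Added example for this article (not XLab's or Hoplon InfoSec's code). Flow
format is a constructed simplification: "<unix_ts> <src_ip> <dst_ip> <dst_port>".
"""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse the simplified flow log; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport)))
    return flows


def find_periodic_peers(
    flows: List[Flow],
    known_destinations: Set[str],
    min_events: int = 6,
    max_jitter: float = 0.15,
) -> List[Dict[str, object]]:
    """Group flows by (src, dst, dport) and flag near-constant inter-arrival gaps.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: browsing is bursty (high jitter), a scheduled
    check-in is not. Destinations you configured yourself are skipped.
    """
    groups: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for f in flows:
        if f.dst in known_destinations:
            continue
        groups[(f.src, f.dst, f.dport)].append(f.ts)

    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "events": len(times),
                "period_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            })
    return findings


# Constructed sample. 192.168.1.1 is the router itself: its connections to
# 198.51.100.23:8443 recur every ~300 s with slight jitter (a check-in loop),
# its lookups to 192.0.2.53 are also periodic but that is the resolver we set,
# and 192.168.1.20 is a laptop browsing normally. All addresses are placeholders.
_BASE = 1700000000
SAMPLE_FLOWS = (
    [f"{_BASE + 300 * i + j} 192.168.1.1 198.51.100.23 8443"
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
    + [f"{_BASE + 300 * i} 192.168.1.1 192.0.2.53 53" for i in range(8)]
    + [f"{_BASE + t} 192.168.1.20 203.0.113.77 443"
       for t in (5, 11, 130, 135, 600, 602, 1500, 3000)]
)

if __name__ == "__main__":
    for hit in find_periodic_peers(parse_flows(SAMPLE_FLOWS), {"192.0.2.53"}):
        print(hit)
```

On the sample, only the router's connections to 198.51.100.23:8443 are reported (8 events, period about 300 s, jitter under 1%); the laptop's browsing is far too irregular, and the resolver traffic is excluded by the known-destination set. Without that set the resolver would be flagged too, which is the point: periodicity alone is a lead, not a verdict, and the allowlist is what keeps the rule from paging you about NTP and DNS.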

Mitigation and Defense Checklist

The official recommendations from both XLab and D-Link line up closely, and they're worth treating as non-negotiable rather than optional advice.

  • Replace any End of Life router or NAS device with a currently supported model that still receives security updates
  • Apply the latest available firmware immediately, if your device hasn't already aged past the point of receiving any
  • Change the default administrator password to something strong and unique
  • Disable remote management on the device unless you have a specific, ongoing reason to need it
  • Segment IoT and networking devices onto a separate part of your network, away from sensitive systems and data
  • Monitor outbound traffic for connections to unfamiliar domains or unusual data volumes
  • Set up DNS monitoring so you're alerted the moment resolver settings change unexpectedly
  • Run regular firmware update audits across every device on the network, not just the obvious ones like laptops and servers
  • Apply NAS-specific hardening, including disabling unused services, restricting admin panel access by IP, and reviewing installed apps regularly
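The host-side indicators XLab published in "How to Tell If You've Been Hit" (the syswapd0h and syswapd0w process names, anything under /tmp/bin, an SSH listener on an unexpected port) and the DNS monitoring item in the checklist above can be checked together with a small triage script. The following is an added example for this article, not XLab's or Hoplon InfoSec's code. It works on captured text (so it also runs on the constructed sample embedded below) and, on a Linux-based NAS, can gather the same inputs live, assuming a procps-style `ps` and iproute2 `ss` are present; busybox-based routers usually lack both, so for a router you would paste the output of its own status pages instead. The port number and addresses in the sample are constructed placeholders, not observed AryStinger values.

```python
"""Host triage for a Linux-based NAS or router: AryStinger indicators plus DNS drift.

Added example for this article (not XLab's or Hoplon InfoSec's code). The
live collector assumes procps-style `ps` and iproute2 `ss`; the sample data
below is constructed and its port/addresses are placeholders.
"""
import os
import subprocess
from typing import Dict, Iterable, List, Set

# Process names and staging directory XLab reported for AryStinger samples (from the article).
IOC_PROCESS_NAMES = {"syswapd0h", "syswapd0w"}
IOC_STAGING_DIR = "/tmp/bin"


def match_process_indicators(ps_output: str, names: Set[str] = IOC_PROCESS_NAMES) -> List[Dict[str, str]]:
    """Scan `ps -eo pid,comm,args` text for the reported names (exact match on comm)."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[1] in names:
            hits.append({"pid": parts[0], "comm": parts[1], "args": parts[2] if len(parts) > 2 else ""})
    return hits


def files_in_staging_dir(paths: Iterable[str], staging_dir: str = IOC_STAGING_DIR) -> List[str]:
    """Any file under the staging directory is an indicator; return the ones present."""
    prefix = staging_dir.rstrip("/") + "/"
    return sorted(p for p in paths if p.startswith(prefix))


def unexpected_listeners(ss_output: str, expected_ports: Set[int]) -> List[int]:
    """Parse `ss -ltn` text and return listening TCP ports not on the expected list."""
    ports = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            ports.add(int(parts[3].rsplit(":", 1)[1]))  # rsplit copes with [::]:port
    return sorted(ports - expected_ports)


def dns_drift(resolv_conf: str, expected_resolvers: Set[str]) -> List[str]:
    """Return nameserver entries that are not the resolvers you configured."""
    current = [ln.split()[1] for ln in resolv_conf.splitlines()
               if ln.strip().startswith("nameserver") and len(ln.split()) > 1]
    return [ip for ip in current if ip not in expected_resolvers]


def triage(ps_output: str, paths: Iterable[str], ss_output: str, resolv_conf: str,
           expected_ports: Set[int], expected_resolvers: Set[str]) -> Dict[str, list]:
    """Combine the four checks into one report."""
    return {
        "ioc_processes": match_process_indicators(ps_output),
        "staging_files": files_in_staging_dir(paths),
        "unexpected_ports": unexpected_listeners(ss_output, expected_ports),
        "dns_drift": dns_drift(resolv_conf, expected_resolvers),
    }


def is_compromised(report: Dict[str, list]) -> bool:
    """Either XLab indicator alone means: treat the device as compromised and remediate."""
    return bool(report["ioc_processes"] or report["staging_files"])


def _run(cmd: List[str]) -> str:
    """Run a command and return stdout, or '' when the tool is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def collect_live(expected_ports: Set[int], expected_resolvers: Set[str]) -> Dict[str, list]:
    """Gather the same inputs from the running host (Linux with procps `ps` and iproute2 `ss`)."""
    paths = [os.path.join(root, name) for root, _, names in os.walk(IOC_STAGING_DIR) for name in names]
    try:
        with open("/etc/resolv.conf") as fh:
            resolv = fh.read()
    except OSError:
        resolv = ""
    return triage(_run(["ps", "-eo", "pid,comm,args"]), paths, _run(["ss", "-ltn"]),
                  resolv, expected_ports, expected_resolvers)


# Constructed sample of what a positive result looks like (port 2424 is a placeholder).
SAMPLE_PS = """  PID COMMAND         COMMAND
    1 init            /sbin/init
  742 dropbear        /tmp/bin/dropbear -p 2424
  915 syswapd0h       /tmp/bin/syswapd0h
"""
SAMPLE_PATHS = ["/tmp/bin/dropbear", "/tmp/bin/syswapd0h", "/etc/passwd", "/tmp/log.txt"]
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    0.0.0.0:2424      0.0.0.0:*
LISTEN 0      128    [::]:53           [::]:*
"""
SAMPLE_RESOLV = "nameserver 198.51.100.200\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    report = triage(SAMPLE_PS, SAMPLE_PATHS, SAMPLE_SS, SAMPLE_RESOLV, {80, 53}, {"192.0.2.53"})
    print(report, "-> compromised" if is_compromised(report) else "-> clean")
```

To use it live, call `collect_live({22, 80, 443}, {"192.0.2.53"})` with the ports and resolvers you actually configured for that device. A non-empty `dns_drift` or `unexpected_ports` result is a reason to look closer; a non-empty `ioc_processes` or `staging_files` result is, per XLab, a reason to stop looking and start remediating.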

For organizations managing more devices than they can track by hand, automated attack surface management takes a lot of this manual checking off your plate, continuously scanning for exactly this kind of exposed, outdated hardware before it becomes someone else's entry point.

How Hoplon InfoSec Can Help

Old hardware sitting quietly on a network is one of the most common blind spots we see across both small businesses and larger enterprises. Our cyber resilience assessment service is built to surface exactly this kind of forgotten, unsupported device before an attacker finds it first, giving you a clear, prioritized picture of where your actual risk sits.

If you suspect a device on your network may already be compromised, our incident response and recovery team can move quickly to contain the threat, confirm the scope of access, and get your environment back to a verified clean state. And for teams that want ongoing visibility rather than a one-time check, security on demand experts can provide continuous monitoring without the overhead of building out a full in-house team.

Key Takeaways

AryStinger is a fresh reminder of an old problem that refuses to go away. Routers and NAS devices that quietly age past their support window don't stop working; they just stop being protected, and that gap is exactly where campaigns like this one thrive.

With over 4,300 devices already compromised and a more advanced NAS-focused variant actively spreading through a vulnerability patched only recently, this isn't a theoretical risk sitting in a research paper. It's an active campaign, right now, built specifically to stay hidden while it does the early groundwork for bigger intrusions down the line.

If there's one action worth taking away from this, it's a simple inventory check: walk through every router, NAS box, and piece of network hardware in your home or office and ask honestly whether it's still receiving updates from its manufacturer. If the answer is no, that device needs a plan, either replacement or, at minimum, isolation from the rest of your network, before it becomes somebody else's tool instead of yours.
