A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them into proxies for malicious traffic.
Researchers at Qianxin’s XLab threat intelligence team say that the malware converts infected devices into remotely controlled “executors” that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker.
“The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.
“With this distributed-like design, the attacker can efficiently complete the early ‘footprinting’ activities, thereby providing strong assurance for the smoothness and success rate of subsequent intrusion operations.”
Apart from using compromised routers as a springboard for malicious operations, XLab warns that the malware can also tamper with DNS settings, hijacking the user’s browsing, and monitor and potentially steal all inbound and outbound network traffic.
Server distributing AryStinger scan jobs — Source: XLab
AryStinger exploits older flaws such as CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, targeting primarily D-Link DIR-850L and D-Link DIR-818LW routers.
The two router models were previously targeted by the AVrecon malware botnet that Lumen disrupted in 2023.
Qianxin’s telemetry data shows that almost half of all infections are located in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).
Two Malware Variants
XLab researchers found two variants of the AryStinger malware: a C-based version targeting mostly outdated routers, and a Go-based one that focuses on NAS systems, but currently with a far more limited reach.
Infected router establishing C2 communication — Source: XLab
The NAS version is the more advanced of the two, featuring additional capabilities such as IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through the integration of open-source penetration testing tools.
The researchers noted that AryStinger’s distributed DNS-scanning infrastructure could potentially be repurposed to generate large volumes of DNS queries against resolvers, although they did not observe any such attacks.
Regarding the NAS version’s code execution capabilities, XLab says there is support for Shell commands, as well as Go, Java, and Python source code. However, using source code instead of compiled binaries carries limitations, as compilation requires language runtimes on the host and the process introduces noise that can break stealth.
The researchers did not attribute AryStinger to any known activity cluster, stating that “many mysteries surrounding AryStinger remain to be solved.”
Recommendations
Owners of end-of-life routers should replace them with new, actively supported models, apply the latest available firmware updates, change the default administrator account password, and disable remote management panels.
