CyberSecurityNews

AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network


A newly discovered botnet called AryStinger has quietly hijacked more than 4,300 routers across the globe, turning them into a silent army of attack proxies.

The threat actors behind this campaign are exploiting decade-old vulnerabilities to build a covert reconnaissance infrastructure, and what makes it particularly alarming is how well it manages to stay hidden from traditional security tools.

The campaign first came to light on March 12, 2026, when a network-wide threat monitoring system flagged a suspicious IP address spreading a malware sample through two known router vulnerabilities, CVE-2013-3307 and CVE-2016-5681.

These flaws affect several Linksys and D-Link router models from over ten years ago. The malware was going completely undetected, with zero flags across major security scanning platforms.

Researchers from Qianxin XLab said in a report shared with Cyber Security News (CSN) that they identified and documented this unusual attack campaign, noting that it targets router devices built on the RTL819X series chips, which were most widely used between 2012 and 2015.

The team later captured a related sample on April 26 targeting NAS devices, spread through CVE-2025-11837. Based on its source code path and behavior, they named this new malware family AryStinger.

Unlike typical botnets that focus on DDoS attacks or mining cryptocurrency, AryStinger is built for something far more calculated. It is designed to quietly gather information and serve as a launch pad for deeper intrusions.

The infected router becomes a ghost node, helping attackers hide their real location while conducting reconnaissance on other networks.

The hardcoded encryption key found inside AryStinger reads “sh_#@!_2024_secret,” hinting that this campaign may have been active since at least 2024.

Subsequent task dispatch (Source – Qianxin)

The full scale of the operation remains unknown, since current infection counts only cover RTL819X routers and do not yet reflect how many NAS devices may also be compromised.

AryStinger Botnet Hijacks 4,300+ Routers

Once AryStinger infects a router, it registers the device with a command-and-control server by sending device fingerprint data including MAC address, IP addresses, operating system version, and CPU architecture.

This data is encrypted before transmission. The server then assigns each infected device a unique Executor ID, turning it into a managed node in the botnet.

Each infected node, called an Executor, receives a small piece of a larger scanning task. The attacker distributes these chunks across hundreds of devices simultaneously, enabling fast and distributed reconnaissance across the internet.

XOR decryption and Protobuf deserialization (Source – Qianxin)

The botnet supports port scanning, service identification, subdomain enumeration, and traffic tunneling, all while keeping the attacker’s true identity hidden.
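The registration exchange described above carries device-fingerprint data that is XOR-encrypted with the hardcoded key and, per the figure caption, Protobuf-serialised. The block below is an added example, not code from the report or from Qianxin XLab, of how an analyst can peel those two layers off a captured beacon without having the schema: it assumes a plain repeating-key XOR with the key quoted earlier ("sh_#@!_2024_secret"), and the field numbers and contents of the sample message are constructed for illustration.

```python
"""Triage helper for an AryStinger-style C2 blob: strip a repeating-key XOR
layer and walk the protobuf wire format underneath without a schema.

Added example (not code from the Qianxin XLab report). Assumptions: the XOR
is a plain repeating-key XOR with the key quoted in the article, and the
message layout built in build_sample_blob() (field numbers, contents) is
constructed; the real schema is not given on the page.
"""
from typing import Iterator, Tuple, Union

XOR_KEY = b"sh_#@!_2024_secret"  # key as quoted in the article; repeating-key use is assumed


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR each byte with the key byte at the same offset modulo the key length.
    The operation is its own inverse, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def walk_protobuf(buf: bytes) -> Iterator[Tuple[int, int, Union[int, bytes]]]:
    """Yield (field_number, wire_type, value) for each field in the buffer.
    Handles wire type 0 (varint) and 2 (length-delimited); anything else raises
    so that a wrong key or a non-protobuf payload fails loudly."""
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x7
        if wtype == 0:
            value, pos = _read_varint(buf, pos)
        elif wtype == 2:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past buffer")
            value = buf[pos:pos + length]
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wtype} at field {field}")
        yield field, wtype, value


# --- constructed test vector: encode a registration-like message, then XOR it ---
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def _field(field: int, value) -> bytes:
    """Encode one field: ints as wire type 0, bytes as wire type 2."""
    if isinstance(value, int):
        return _varint(field << 3) + _varint(value)
    return _varint((field << 3) | 2) + _varint(len(value)) + value


def build_sample_blob() -> bytes:
    """Constructed sample: field numbers and values are invented for the demo."""
    msg = (_field(1, b"00:11:22:33:44:55") +   # MAC address (constructed)
           _field(2, b"mips") +                # CPU architecture (constructed)
           _field(3, 1337))                    # executor id (constructed)
    return xor_repeating(msg)


def decode_blob(blob: bytes) -> dict:
    """Strip the XOR layer and return {field_number: value} for the fields found."""
    plain = xor_repeating(blob)
    return {field: value for field, _wtype, value in walk_protobuf(plain)}


if __name__ == "__main__":
    for field, value in decode_blob(build_sample_blob()).items():
        print(field, value)
```

Walking the wire format without a .proto file only recovers field numbers and raw values, which is enough to confirm the key is right (the tags come out as small, sane field numbers) and to see what a node reports about itself; a wrong key produces garbage tags and the walker raises.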

The infected devices are predominantly D-Link DIR-850L routers, accounting for about 75 percent of all known infections. South Korea holds the highest share at 48.45 percent, followed by China at 31.82 percent, Sweden at 6.40 percent, Malaysia at 3.50 percent, and Singapore at 2.50 percent.

Two Versions, One Dangerous Goal

AryStinger comes in two distinct versions that share the same core logic. The RTL819X version is written in C and is a lean build made specifically for old routers, focusing mainly on DNS scanning and tunnel functionality.

The Standard version is written in Go and targets NAS devices, with a broader feature set including intranet scanning, script execution, and the ability to run payloads written in Go, Java, or Python.

The Standard version’s ScriptWork feature is particularly flexible, allowing attackers to send raw code directly to infected devices without compiling separate binaries for different platforms.

Both versions establish persistent backdoors on infected devices, either through a lightweight SSH server called dropbear or through gs-netcat, giving attackers long-term remote access.

Security researchers strongly recommend that users check their network traffic for any communication with the IOC domains in this report.

Users should also inspect the /tmp/bin directory on their device for unknown files, and verify whether processes named syswapd0h or syswapd0w are actively running.

Any router whose firmware has not received updates in years should be replaced or taken offline without delay.
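One way to act on the three checks recommended above (IoC domains in network traffic, the contents of /tmp/bin, and the syswapd0h/syswapd0w process names): an added example, not part of this report or of the XLab research, whose indicator values are taken from the IoC table on this page. The DNS-log format ("<timestamp> <client-ip> query <name>"), the process listing and the directory listing are constructed for illustration.

```python
"""Hunting helpers for the AryStinger indicators listed in this report.

Added example, not code from the report or from Qianxin XLab. Indicator
values come from the IoC table on this page; the DNS log format
("<timestamp> <client-ip> query <name>") and all sample lines are constructed.
"""
import re
from typing import Dict, List

# C2 and downloader hosts from the IoC table (written plain so they match log text).
IOC_DOMAINS = {
    "opi7.com", "xook.ajb8.com", "xonice.ahb8.com", "eixfi.ajb8.com",
    "dybic.ajb8.com", "sdkv1.dataexplore.cc", "sdkv1.dataexplore.co",
    "hgodpcx.auq8.com", "hgodpcx.ajb8.com", "io.ary2.com",
}
IOC_PROCESS_NAMES = {"syswapd0h", "syswapd0w"}            # RTL819X variant process names
IOC_FILE_NAMES = {"syswapd0", "syswapd0h", "syswapd0w",   # file names from the IoC table
                  "syswapd0-linux-amd64", "nat_tunnel-linux-x86_64"}

DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)")


def domain_matches(name: str) -> bool:
    """True if name is a listed host or a subdomain of one. A sibling host under
    the same apex (e.g. mail.ajb8.com) is deliberately not matched: the report
    lists specific hosts, not whole apex domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """One hit per log line whose queried name matches an IoC host."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and domain_matches(m.group("qname")):
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "qname": m.group("qname").rstrip(".")})
    return hits


def scan_process_list(ps_lines: List[str]) -> List[str]:
    """Return the lines of a BusyBox-style `ps` listing (PID USER VSZ STAT COMMAND)
    whose executable basename is one of the malicious process names."""
    found = []
    for line in ps_lines[1:]:                  # first line is the header
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        exe = parts[4].split()[0].rsplit("/", 1)[-1]
        if exe in IOC_PROCESS_NAMES:
            found.append(line.strip())
    return found


def scan_tmp_bin(listing: List[str]) -> Dict[str, List[str]]:
    """Split a /tmp/bin listing into known-bad names and everything else. The
    report says any unknown file there deserves a look, so the remainder is
    returned for manual review rather than dropped."""
    known = [f for f in listing if f in IOC_FILE_NAMES]
    review = [f for f in listing if f not in IOC_FILE_NAMES]
    return {"known_bad": known, "review": review}


# --- constructed sample data ---
SAMPLE_DNS_LOG = [
    "2026-03-12T08:01:13Z 192.168.1.1 query www.example.com",
    "2026-03-12T08:01:20Z 192.168.1.1 query hgodpcx.ajb8.com",
    "2026-03-12T08:02:05Z 192.168.1.1 query opi7.com.",      # trailing dot, as some resolvers log it
    "2026-03-12T08:02:40Z 192.168.1.1 query mail.ajb8.com",  # same apex, not a listed host
]
SAMPLE_PS = [
    "  PID USER       VSZ STAT COMMAND",
    "    1 root      1234 S    init",
    "  842 root      2048 S    /tmp/bin/syswapd0h",
    "  900 root      1500 S    syswapd0w -d",
]
SAMPLE_TMP_BIN = ["syswapd0h", "nat_tunnel-linux-x86_64", "update.sh"]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(scan_process_list(SAMPLE_PS))
    print(scan_tmp_bin(SAMPLE_TMP_BIN))
```

Matching is done on exact hosts plus their subdomains rather than on apex domains, because the report names hosts; widening to the apexes (ajb8.com, ahb8.com, auq8.com, ary2.com) would raise false positives unless separately confirmed. A router that is already compromised may not report honestly on itself, so the DNS and traffic checks from a separate vantage point are the more trustworthy of the three.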

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
IP Address | 107[.]150[.]106[.]14 | Scanner IP used to spread AryStinger via CVE-2013-3307 and CVE-2016-5681
C2 Domain | http://opi7[.]com | AryStinger Command and Control server
C2 Domain | http://xook[.]ajb8[.]com | AryStinger Command and Control server
C2 Domain | http://xonice[.]ahb8[.]com | AryStinger Command and Control server
C2 Domain | http://eixfi[.]ajb8[.]com | AryStinger Command and Control server
C2 Domain | https://dybic[.]ajb8[.]com | AryStinger Standard version C2
C2 Domain | https://sdkv1[.]dataexplore[.]cc | AryStinger Tunnel C2
C2 Domain | https://sdkv1[.]dataexplore[.]co | AryStinger Tunnel C2
Downloader Domain | hgodpcx[.]auq8[.]com | Downloader server for AryStinger Standard version
Downloader Domain | hgodpcx[.]ajb8[.]com | Downloader server for AryStinger RTL819X version
Downloader Domain | io[.]ary2[.]com | Additional downloader domain
URL | https://hgodpcx[.]ajb8[.]com/prod/RTL819X/{version}/manifest.json | RTL819X version manifest URL
URL | https://hgodpcx[.]ajb8[.]com/prod/standard/{version}/manifest.json | Standard version manifest URL
URL | http://hgodpcx[.]ajb8[.]com/prod/RTL819X/{version}/syswapd0 | RTL819X sample download URL
URL | https://hgodpcx[.]ajb8[.]com/prod/standard/{version}/syswapd0-linux-amd64 | Standard sample download URL
MD5 Hash | abae20b26b70b526bebb5e2617092ede | AryStinger RTL819X syswapd0 V2.0.28
MD5 Hash | 4c80d17fa5db5b1c2aaddb5351e9cb6b | AryStinger RTL819X syswapd0 V2.0.27
MD5 Hash | a5101caf0a1789d6a4bc30e644d6b152 | AryStinger Standard syswapd0-linux-amd64 V1.0.102
MD5 Hash | df0c9f6289e56f31c0700f40590857d3 | AryStinger RTL819X syswapd0 V2.0.19
MD5 Hash | 8e55d712a99d2cd45e8592c6dda5110 | AryStinger RTL819X syswapd0 V2.0.21
MD5 Hash | 0ba24db187836efe77ed7e75d279d33 | AryStinger RTL819X syswapd0 V2.0.3
MD5 Hash | 6f761f63642cd6329a29cfad80be50c3 | AryStinger RTL819X syswapd0 V2.0.4
MD5 Hash | dbcc5a3e6afe41060d6357e24dc03fd3 | AryStinger RTL819X syswapd0 V2.0.5
MD5 Hash | a97e552f5e655e1cfa56853f65beeb0e | AryStinger RTL819X syswapd0 V2.0.6
MD5 Hash | c113739225ece5f6e4805466dec1401d | AryStinger RTL819X syswapd0 V2.0.7
MD5 Hash | 0a2d2a4ec1ca2aa6a23a35abb5a75451 | AryStinger RTL819X syswapd0 V2.0.8
MD5 Hash | dd1e5a3cd9f842bd70be45a62c3ebbf6 | AryStinger RTL819X syswapd0 V2.0.9
MD5 Hash | 16fed5909de4f50351fc33fbfcf156df | AryStinger RTL819X syswapd0 V2.0.10
MD5 Hash | 6f91d1f8f0cbaab137351936b52f7a94 | AryStinger RTL819X syswapd0 V2.0.11
MD5 Hash | fc4cee066d8526f5806bb23278f647da | AryStinger RTL819X syswapd0 V2.0.12
MD5 Hash | 7b361a6d0d42309d09ec9000b53712b3 | AryStinger RTL819X syswapd0 V2.0.13
MD5 Hash | 18f894a3168ee0b809eed321a2e748b4 | AryStinger RTL819X syswapd0 V2.0.14
MD5 Hash | 0627f034c42549e2130734b5f8dbf854 | AryStinger RTL819X syswapd0 V2.0.15
MD5 Hash | b9406e969cdfdaef433e93d0b9ad1f5d | AryStinger RTL819X syswapd0 V2.0.16
MD5 Hash | f093891e281bcd9c8016dea7d89cc671 | AryStinger RTL819X syswapd0 V2.0.17
MD5 Hash | 9221423d7daff9e64f7e2af54f911fea | AryStinger RTL819X syswapd0 V2.0.18
MD5 Hash | 7f2b2e3516fa454adfd51f857ae80adf | AryStinger RTL819X syswapd0 V2.0.20
MD5 Hash | dbdd4d8e4aef3ce69cf65ed470425c89 | AryStinger RTL819X syswapd0 V2.0.21
MD5 Hash | d79270ba44e665ebb0383eb77a52e38b | AryStinger RTL819X syswapd0 V2.0.22
MD5 Hash | 36ff9f683e870145aaf5a715bc934762 | AryStinger RTL819X syswapd0 V2.0.23
MD5 Hash | dc35086ba0f5f83545c32a023a1f3be4 | AryStinger RTL819X syswapd0 V2.0.24
MD5 Hash | 7461445fca3f9d8911148e0908d33c3b | AryStinger RTL819X syswapd0 V2.0.25
MD5 Hash | a3181550e0e0a6153a44b7a0495535b0 | AryStinger RTL819X syswapd0 V2.0.26
MD5 Hash | fffcbd0ac2cb545496890f50395181ff | AryStinger RTL819X syswapd0 V2.0.29
MD5 Hash | a3e3197e2344c51e95c063541ea22205 | AryStinger RTL819X syswapd0 V2.0.30
MD5 Hash | e9916ff56074725f5739ead5091fe6c7 | AryStinger RTL819X syswapd0 V2.0.31
MD5 Hash | ff11e000f377c54dea928b09ebad9df8 | AryStinger Standard syswapd0-linux-amd64 V1.0.61
MD5 Hash | fcc9de5c040307e6ac3011e8b379f6d9 | AryStinger Standard syswapd0-linux-amd64 V1.0.62
MD5 Hash | ed9209111b995cbe78f8e097c289f127 | AryStinger Standard syswapd0-linux-amd64 V1.0.63
MD5 Hash | b104a05e8a2e218adfb7654ba8bf3d49 | AryStinger Standard syswapd0-linux-amd64 V1.0.64
MD5 Hash | 9660895fa3fcabbef466703636f6d51d | AryStinger Standard syswapd0-linux-amd64 V1.0.66
MD5 Hash | b0f4f813a9de094c06821366e2459aee | AryStinger Standard syswapd0-linux-amd64 V1.0.67
MD5 Hash | 8cc249b16adf7e4a658af7fa31d7998e | AryStinger Standard syswapd0-linux-amd64 V1.0.68
MD5 Hash | 9973676bfa9fe89aa5c76e3cd0b21ae8 | AryStinger Standard syswapd0-linux-amd64 V1.0.76
MD5 Hash | d997efa98afab2c003654b8d5ce2bedf | AryStinger Standard syswapd0-linux-amd64 V1.0.79
MD5 Hash | 8deb2a60d42de0f8f8786e485d2f046f | AryStinger Standard syswapd0-linux-amd64 V1.0.80
MD5 Hash | dc71c10ca0b2c83b6b3a6a062fca314f | AryStinger Standard syswapd0-linux-amd64 V1.0.81
MD5 Hash | 6869f24aecd75e2144aba8dc03dc2d0f | AryStinger Standard syswapd0-linux-amd64 V1.0.88
MD5 Hash | 05627d1bddb7292bb45139244f46051f | AryStinger Standard syswapd0-linux-amd64 V1.0.89
MD5 Hash | 19232d0eff3ef7aee3b5d7620c72358c | AryStinger Standard syswapd0-linux-amd64 V1.0.90
MD5 Hash | 8edb3ea62a7e643ba1a88d20799cf94f | AryStinger Standard syswapd0-linux-amd64 V1.0.91
MD5 Hash | ea2fe3b409da439aec25cf7eabf5b7a7 | AryStinger Standard syswapd0-linux-amd64 V1.0.93
MD5 Hash | 0ffb4b4e430f4b69216fb9d2e082e482 | AryStinger Standard syswapd0-linux-amd64 V1.0.95
MD5 Hash | 5d9cdb072415b191df3f444f53b2ff4b | AryStinger Standard syswapd0-linux-amd64 V1.0.96
MD5 Hash | 44805c4b36bd3d97ba8ecaf6fe103572 | AryStinger Standard syswapd0-linux-amd64 V1.0.97
MD5 Hash | d2fd89ebdad493ec9ac76ce35213cec4 | AryStinger Standard syswapd0-linux-amd64 V1.0.98
MD5 Hash | a2d54fcd0c2816f607a5962523fc648c | AryStinger Standard syswapd0-linux-amd64 V1.0.101
MD5 Hash | e6b27080aa1ce1901a23dd75716d9092 | AryStinger Tunnel nat_tunnel-linux-x86_64
File Name | syswapd0h | AryStinger malicious process name (RTL819X variant)
File Name | syswapd0w | AryStinger malicious process name (RTL819X variant)
File Name | nat_tunnel-linux-x86_64 | AryStinger Tunnel tool binary
Encryption Key | sh_#@!2024_secret | Hardcoded XOR encryption key used in C2 communication

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
