
AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure
AryStinger represents a calculated shift in IoT threat methodology, abandoning noisy, destructive payloads in favor of silent, long-term reconnaissance infrastructure. By exploiting unpatched, end-of-life routers and NAS devices through decade-old vulnerabilities, the threat operator has assembled a distributed fleet of over 4,300 Executor nodes capable of conducting parallelized DNS enumeration, port scanning, and service fingerprinting at scale, all while masking origin behind residential IP addresses. With active development ongoing and a potential operational timeline stretching back to 2024, AryStinger underscores a growing and underappreciated risk: forgotten edge hardware is not merely a compliance gap but exploitable infrastructure.
Background of AryStinger
First detected by QiAnXin's XLab on March 12, 2026, the malware had already infected over 4,300 devices globally before any security product registered a detection. A second, more capable Go-based build targeting QNAP NAS devices emerged in April 2026, confirming active, ongoing development.
XLab attributed the name AryStinger to a hardcoded source code path within the binary, indicating the project was internally designated Ary-Attack. A second embedded artifact, the XOR encryption key sh_#@!_2024_secret, suggests the campaign may have originated as early as 2024, predating XLab's March 2026 discovery by up to two years.
AryStinger designates each compromised device an Executor. The operator distributes reconnaissance tasks across the Executor fleet for parallel execution, with each node assigned a discrete portion of the scan space. Results are returned to the C2 server, while all scan traffic appears to originate from the infected device's residential IP address, effectively defeating blocklist-based attribution and detection.
XLab validated this architecture through a controlled honeypot deployment. The test device received a subdomain brute-force task for the .ba top-level domain at an offset of 11,654,000,000, placing it approximately 12% into the full length-7 subdomain enumeration space. The remaining scan ranges were distributed across other nodes in the fleet simultaneously.
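The following Python is an added illustration, not code from XLab or from the malware itself. It shows what a task expressed as a bare offset means to an Executor: the offset maps to one concrete length-7 label, and a controller can carve the whole space into contiguous per-node ranges. The label alphabet is an assumption: a-z, 0-9 and hyphen (37 symbols). That choice is made because 37^7 = 94,931,877,133 puts the quoted offset about 12.3% into the space, consistent with the 12% figure above, whereas a 36-symbol alphabet would put it near 15%. The .ba TLD is the one named on the page; the function names are mine.

```python
# Added example (not XLab's or AryStinger's code): how a distributed subdomain
# brute-force task given as an offset maps to labels, and how the enumeration
# space is split across Executor nodes.
# ASSUMPTION: 37-symbol label alphabet (a-z, 0-9, '-'), which makes the page's
# "about 12%" figure hold for offset 11,654,000,000 in a length-7 space.
from typing import List, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"   # assumed, see above
LABEL_LEN = 7
SPACE_SIZE = len(ALPHABET) ** LABEL_LEN               # 94,931,877,133


def offset_to_label(offset: int) -> str:
    """Label at position `offset` (base-37 digits, most significant first)."""
    if not 0 <= offset < SPACE_SIZE:
        raise ValueError("offset outside enumeration space")
    symbols = []
    for _ in range(LABEL_LEN):
        offset, idx = divmod(offset, len(ALPHABET))
        symbols.append(ALPHABET[idx])
    return "".join(reversed(symbols))


def label_to_offset(label: str) -> int:
    """Inverse of offset_to_label."""
    if len(label) != LABEL_LEN:
        raise ValueError("wrong label length")
    offset = 0
    for ch in label:
        offset = offset * len(ALPHABET) + ALPHABET.index(ch)
    return offset


def fraction_of_space(offset: int) -> float:
    """How far into the full enumeration space a task offset sits."""
    return offset / SPACE_SIZE


def shard_space(executors: int) -> List[Tuple[int, int]]:
    """Split [0, SPACE_SIZE) into `executors` contiguous half-open ranges,
    the way a C2 hands each node a discrete slice of the scan."""
    base, extra = divmod(SPACE_SIZE, executors)
    ranges, start = [], 0
    for i in range(executors):
        end = start + base + (1 if i < extra else 0)
        ranges.append((start, end))
        start = end
    return ranges


def is_valid_dns_label(label: str) -> bool:
    """Hostname labels may not begin or end with a hyphen; a scanner has to
    skip those positions instead of querying them."""
    return not (label.startswith("-") or label.endswith("-"))


def candidates(start: int, count: int, tld: str = "ba") -> List[str]:
    """First `count` queryable names of a task that begins at `start`."""
    out, off = [], start
    while len(out) < count and off < SPACE_SIZE:
        label = offset_to_label(off)
        if is_valid_dns_label(label):
            out.append(f"{label}.{tld}")
        off += 1
    return out


if __name__ == "__main__":
    off = 11_654_000_000
    print(f"{fraction_of_space(off):.1%} into the space, label {offset_to_label(off)!r}")
    for lo, hi in shard_space(4300)[:3]:
        print(f"executor range [{lo}, {hi}) -> {offset_to_label(lo)} .. {offset_to_label(hi - 1)}")
    print(candidates(off, 3))
```

Two things the paragraph alone does not show: the quoted offset decodes to a label ending in a hyphen, which is not a valid hostname, so a real Executor must skip such positions rather than waste a query; and splitting the space into 4,300 equal ranges leaves each node roughly 22 million labels, which is why the operator can afford to spread a single TLD across the whole fleet.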
Vulnerability Details
| CVE ID | CVSS Score | EPSS Score | Affected Products | Vulnerability Type |
|---|---|---|---|---|
| CVE-2013-3307 | 8.3 (High) | 5.36% | Linksys E-Series Routers | OS Command Injection |
| CVE-2016-5681 | 9.8 (Critical) | 11.93% | D-Link DIR-Series Routers | Stack-Based Buffer Overflow |
| CVE-2025-11837 | 8.1 (High) | 0.77% | QNAP NAS (Malware Remover component) | Code Injection |
Attack Methodology
- Phase 1: Target Identification. Attackers identify "forgotten" internet-facing hardware: legacy routers built on Realtek RTL819X chips, widely shipped between 2012 and 2015, and NAS devices. The routers are prioritized because they no longer receive security updates.
- Phase 2: Vulnerability Exploitation. The operator leverages long-public N-day vulnerabilities to gain unauthorized access. The primary exploits are CVE-2013-3307 (Linksys) and CVE-2016-5681 (D-Link), both of which yield remote code execution without valid credentials.
- Phase 3: Payload Implantation. Following successful exploitation, a lightweight Linux binary (the "stinger" bot) is deployed. On more capable hardware such as NAS devices, a Go-based build is used instead for cross-platform compatibility and additional functionality.
- Phase 4: C2 Communication and Obfuscation. The infected node registers with a command-and-control (C2) server over HTTP/HTTPS. To evade network monitoring, the malware wraps its configuration and tasking in Protobuf-encoded, XOR-encrypted traffic.
- Phase 5: Distributed Reconnaissance. Once enrolled in the botnet, the devices act as Executors for large-scale reconnaissance: mass DNS scanning, service identification, and subdomain enumeration that map potential targets for future intrusions.
- Phase 6: Traffic Tunneling. The malware activates its proxy functionality, turning the compromised hardware into a traffic relay. Attackers tunnel malicious traffic through legitimate residential or business IP addresses, masking the true origin of their activity.
- Phase 7: Intrusion Support. The botnet functions as a global Operational Relay Box (ORB) network: an "attack springboard" or "invisible listening device" that provides stealthy infrastructure for secondary intrusion operations while staying hidden from mainstream security engines.
Indicators of Compromise (IOCs)
C2 and Distribution Domains
- ajb8[.]com
- dataexplore[.]cc
- dataexplore[.]co
Malicious IP Address
- 107.150.106[.]14
Malicious Process Names
- syswapd0h
- syswapd0w
Host Artifacts
- Unauthorized binaries under /tmp/bin
- SSH listener on TCP port 2332 not provisioned by the administrator
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1565.002 | Transmitted Data Manipulation | Impact |
| T1584.008 | Network Devices | Resource Development |
| T1046 | Network Service Discovery | Discovery |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1071.001 | Web Protocols | Command and Control |
| T1090.002 | External Proxy | Command and Control |
| T1557 | Adversary-in-the-Middle | Credential Access |
| T1059 | Command and Scripting Interpreter | Execution |
| T1595.001 | Scanning IP Blocks | Reconnaissance |
| T1583.005 | Botnet | Resource Development |
Mitigation
- Decommission end-of-life hardware. RTL819X-based routers have not received firmware updates since approximately 2015. CVE-2013-3307 and CVE-2016-5681 will not be patched on these devices. Replacement with actively supported hardware is the only viable remediation.
- Apply the QNAP CVE-2025-11837 patch immediately. A vendor patch has been available since November 2025. AryStinger operationalized this vulnerability within five months of its release. Unpatched QNAP devices with the Malware Remover component exposed should be treated as a critical remediation priority.
- Audit edge devices for AryStinger indicators. Review network egress logs for connections to ajb8[.]com, dataexplore[.]cc, and dataexplore[.]co. Inspect accessible router and NAS file systems for unauthorized binaries under /tmp/bin and for processes named syswapd0h or syswapd0w. An SSH listener on port 2332 that the administrator did not provision is a confirmed infection indicator.
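The script below is an added example, not SecPod's, XLab's or the malware's code. It turns the audit bullet above and the Phase 4 obfuscation note into one offline triage pass: it matches exported egress log lines against the C2 domains and IP, flags the named processes and anything executed from /tmp/bin, finds the port-2332 listener, and applies the embedded XOR key to a recovered config blob. Every input is a constructed sample; the `ps` and `ss -ltnp` column layouts and the log line format are assumptions about what an administrator might export from a device. The real configuration is Protobuf, so the decoded bytes would still need a protobuf parser; the JSON-looking stand-in is only there to make the round trip visible.

```python
# Added example (not SecPod's, XLab's or AryStinger's code): offline triage of
# artefacts exported from a suspect router or NAS against this page's IOCs.
# All inputs below are CONSTRUCTED samples; column layouts are assumptions.
import re
from typing import Dict, List, Tuple

IOC_DOMAINS = {"ajb8.com", "dataexplore.cc", "dataexplore.co"}
IOC_IPS = {"107.150.106.14"}
IOC_PROCESSES = {"syswapd0h", "syswapd0w"}
IOC_SSH_PORT = 2332
IOC_PATH_PREFIX = "/tmp/bin/"
XOR_KEY = b"sh_#@!_2024_secret"   # key XLab found embedded in the sample


def xor_crypt(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def egress_hits(log_lines: List[str]) -> List[str]:
    """Lines whose destination is an IOC domain (or a subdomain of one) or IP."""
    hits = []
    for line in log_lines:
        for tok in re.findall(r"[A-Za-z0-9.\-]+", line):
            t = tok.lower().rstrip(".")
            if t in IOC_IPS or any(t == d or t.endswith("." + d) for d in IOC_DOMAINS):
                hits.append(line)
                break
    return hits


def suspicious_processes(ps_output: str) -> List[str]:
    """Flag processes by IOC name or by a binary run from /tmp/bin.
    Assumed columns: PID USER STAT COMMAND, header line first."""
    flagged = []
    for line in ps_output.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        exe = parts[3].split()[0]
        if exe.rsplit("/", 1)[-1] in IOC_PROCESSES or exe.startswith(IOC_PATH_PREFIX):
            flagged.append(line.strip())
    return flagged


def rogue_listeners(ss_output: str, admin_ports: set) -> List[Tuple[int, str, str]]:
    """(port, process, reason) for TCP listeners on the IOC port 2332 or on a
    port the administrator did not provision. Assumes `ss -ltnp` layout."""
    pat = re.compile(r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')
    found = []
    for line in ss_output.splitlines():
        m = pat.search(line)
        if not m:
            continue
        port, proc = int(m.group(1)), m.group(2)
        if port == IOC_SSH_PORT:
            found.append((port, proc, "AryStinger SSH port"))
        elif port not in admin_ports:
            found.append((port, proc, "unprovisioned listener"))
    return found


# ---- constructed samples --------------------------------------------------
SAMPLE_EGRESS_LOG = [
    "2026-04-02T10:14:03Z fw: ALLOW 192.168.1.1:51002 -> 107.150.106.14:443 tcp",
    "2026-04-02T10:14:09Z dns: query A update.dataexplore.cc from 192.168.1.1",
    "2026-04-02T10:15:11Z dns: query A time.cloudflare.com from 192.168.1.1",
    "2026-04-02T10:16:40Z fw: ALLOW 192.168.1.1:51010 -> 203.0.113.7:80 tcp",
]
SAMPLE_PS = """\
PID   USER     STAT COMMAND
    1 root     S    init
  212 root     S    /usr/sbin/dropbear -p 22
  901 root     S    /tmp/bin/syswapd0h
  934 root     S    syswapd0w
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("dropbear",pid=212,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=300,fd=4))
LISTEN 0      128    0.0.0.0:2332       0.0.0.0:*         users:(("syswapd0h",pid=901,fd=5))
"""
# Stand-in for an XOR-obscured config (the real one is Protobuf, not JSON).
SAMPLE_CONFIG_PLAIN = b'{"c2":"https://ajb8.com/api","ssh_port":2332}'
SAMPLE_CONFIG_BLOB = xor_crypt(SAMPLE_CONFIG_PLAIN)


def triage(log_lines, ps_output, ss_output, admin_ports, config_blob) -> Dict[str, object]:
    """Bundle every check into one report a responder can act on."""
    decoded = xor_crypt(config_blob).decode("ascii", "replace")
    return {
        "egress": egress_hits(log_lines),
        "processes": suspicious_processes(ps_output),
        "listeners": rogue_listeners(ss_output, admin_ports),
        "config_iocs": egress_hits([decoded]),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EGRESS_LOG, SAMPLE_PS, SAMPLE_SS, {22, 80}, SAMPLE_CONFIG_BLOB).items():
        print(k, v)
```

Because the XOR key is a plain string inside the binary, the same key also works as a byte-pattern search over a dumped file system when no process list is available; the domain matcher deliberately accepts subdomains of the listed C2 domains but not look-alike names that merely end in the same characters.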
Instantly Fix Risks with Saner Patch Management
Saner Patch Management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
