
AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure
AryStinger represents a calculated shift in IoT threat methodology, abandoning noisy, destructive payloads in favor of silent, long-term reconnaissance infrastructure. By exploiting unpatched, end-of-life routers and NAS devices through decade-old vulnerabilities, the threat operator has assembled a distributed fleet of over 4,300 Executor nodes capable of conducting parallelized DNS enumeration, port scanning, and service fingerprinting at scale, all while masking origin behind residential IP addresses. With active development ongoing and a potential operational timeline stretching back to 2024, AryStinger underscores a growing and underappreciated risk: forgotten edge hardware is not merely a compliance gap but exploitable infrastructure.
AryStinger is a newly identified malware family that compromises end-of-life Realtek RTL819X-based routers and QNAP NAS devices, assembling them into a distributed reconnaissance proxy network. Unlike conventional IoT botnets oriented toward volumetric attacks, AryStinger functions exclusively as pre-intrusion infrastructure, conducting distributed port scanning, DNS enumeration, service fingerprinting, and traffic tunneling on behalf of its operators while concealing their origin behind thousands of compromised residential devices.
First detected by QiAnXin's XLab on March 12, 2026, the malware had already infected over 4,300 devices globally before any security product registered a detection. A second, more capable Go-based build targeting QNAP NAS devices emerged in April 2026, confirming active, ongoing development.
Background of AryStinger
XLab attributed the name AryStinger to a hardcoded source code path within the binary, indicating the project was internally designated Ary-Attack. A second embedded artifact, the XOR encryption key sh_#@!_2024_secret, suggests the campaign may have originated as early as 2024, predating XLab's March 2026 discovery by up to two years.
AryStinger designates each compromised device an Executor. The operator distributes reconnaissance tasks across the Executor fleet for parallel execution, with each node assigned a discrete portion of the scan space. Results are returned to the C2 server, while all scan traffic appears to originate from the infected device's residential IP address, effectively defeating blocklist-based attribution and detection.
XLab validated this architecture through a controlled honeypot deployment. The test device received a subdomain brute-force task for the .ba top-level domain at an offset of 11,654,000,000, placing it approximately 12% into the full length-7 subdomain enumeration space. The remaining scan ranges were distributed across other nodes in the fleet simultaneously.
Vulnerability Details
| CVE ID | CVSS Score | EPSS Score | Affected Products | Vulnerability Type |
|---|---|---|---|---|
| CVE-2013-3307 | 8.3 (High) | 5.36% | Linksys E-Series Routers | OS Command Injection |
| CVE-2016-5681 | 9.8 (Critical) | 11.93% | D-Link DIR-Series Routers | Stack-Based Buffer Overflow |
| CVE-2025-11837 | 8.1 (High) | 0.77% | QNAP NAS (Malware Remover component) | Code Injection |
Infection Scale and Geographic Distribution
Over 4,300 RTL819X-based routers are confirmed compromised as of the XLab report, with infections continuing to grow. This figure excludes QNAP NAS devices, for which no count has been published. The D-Link DIR-850L accounts for approximately 75% of all infected nodes, consistent with its widespread ISP deployment across South Korea and Southeast Asia during its production period.
By country, South Korea leads at 48.5% of infections, followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%). The DIR-850L and DIR-818LW models were previously flagged in an FBI FLASH advisory regarding the AVrecon botnet, confirming that this device population has remained persistently exposed across multiple independent campaigns.
Technical Analysis
C-Based Router Build (RTL819X)
The router build is written in C to accommodate the hardware constraints of RTL819X devices. Its core functions are mass DNS scanning and traffic tunneling. C2 communications are transmitted over HTTP using Protobuf-encoded payloads obfuscated with XOR encryption. Persistence is established via Dropbear SSH installed on non-standard port 2332. The build additionally rewrites local DNS configuration and intercepts all traffic transiting the compromised device, exposing credentials and session data without producing any user-visible performance impact.
Go-Based NAS Build (QNAP)
Released April 26, 2026, the Go-based build targets QNAP NAS devices through CVE-2025-11837 and introduces a significantly expanded reconnaissance toolkit:
- fscan - network port scanning and service fingerprinting
- ksubdomain / httpx - subdomain enumeration and web service discovery
- Tlsx - TLS certificate fingerprinting
- ScriptWork - on-device execution of attacker-supplied Go, Java, or Python source code
ScriptWork is the most operationally significant capability in this build. By accepting source code directly and executing it on the infected device, the operator eliminates the need to compile architecture-specific binaries, effectively transforming the NAS into a general-purpose remote execution platform. C2 traffic in this build is protected by XOR encryption combined with gzip compression. Persistence is maintained via gs-netcat rather than Dropbear SSH.
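To triage captured C2 bodies from either build, here is a small Python unwrapper (an added example, not XLab's or the malware's own code) that strips the XOR layer using the key quoted above and, for the NAS build, the gzip layer beneath it. Repeating-key XOR, the gzip-then-XOR ordering, and the sample message are assumptions; the inner Protobuf message is left undecoded because its schema is not published.

```python
import gzip

# Key reported on the page as embedded in the router build. Repeating-key XOR and
# the "gzip under XOR" layering for the NAS build are assumptions, not page facts.
ARY_XOR_KEY = b"sh_#@!_2024_secret"
GZIP_MAGIC = b"\x1f\x8b"

def xor_repeating(data: bytes, key: bytes = ARY_XOR_KEY) -> bytes:
    """XOR each byte against the key, cycling the key across the buffer (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unwrap_c2_body(blob: bytes, key: bytes = ARY_XOR_KEY) -> tuple[bytes, str]:
    """Peel the obfuscation off a captured C2 body, probing both possible layer orders.
    Returns (inner_bytes, layering); inner_bytes is the Protobuf message the page
    describes, returned raw because its schema is not public."""
    plain = xor_repeating(blob, key)
    if plain.startswith(GZIP_MAGIC):            # NAS build: gzip found under the XOR layer
        return gzip.decompress(plain), "xor+gzip"
    if blob.startswith(GZIP_MAGIC):             # alternative order: XOR found under gzip
        return xor_repeating(gzip.decompress(blob), key), "gzip+xor"
    return plain, "xor"                         # router build: XOR only

def wrap_c2_body(inner: bytes, layering: str, key: bytes = ARY_XOR_KEY) -> bytes:
    """Inverse of unwrap_c2_body; used here only to build constructed fixtures."""
    if layering == "xor":
        return xor_repeating(inner, key)
    if layering == "xor+gzip":
        return xor_repeating(gzip.compress(inner), key)
    if layering == "gzip+xor":
        return gzip.compress(xor_repeating(inner, key))
    raise ValueError(f"unknown layering: {layering}")

# Constructed stand-in for an inner task message; not a real capture or real Protobuf
SAMPLE_INNER = b"constructed-protobuf-placeholder: tld=.ba offset=11654000000"
```

Feed unwrap_c2_body() a raw HTTP body from a packet capture; the layering string tells you which build's convention the sample followed.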
Threat Context: Operational Relay Box (ORB) Networks
AryStinger's operational model, in which end-of-life edge devices are compromised through n-day vulnerabilities and assembled into relay infrastructure for pre-intrusion reconnaissance, is consistent with Operational Relay Box (ORB) networks as documented by Mandiant. These meshes of compromised IoT and edge devices are used primarily by state-linked actors to conduct scanning, proxy C2 traffic, and obfuscate attribution.
Structurally comparable campaigns include LapDogs, which farmed SOHO devices for espionage infrastructure via n-day exploitation, and the 5socks / Anyproxy residential proxy services dismantled by the FBI and DOJ in May 2025, both of which targeted the same Linksys and D-Link hardware families as AryStinger. XLab has not attributed AryStinger to a known threat actor; the investigation remains ongoing.
Indicators of Compromise (IOCs)
C2 and Distribution Domains
- ajb8[.]com
- dataexplore[.]cc
- dataexplore[.]co
Malicious IP Address
- 107.150.106[.]14
Malicious Process Names
- syswapd0h
- syswapd0w
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1565.002 | Transmitted Data Manipulation | Impact |
| T1584.008 | Network Devices | Resource-Development |
| T1046 | Network Service Discovery | Discovery |
| T1190 | Exploit Public-Facing Application | Initial-Access |
| T1071.001 | Web Protocols | Command-And-Control |
| T1090.002 | External Proxy | Command-And-Control |
| T1557 | Adversary-in-the-Middle | Credential-Access |
| T1059 | Command and Scripting Interpreter | Execution |
| T1595.001 | Scanning IP Blocks | Reconnaissance |
| T1583.005 | Botnet | Resource-Development |
Mitigation
- Decommission end-of-life hardware. RTL819X-based routers have not received firmware updates since approximately 2015. CVE-2013-3307 and CVE-2016-5681 will not be patched on these devices. Replacement with actively supported hardware is the only viable remediation.
- Apply the QNAP CVE-2025-11837 patch immediately. A vendor patch has been available since November 2025. AryStinger operationalized this vulnerability within five months of its release. Unpatched QNAP devices with the Malware Remover component exposed should be treated as a critical remediation priority.
- Audit edge devices for AryStinger indicators. Review network egress logs for connections to ajb8[.]com, dataexplore[.]cc, and dataexplore[.]co. Inspect accessible router and NAS file systems for unauthorized binaries under /tmp/bin and processes named syswapd0h or syswapd0w. An SSH listener on port 2332 not provisioned by the administrator is a confirmed infection indicator.
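A Python audit helper (an added example, not from XLab or the page) that applies the indicators above to egress-log, process-list and listener rows. The indicators are the page's; the three row formats and the sample rows are constructed assumptions about an administrator's own export tooling.

```python
import re

# Indicators as listed on the page (refanged); row formats below are assumptions
ARY_C2_HOSTS = {"ajb8.com", "dataexplore.cc", "dataexplore.co", "107.150.106.14"}
ARY_PROCESS_NAMES = {"syswapd0h", "syswapd0w"}
ARY_DROP_DIR = "/tmp/bin"
ARY_SSH_PORT = 2332

def check_egress(log_lines):
    """Flag 'dst=<host>' entries that hit a C2 host or any subdomain of one."""
    hits = []
    for line in log_lines:
        m = re.search(r"\bdst=([\w.\-]+)", line)
        if not m:
            continue
        dst = m.group(1).lower().rstrip(".")
        if any(dst == h or dst.endswith("." + h) for h in ARY_C2_HOSTS):
            hits.append(("c2_egress", dst))
    return hits

def check_processes(ps_lines):
    """'PID NAME EXE' rows: flag the known names and anything executing from /tmp/bin."""
    hits = []
    for line in ps_lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        pid, name, exe = parts
        if name in ARY_PROCESS_NAMES:
            hits.append(("known_process", f"{name}:{pid}"))
        elif exe.startswith(ARY_DROP_DIR + "/"):
            hits.append(("tmp_bin_exec", f"{name}:{pid}:{exe}"))
    return hits

def check_listeners(listen_lines, admin_ports):
    """'PROTO ADDR:PORT PROG' rows: flag a TCP listener on 2332 the admin did not provision."""
    hits = []
    for line in listen_lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "tcp":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port == ARY_SSH_PORT and port not in admin_ports:
            hits.append(("rogue_ssh_listener", f"{port}:{parts[2]}"))
    return hits

# Constructed samples (not real captures): one true positive per check plus benign rows
SAMPLE_EGRESS = ["t=1 src=192.168.1.7 dst=update.ajb8.com proto=tcp dport=80",
                 "t=2 src=192.168.1.7 dst=example.org proto=tcp dport=443",
                 "t=3 src=192.168.1.7 dst=107.150.106.14 proto=tcp dport=80"]
SAMPLE_PS = ["412 syswapd0h /tmp/bin/syswapd0h", "88 dnsmasq /usr/sbin/dnsmasq", "501 upd /tmp/bin/upd"]
SAMPLE_LISTEN = ["tcp 0.0.0.0:2332 dropbear", "tcp 0.0.0.0:22 dropbear", "udp 0.0.0.0:53 dnsmasq"]
```

Pass admin_ports as the set of listeners you know you provisioned, so a legitimately relocated SSH daemon on 2332 is not reported.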
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.