AryStinger Botnet Hijacks Over 4,300 Routers for Global Attack Proxy Network

Key Takeaways

• The AryStinger botnet has compromised over 4,300 internet routers and NAS devices globally.
• It exploits severe, long-standing vulnerabilities in Linksys, D-Link, and NAS products, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837.
• AryStinger primarily functions as a stealthy proxy network for reconnaissance and further attacks, rather than typical DDoS or crypto-mining operations.
• The D-Link DIR-850L router is disproportionately affected, with South Korea and China experiencing the highest number of infections.
• Immediate action is required from users, including replacing or disconnecting obsolete hardware and actively monitoring for specific malicious processes and network traffic.

A newly identified botnet, dubbed AryStinger, has silently infiltrated over 4,300 routers and network-attached storage (NAS) devices worldwide, transforming them into a sophisticated, distributed network of attack proxies. This campaign is particularly alarming due to its reliance on unpatched, decade-old vulnerabilities and its advanced capabilities for evading detection.

Discovery and Operational Tactics

The AryStinger operation came to light on March 12, 2026, when a threat monitoring system detected the IP address 107.150.106.14 distributing malware. Attackers are leveraging well-known vulnerabilities, specifically CVE-2013-3307 and CVE-2016-5681, which impact older Linksys and D-Link router models. The malware initially exhibited zero detections across major security platforms, highlighting its stealth and evasion techniques.

Researchers at Qianxin XLab conducted a thorough analysis of this novel threat, detailed in a recent report. Their investigation revealed that AryStinger primarily targets routers equipped with RTL819X series chips, commonly found in devices manufactured between 2012 and 2015. A subsequent variant, observed on April 26, was found to compromise NAS devices by exploiting CVE-2025-11837. The botnet was named AryStinger based on unique internal source code paths and its distinctive operational characteristics.

Unlike many botnets that focus on disruptive activities such as Distributed Denial of Service (DDoS) attacks or cryptocurrency mining, AryStinger is designed for covert information gathering and as a platform for more complex cyber intrusions. Once compromised, a device becomes a “ghost node,” effectively masking the attackers’ true location while they conduct reconnaissance on other networks. The presence of a hardcoded encryption key, “sh_#@!_2024_secret,” suggests the campaign may have been active since at least 2024. The full scope of the botnet remains partially unknown, as current infection figures only account for RTL819X routers, with NAS device compromises yet to be fully quantified.

AryStinger’s Architecture and Global Footprint

Upon successful infection, AryStinger registers the compromised device with its command-and-control (C2) server. This registration process involves transmitting encrypted device fingerprint data, including MAC address, IP addresses, operating system version, and CPU architecture. The C2 server then assigns a unique Executor ID to each compromised device, integrating it as a managed node within the botnet.

Each infected node, or “Executor,” is assigned a specific segment of a broader scanning operation. This distributed methodology enables the attackers to perform rapid and extensive internet-wide reconnaissance while maintaining a high degree of anonymity. The botnet supports advanced functionalities such as port scanning, service identification, subdomain enumeration, and traffic tunneling, all designed to obscure the attackers’ activities.

Geographically, the D-Link DIR-850L router accounts for approximately 75% of all known AryStinger infections. South Korea is the most heavily affected country, with 48.45% of compromises, followed by China at 31.82%, Sweden at 6.40%, Malaysia at 3.50%, and Singapore at 2.50%.

Two Distinct Versions, Varied Capabilities

AryStinger operates in two primary versions, which share fundamental logic but are optimized for different target environments:

• RTL819X Version: This variant, written in C, is lightweight and specifically designed for older routers. Its core functionalities are limited to DNS scanning and tunneling.
• Standard Version: Developed in Go, this more robust version targets NAS devices and offers an expanded feature set. It includes intranet scanning, script execution, and the capability to deploy payloads written in Go, Java, or Python.

The Standard version’s “ScriptWork” feature provides exceptional flexibility, allowing attackers to transmit raw code directly to compromised devices, thereby eliminating the need for platform-specific binaries. Both versions ensure persistent access through backdoors, either via a lightweight SSH server known as dropbear or through gs-netcat, granting long-term remote control to the threat actors.

What You Should Do

• Monitor Network Traffic: Actively check your network for any communication with the Indicators of Compromise (IoCs) domains and IP addresses listed below.
• Inspect Device Directories: Examine the /tmp/bin directory on your network devices for any unfamiliar or suspicious files.
• Verify Running Processes: Look for active processes named syswapd0h or syswapd0w, which are direct indicators of an AryStinger infection.
• Replace or Disconnect Outdated Hardware: Immediately replace or take offline any router or NAS device that has not received firmware updates for several years, as these are primary targets for such campaigns.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.