Most organisations have at least one piece of networking equipment that has quietly outlived its supported life. A router in a branch office. A NAS device in a back room. Hardware that still works in the functional sense, still passes traffic, still shows up on the network diagram, but hasn't received a security update in years. AryStinger is a reminder of what happens to that equipment when attackers notice it.
Researchers at Qianxin's XLab threat intelligence team published their analysis of AryStinger this week, describing a botnet that has compromised over 4,300 routers worldwide by exploiting vulnerabilities that are, in one case, more than a decade old. The infected devices have been quietly repurposed as a distributed reconnaissance and proxy network, used to hide the attacker's real location while scanning for new targets. The count of 4,300 is still rising, and it covers only the router-targeting variant; a second variant aimed at NAS devices has not yet been measured.
This is not a story about a sophisticated zero-day or an advanced persistent threat. It is a story about what attackers do when hardware is simply left online without support: they own it, quietly, and put it to work.
What AryStinger is, and why it is different from most botnets
Most botnets are built for volume. They flood targets with traffic, mine cryptocurrency, or send spam. AryStinger has a different purpose entirely: it is built for the preparatory stage of an intrusion, the reconnaissance and infrastructure phase that precedes the actual break-in.
Each infected device scans the internet, fingerprints services, enumerates subdomains, and tunnels traffic, shipping results back to the operator. Each router becomes a footprinting node and a relay that hides where the real attacker is.
The practical implication is that AryStinger is not designed to harm its victims directly. The owners of compromised routers are not the end target. Their hardware is the tool. Their internet connection, their IP address, and their router's position between the internet and their network are what the attacker wants. That makes the threat harder to notice and, in some ways, harder to explain to a non-technical audience, which is exactly why we want to address it clearly here.
If your router is part of AryStinger, your IP address may be appearing in scan logs across the internet. You may be contributing to reconnaissance campaigns against banks, hospitals, government agencies, or other businesses. Your network may be used as a launch point for the early stages of attacks against entirely unrelated third parties. And because the malware is designed to run quietly and persistently, none of this is likely to be visible to you.
The hardware it targets, and why
AryStinger targets routers built on Realtek's RTL819X chips, hardware that was current around 2012 to 2015. The campaign was first detected spreading from a single IP on March 12, 2026, and the binary it distributed exploited two flaws from another era: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones.
CVE-2013-3307 is thirteen years old. CVE-2016-5681 is ten years old. Both have been publicly known and documented for the entire decade during which these devices have remained in service. The reason they are still exploitable today is straightforward: by targeting routers that are no longer supported by the vendor, the attackers gain access to devices that will never receive security patches but remain connected to the internet.
The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent of confirmed infections. By geography, infections skew toward South Korea at around 48 percent and China at around 32 percent, with Sweden, Malaysia, and Singapore making up much of the remainder.
A second strain, discovered on April 26, targets QNAP NAS devices through CVE-2025-11837, a code injection flaw in QNAP's Malware Remover that was publicly disclosed and patched in November 2025. That the attackers moved to a more recent vulnerability for the NAS variant reflects an opportunistic, adaptive approach: they use whatever works, and what works is consistently gear that isn't being updated.
What happens to a compromised device
Once infected, each device is registered with a command-and-control server and assigned a unique identifier, turning it into a managed node in the botnet. The botnet's controller splits large reconnaissance tasks into many smaller ones and distributes them across these nodes, effectively turning a fleet of consumer routers into a large-scale scanning platform.
The malware comes in two variants with different capabilities suited to the hardware they run on. The router variant, written in C, is kept lean because the old RTL819X hardware has limited resources; it focuses on mass DNS scanning and traffic tunneling. The NAS variant is written in Go and does considerably more: it scans internal and external networks and runs recon tools. A "ScriptWork" task executes attacker-supplied Go, Java, or Python source code on the box, so the operator never has to compile a binary per target.
Both variants establish persistent backdoors for long-term access, and both communicate with their command-and-control infrastructure over encrypted channels.
There is one additional capability that deserves particular attention for any organisation concerned about what a compromised router could mean for their network. AryStinger can tamper with DNS settings, allowing attackers to redirect victims' browser traffic to phishing pages or malware-hosting sites, and to silently monitor and potentially steal all inbound and outbound network traffic passing through the router or NAS. In a home or small office environment, this means that every device on the network (phones, laptops, tablets, printers, anything that connects through the compromised router) is potentially exposed to traffic interception and redirection, without any of those devices being directly infected.
The old equipment problem
AryStinger fits a pattern that the security community has been tracking for several years. In May 2025, the FBI and Justice Department tore down the 5socks and Anyproxy services, which had turned years-old Linksys and Cisco routers running TheMoon malware into residential proxies sold by the month. Mandiant has tracked operational relay box networks built from meshes of compromised end-of-life routers and IoT devices that state actors use to scan and relay while staying hard to trace.
The pattern is consistent because the opportunity is consistent. End-of-life networking equipment is not a niche problem. It is pervasive. Many organisations replace workstations and servers on a defined refresh cycle but have no equivalent policy for networking hardware. Routers and switches are replaced when they fail, not when they stop receiving security updates. The result is that networking infrastructure that was current in 2012 or 2015 frequently remains in production today, connected to the internet, with known unpatched vulnerabilities and no prospect of a fix.
This is the environment AryStinger was designed to exploit. The attackers are not doing anything clever. They are running known exploits against known-vulnerable hardware and finding thousands of devices that are still reachable and still vulnerable. The sophistication is in the malware's reconnaissance architecture, not in the exploitation itself.
For leadership and decision-makers, this is the core message: old networking equipment is not a low-priority IT housekeeping issue. It is an active attack surface. A router that stopped receiving security updates in 2016 has not become less capable of connecting to the internet. It has become significantly more dangerous while remaining equally connected.
Who is behind AryStinger?
AryStinger has not been attributed to any known threat actor. Researchers say many mysteries surrounding the campaign remain unsolved. A hardcoded string within the malware reading "sh_#@!_2024_secret" carries a "2024" timestamp that may indicate the campaign has been running longer than its March 2026 discovery date suggests, but this has not been confirmed.
What is clear is that the infrastructure is sophisticated enough to be actively maintained and expanded. The existence of multiple malware versions, version numbering that extends into the dozens of builds, and the addition of a NAS-targeting variant in April all suggest an ongoing operation with active development.
What to do
The recommended actions split cleanly between immediate checks and longer-term remediation.
Determine whether you have affected hardware
The devices primarily targeted by AryStinger are D-Link DIR-850L and DIR-818LW routers running on Realtek RTL819X chips, manufactured roughly between 2012 and 2015. If you operate these specific models, treat them as compromised until confirmed otherwise. More broadly, any router or NAS device that is no longer receiving firmware updates from its manufacturer should be treated as untrusted infrastructure.
Check your networking hardware inventory against manufacturer end-of-life lists. D-Link publishes end-of-life notices on its support site. If a device appears on that list and is still in service, it is potentially vulnerable to this and any number of other campaigns exploiting the same hardware.
Check for indicators of compromise
For devices you suspect may be affected, look for outbound connections to AryStinger's known command-and-control and download domains, check /tmp/bin for binaries you didn't put there, and look for processes named syswapd0h or syswapd0w. The full list of indicators of compromise, including IP addresses, domains, and file hashes, has been published by XLab in their technical report and should be loaded into your SIEM or threat intelligence platform.
Apply what mitigations are available on affected hardware
If replacement is not immediately possible, apply the latest available firmware for your device (even if it is old), change the default administrator password to a unique strong passphrase, and disable remote management from the internet. If your router supports it, turn off unused services such as UPnP on the WAN side.
Be clear-eyed about what these steps achieve, though. They reduce the attack surface on a device that can no longer be secured. They are not a substitute for replacement.
Replace end-of-life devices
This is the only complete remediation available. Even if you apply all available hardening recommendations, an end-of-life router should be considered untrusted. Make plans to replace it as soon as you can.
For organisations with a significant number of legacy devices, a structured inventory and replacement programme is the appropriate response. Prioritise devices with internet-facing management interfaces and those handling sensitive network segments.
Review your asset inventory policy
AryStinger is an opportunity to revisit how your organisation tracks and manages the lifecycle of networking hardware. If your current policies do not include a defined end-of-support date at which networking equipment is scheduled for replacement, that gap is worth addressing. Vendor end-of-support dates are public information and can be incorporated into procurement and asset management processes.
Detection
Detecting AryStinger on an infected device is possible but requires access to the device itself or visibility into its traffic.
At the device level, look for the process names syswapd0h and syswapd0w in the process list, and inspect /tmp/bin for unrecognised executables. Persistence is maintained through a Dropbear SSH server on port 2332 (for the router variant), so an unexpected listening service on that port is a strong indicator.
At the network level, outbound connections to the known AryStinger command-and-control domains and downloader infrastructure should be detectable through DNS query logs or firewall egress monitoring. The full list of IOC domains and IPs is available in XLab's public report. Add these to your blocklists and alerting rules as a first step.
If your organisation has devices that may have been infected prior to detection, also consider that DNS settings on affected routers may have been modified. Verify that your router's configured DNS resolvers match what your ISP or IT team has set, and consider flushing DNS caches on downstream devices.
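The device-level and network-level checks described in this section (and in "Check for indicators of compromise" above) can be scripted against captures pulled from a router or exported from a SIEM. The following is an added example, not code from the article or from XLab's report; the process names and the port 2332 are the ones XLab published, while the sample `ps`, `netstat` and dnsmasq-style log captures are constructed and the IOC domains are placeholders that you would replace with the list in XLab's report.

```python
# Added example (not from the article or XLab's report): the device- and
# network-level checks above, run against text captures so they work off-box.
# Sample inputs are constructed; IOC_DOMAINS are placeholders for XLab's list.
import re

SUSPECT_PROCESSES = {"syswapd0h", "syswapd0w"}  # process names cited by XLab
WATCH_PORTS = {2332}  # Dropbear persistence port used by the router variant
IOC_DOMAINS = {"c2-placeholder.invalid", "dl-placeholder.invalid"}  # placeholders

def find_suspect_processes(ps_output):
    """Lines of a busybox-style `ps` capture whose command is a suspect name."""
    hits = []
    for line in ps_output.splitlines():
        names = {tok.rsplit("/", 1)[-1] for tok in line.split()}
        if names & SUSPECT_PROCESSES:
            hits.append(line.strip())
    return hits

def find_watched_listeners(netstat_output, ports=WATCH_PORTS):
    """Local TCP ports in a `netstat -ltn` capture that are on the watch list."""
    found = set()
    for line in netstat_output.splitlines():
        m = re.search(r":(\d+)\s+\S+\s+LISTEN", line)
        if m and int(m.group(1)) in ports:
            found.add(int(m.group(1)))
    return sorted(found)

def match_dns_log(log_lines, iocs=IOC_DOMAINS):
    """(client, qname) pairs from dnsmasq-style query lines hitting an IOC domain
    or any subdomain of one; the client is the downstream host that asked."""
    hits = []
    for line in log_lines:
        m = re.search(r"query\[\w+\] (\S+) from (\S+)", line)
        if m:
            qname = m.group(1).lower().rstrip(".")
            if any(qname == d or qname.endswith("." + d) for d in iocs):
                hits.append((m.group(2), qname))
    return hits

# Constructed captures of what an infected router and its DNS log might show.
PS_SAMPLE = """  PID USER  VSZ STAT COMMAND
    1 root 1324 S    init
  842 root 2208 S    /tmp/bin/syswapd0h
  850 root 1104 S    dropbear -p 2332"""
NETSTAT_SAMPLE = """tcp   0  0 0.0.0.0:80     0.0.0.0:*   LISTEN
tcp   0  0 0.0.0.0:2332   0.0.0.0:*   LISTEN"""
DNS_SAMPLE = [
    "May 12 10:15:01 dnsmasq[612]: query[A] www.example.com from 192.168.1.23",
    "May 12 10:15:03 dnsmasq[612]: query[A] beacon.c2-placeholder.invalid from 192.168.1.1",
]
```

Any non-empty result from the first two functions on a real capture is grounds to isolate the device; a DNS hit identifies which downstream host (or the router itself) resolved attacker infrastructure.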
Summary
| Field | Detail |
|---|---|
| Malware | AryStinger |
| Type | Botnet / Reconnaissance proxy network |
| Discovered | March 12, 2026 (XLab / Qianxin) |
| Confirmed infections | 4,300+ routers (NAS infections not yet quantified) |
| Primary targets | D-Link DIR-850L, DIR-818LW (Realtek RTL819X hardware) |
| Secondary targets | QNAP NAS devices |
| Exploits used | CVE-2013-3307 (Linksys), CVE-2016-5681 (D-Link), CVE-2025-11837 (QNAP) |
| Purpose | Distributed reconnaissance, traffic proxying and tunneling, DNS manipulation |
| Attribution | Unknown; under investigation |
| Geographic concentration | South Korea (~48%), China (~32%), Sweden, Malaysia, Singapore |
| Immediate mitigation | Apply latest available firmware; disable remote WAN management; change default credentials |
| Full remediation | Replace end-of-life hardware |
| IOCs | Published by XLab; add to SIEM and blocklists |
The oldest vulnerability AryStinger exploits is thirteen years old. The hardware it targets has been out of support for the better part of a decade. None of that stopped it from building a botnet of over 4,300 devices, and none of it will slow down the campaigns that will inevitably follow using the same approach.
The router in the branch office that nobody has touched in eight years is not a low-risk leftover. It is an open door. AryStinger is simply the latest attacker to walk through it.
If you need help auditing your networking hardware inventory for end-of-life devices, assessing your exposure to AryStinger or similar campaigns, or building a replacement programme for legacy infrastructure, get in touch. This is exactly the kind of structural risk that tends to stay invisible until something goes wrong.