BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

AryStinger Botnet Hijacks Old Routers for Spying

AryStinger Malware Hijacks Old Routers for Stealthy Reconnaissance Network

  • A new malware called AryStinger has infected at least 4,300 older home routers, according to research from QiAnXin’s XLab.
  • Instead of creating a typical DDoS botnet, it turns compromised devices into a distributed reconnaissance and proxy network for attackers.
  • The campaign primarily targets routers with Realtek’s RTL819X chips, exploiting old vulnerabilities like CVE-2013-3307 and CVE-2016-5681.
  • A separate strain also targets QNAP NAS devices through a patched flaw, CVE-2025-11837.

A new malware family dubbed AryStinger is hijacking thousands of old home routers, according to a report from QiAnXin’s XLab published on June 22, 2026. This campaign repurposes forgotten devices into a stealthy network for scanning and traffic tunneling, marking a shift from typical DDoS-focused botnets. The operation leverages decade-old hardware vulnerabilities to establish its foothold.

- Advertisement -

Consequently, infected routers become footprinting nodes that conceal the attacker’s true origin. They perform mass DNS scanning, fingerprint services, and relay commands on demand. XLab first observed the malware spreading from a single IP address on March 12, 2026.

The infected pool is dominated by D-Link routers, with the DIR-850L model comprising about 75 percent. Geographically, most infections are located in South Korea and China. Meanwhile, a second strain targeting QNAP NAS boxes appeared in late April.

This strain exploits CVE-2025-11837, a code injection flaw patched months prior. The malware’s architecture includes two distinct builds tailored for different hardware capabilities. A lighter C version runs on resource-constrained routers, while a more robust Go version operates on compromised NAS devices.

The Go build can execute attacker-supplied source code directly on the infected system. Persistence is achieved through a backdoored SSH server with a hardcoded key. This operational model resembles other documented proxy networks used for espionage.

- Advertisement -

Mandiant has previously tracked similar operational relay box networks, or ORBs, used by state actors. The ultimate fix remains retiring end-of-life hardware that no longer receives security updates. Users should also disable remote administration on any exposed network devices.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

Must Read

Sushiswap vs Uniswap, What are the differences between these dex?

It's no secret that the world of decentralized exchanges has exploded in recent years. Many of you are probably wondering what the difference is...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading