
AryStinger Malware Infects 4,300 Legacy Routers to Create a Covert Proxy Network

Swati Khandelwal | June 22, 2026 | IoT Security / Vulnerability

A new family of malware turns forgotten home routers into a distributed network of reconnaissance nodes and proxies, rather than the DDoS botnet such devices usually end up in. QiAnXin’s XLab calls it AryStinger and counts at least 4,300 infected routers, a number it says is still rising.

The difference matters. AryStinger is built for the reconnaissance stage that comes before an intrusion. Infected devices scan the Internet, fingerprint services, enumerate subdomains, tunnel traffic, and execute commands when instructed, then send the results back to the operator.

Each router becomes both a vantage point and a relay that hides where the real attacker is.

Old chips, old bugs

The campaign goes after routers built on Realtek’s RTL819X chips, hardware that shipped roughly between 2012 and 2015. XLab first noticed it on March 12, 2026, being distributed from a single IP, 107.150.106.14.

The binary being pushed was a Linux ELF that VirusTotal did not flag, exploiting two bugs from another era: CVE-2013-3307 for Linksys models and CVE-2016-5681 for D-Link.

The largest share of infections is D-Link, with the DIR-850L alone accounting for about 75 percent. Geographically, South Korea leads (about 48 percent), followed by China (about 32 percent), then Sweden, Malaysia, and Singapore.

The second version appeared on April 26, targeting QNAP NAS boxes with CVE-2025-11837, a code injection flaw in QNAP’s Malware Remover. The bug was demonstrated at Pwn2Own Ireland 2025 and patched in November 2025, months before the campaign started using it.

The way in, in other words, was a tool meant to remove malware. XLab doesn’t measure NAS infections, so the 4,300 figure covers only RTL819X routers.

Two builds, same job

One build is lean, the other is heavy. The router build is written in C and kept simple, because the older hardware can’t handle more, so it sticks to large-scale DNS scans and traffic tunneling. The NAS build is written in Go and does a lot more. It scans internal and external networks and bundles recon tools such as fscan, ksubdomain, and httpx. Its “ScriptWork” function runs Go, Java, or Python source code supplied by the attacker on the box, so the operator never has to compile a binary for each target.

Each infected node, which XLab calls an Executor, talks to its C2 over HTTP/HTTPS, carrying Protobuf messages obfuscated with a simple XOR (the Go build adds gzip compression). The operator splits a large scan into pieces and spreads them across the fleet, which works through them in parallel.

XLab notes that the same DNS scanning capability can be aimed at resolvers to generate denial-of-service traffic. Persistence comes from a Dropbear SSH server on a fixed port, 2332, on routers, or from gs-netcat on the NAS. The hard-coded key, sh_#@!_2024_secret, contains “2024”, which may point to a start in early 2024, although XLab cannot confirm it.

Where this fits in

The pattern is familiar. In May 2025, the FBI and the Department of Justice took down the 5socks and Anyproxy services, which had turned Linksys and Cisco routers running TheMoon malware into residential proxies sold by monthly subscription. The espionage version looks very similar.

Mandiant has tracked operational relay box networks, or ORBs: meshes of vulnerable end-of-life routers and IoT devices that regional actors use to scan and relay while staying hard to trace. Newer ORB networks such as LapDogs farm devices by exploiting n-day bugs the way AryStinger does.

AryStinger hasn’t been attributed to anyone yet, and XLab says it’s still working out who’s behind it. What is clear is the model: forgotten hardware and ancient CVEs, turned into silent infrastructure for the opening moves of an intrusion.

What to do

If you run any of the affected gear, checking is straightforward. Look for outgoing connections to AryStinger’s C2 and download domains (ajb8.com and related hosts on XLab’s IOC list), check /tmp/bin for binaries you didn’t put there, and look for processes named syswapd0h or syswapd0w.
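An added triage helper, not from XLab or the article, that runs the three checks above over captured `ps`, `netstat` and `ls /tmp/bin` output from a router; the indicators are the ones named above, the BusyBox-style column layout and hostname-resolved `netstat` output are assumptions, and the sample outputs are constructed:

```python
import os

# Indicators as reported above (XLab); the rest of this script is an added example.
C2_DOMAINS = {"ajb8.com"}
PROCESS_NAMES = {"syswapd0h", "syswapd0w"}
DROPBEAR_PORT = 2332  # fixed Dropbear port on infected routers


def check_processes(ps_output):
    """Return (pid, command) for processes whose command basename matches an indicator."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        pid, cmd = fields[0], fields[4]  # assumed layout: PID USER VSZ STAT COMMAND
        if os.path.basename(cmd) in PROCESS_NAMES:
            hits.append((int(pid), cmd))
    return hits


def check_connections(netstat_output):
    """Flag TCP connections to C2 hosts and any listener on the Dropbear port."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        host = remote.rpartition(":")[0]
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append(("c2", remote))
        if state == "LISTEN" and local.endswith(":%d" % DROPBEAR_PORT):
            hits.append(("listener", local))
    return hits


def check_drop_dir(ls_output, expected=()):
    """Return names under /tmp/bin that are not in the owner's expected list."""
    return [name for name in ls_output.split() if name not in expected]


# Constructed sample captures, not real data from an infected device.
SAMPLE_PS = """PID USER VSZ STAT COMMAND
    1 root 1120 S init
  312 root 2044 S /bin/sh
 1337 root 1880 S /tmp/bin/syswapd0h -p 2332
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2332 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:45120 ajb8.com:443 ESTABLISHED
tcp 0 0 192.168.1.1:80 192.168.1.20:51022 ESTABLISHED
"""
SAMPLE_LS = "syswapd0h\n"
```

Any non-empty result from the three functions is worth a closer look; a clean result does not prove the device is uninfected, since the indicator list is XLab's snapshot and the campaign is still changing.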

The lasting fix is the one everyone keeps repeating: replace end-of-life routers that no longer receive firmware, and disable remote management on anything exposed to the Internet. A box that stopped receiving patches in 2016 will not start getting them now.
