How AryStinger Hijacks Old Routers and QNAP NAS for Covert Recon

CyberSecureFox Editorial Team

Researchers from QiAnXin XLab report on a new malware family, AryStinger, which infects legacy home routers based on Realtek RTL819X chips and QNAP NAS devices, turning them not into a typical DDoS botnet, but into a distributed infrastructure for reconnaissance and traffic proxying. According to the researchers, at least 4,300 routers have been compromised, and the number continues to grow. Owners of D-Link DIR-850L devices, Linksys routers based on RTL819X, and QNAP NAS with the Malware Remover utility should immediately check their equipment for indicators of compromise and consider decommissioning devices that no longer receive security updates.

Functional purpose and architecture

AryStinger is fundamentally different from most IoT botnets. Infected devices do not generate junk traffic for denial-of-service attacks — they perform tasks characteristic of the initial phase of a targeted attack: scanning the internet, service fingerprinting, subdomain enumeration, traffic tunneling, and arbitrary command execution. The results are sent to the operator, and each infected router simultaneously serves as a relay node, hiding the attacker’s real location.

According to XLab, there are two variants of the malware adapted to different equipment:

  • Router variant — written in C, lightweight for operation on low-end hardware. Limited to large-scale DNS scanning and traffic tunneling.
  • NAS variant — written in Go with extended functionality. Scans both internal and external networks, using the tools fscan, ksubdomain and httpx. The ScriptWork module allows execution of arbitrary Go, Java or Python code supplied by the operator, without having to compile a binary for each target.

Communication with the command-and-control server is carried out over HTTP/HTTPS using Protobuf encoding and XOR obfuscation (the Go variant additionally uses gzip). The operator splits large-scale scanning tasks into fragments and distributes them across infected nodes, enabling parallel reconnaissance.

Exploited vulnerabilities and infection vector

To compromise routers, AryStinger exploits two long-known vulnerabilities:

  • CVE-2013-3307 — a vulnerability in Linksys routers dating back to 2013.
  • CVE-2016-5681 — a vulnerability in D-Link routers discovered in 2016.

According to the report, XLab first observed AryStinger activity on March 12, 2026 — the malware was spreading from a single IP address, 107.150.106.14. The downloaded binary was a Linux ELF file that, at the time of discovery, was not detected by any engine on VirusTotal.

On April 26, a second variant appeared, targeting QNAP NAS devices via CVE-2025-11837 — a code injection vulnerability in the QNAP Malware Remover utility. The irony is that the infection vector is the vendor’s own anti-malware tool. The vulnerability was demonstrated at Pwn2Own Ireland 2025 and patched by QNAP in November 2025 — several months before it began to be exploited in this campaign. XLab did not estimate the number of infected NAS devices, so the figure of 4,300 refers exclusively to routers.

Scale and geography of infection

According to the researchers, the overwhelming majority of infected devices are D-Link routers, with the D-Link DIR-850L model accounting for about 75% of all compromised nodes. The geographical distribution is uneven: approximately 48% fall on South Korea and around 32% on China, followed by Sweden, Malaysia and Singapore.

Persistence mechanisms differ by platform: on routers, a Dropbear SSH server is installed on port 2332; on NAS devices, gs-netcat is used. A hard-coded key, sh_#@!_2024_secret, was found in the code.

Threat context: operational relay networks

The AryStinger model fits into a broader trend documented by Mandiant in the context of so-called Operational Relay Box (ORB) networks — mesh infrastructures of compromised legacy routers and IoT devices used by state-sponsored actors for scanning and traffic relaying to complicate attribution. Networks such as LapDogs, described by Mandiant, compromise devices by exploiting known but unpatched vulnerabilities — the same approach used by AryStinger.

In May 2025, the FBI and the U.S. Department of Justice dismantled the 5socks and Anyproxy services, which turned legacy Linksys and Cisco routers infected with TheMoon malware into residential proxies sold by subscription. AryStinger apparently implements the same concept, but in the context of reconnaissance operations.

Attribution of AryStinger has not yet been established — XLab reports that work to identify the operators is ongoing.

Impact assessment

The highest risk is to organizations and home users operating legacy networking equipment on Realtek RTL819X chips released between 2012 and 2015, as well as QNAP NAS devices with an unpatched Malware Remover utility. The concentration of infections in South Korea and China may point both to the prevalence of vulnerable equipment in these regions and to a deliberate choice of geography.

The key risk is not direct damage to the owner of the infected device, but the fact that their equipment becomes part of the infrastructure for attacks on third parties. This creates legal and reputational risks: the IP address of a compromised device may end up on blocklists or appear in incident investigations.

Practical recommendations

To check for compromise:

  • Check for outbound connections to the ajb8.com domain and related hosts from the XLab indicators list.
  • Inspect the /tmp/bin directory for unknown binary files.
  • Look for processes named syswapd0h or syswapd0w.
  • Check for an open port 2332 (Dropbear SSH) on routers.
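The four checks above, as an added shell example that is not code from XLab or the article: each function reads command output on stdin, so it can run on the device's own busybox shell or over output captured from a device, and the process names, port, domain and IP are exactly the indicators quoted above (the `run_live` driver and its use of `ps`, `netstat`/`ss` and `ls` are this example's assumptions).

```shell
#!/bin/sh
# Added example, not code from XLab or the article: triage a router or NAS
# against the AryStinger indicators quoted in the article. Each check reads
# command output from stdin, so it works on the device's busybox shell or on
# output captured from a device. A check prints any matching lines and returns
# 1 when an indicator is present, 0 when clean.

IOC_PROCS='syswapd0h|syswapd0w'                    # implant process names
IOC_PORT=2332                                      # Dropbear persistence port
IOC_C2_RE='ajb8\.com|107\.150\.106\.14([^0-9]|$)'  # C2 domain and seed IP

# Process listing (`ps`): flag the implant names as whole words, so a
# path such as /tmp/bin/syswapd0h is caught while e.g. "syswapd0hx" is not.
check_procs() {
  grep -E "(^|[^[:alnum:]_])($IOC_PROCS)([^[:alnum:]_]|$)" && return 1
  return 0
}

# Listening sockets (`netstat -tln` or `ss -tln`): flag a listener on 2332
# without matching longer ports such as 23320.
check_listener() {
  grep -E ":$IOC_PORT([^0-9]|$)" && return 1
  return 0
}

# Active connections or DNS query logs: flag the C2 domain or the seed IP.
check_c2() {
  grep -E "$IOC_C2_RE" && return 1
  return 0
}

# Run every check against live output on the device itself; returns
# non-zero if anything matched. Also reports a populated /tmp/bin.
run_live() {
  rc=0
  ps | check_procs || rc=1
  (netstat -tln 2>/dev/null || ss -tln 2>/dev/null) | check_listener || rc=1
  (netstat -tn 2>/dev/null || ss -tn 2>/dev/null) | check_c2 || rc=1
  if [ -d /tmp/bin ] && [ -n "$(ls -A /tmp/bin 2>/dev/null)" ]; then
    echo "unexpected binaries in /tmp/bin:"; ls -l /tmp/bin; rc=1
  fi
  return $rc
}

# Live run only when asked, so the functions can also be sourced or tested.
if [ "${1:-}" = "--live" ]; then run_live; fi
```

A non-zero exit from `--live` means at least one indicator matched and the device should be isolated and examined rather than simply rebooted, since the article notes the implant persists via Dropbear or gs-netcat.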

To remediate the threat:

  • Routers based on Realtek RTL819X that no longer receive firmware updates should be decommissioned and replaced with supported models.
  • On QNAP NAS devices, update Malware Remover to a version that fixes CVE-2025-11837.
  • Disable remote administration on all devices accessible from the internet.
  • Block network perimeter connections to IP 107.150.106.14 and the ajb8.com domain.

A device that last received a security patch in 2016 cannot be protected by any configuration — the only reliable measure for RTL819X-based routers without vendor support is physical replacement. For QNAP NAS devices, it is critical to apply the Malware Remover update released in November 2025 if this has not yet been done: it is precisely the unpatched vulnerability in the security tool that is being used as the entry point.
