Cybersecurity · June 22, 2026 · via Security Affairs

Outdated routers repurposed into stealth spy network by AryStinger malware

Image: Security Affairs

Security researchers have uncovered a campaign turning thousands of outdated routers into a covert reconnaissance network using AryStinger malware. The operation leverages long-patched vulnerabilities to silently recruit devices into a stealthy infrastructure that supports espionage activities.

A quiet takeover of forgotten hardware

Researchers at QiAnXin’s XLab identified more than 4,300 routers—mostly older D-Link models—compromised by AryStinger. The malware exploits two long-standing flaws, CVE-2013-3307 and CVE-2016-5681, which have been publicly known for over a decade. These weaknesses reside in routers built on Realtek’s RTL819X chipset, hardware that was common between 2012 and 2015 but has not received firmware updates in years. Crucially, the binary used in the campaign evaded detection on VirusTotal, highlighting the stealthy nature of the threat.

From infection to intelligence collection

Once installed, AryStinger transforms each compromised router into what XLab calls an “Executor.” These nodes receive scanning tasks—such as port scanning, service identification, and subdomain enumeration—execute them in parallel with other infected devices, and relay the results back to the attacker. A relay layer obscures the operator’s location, making the campaign harder to trace. The infected pool is heavily concentrated in South Korea (48%), China (32%), and several Southeast Asian countries, regions where aging router hardware remains widespread.

Two versions, two levels of sophistication

XLab identified two distinct builds of AryStinger. The first, written in C, targets the RTL819X routers and is stripped down to function on limited hardware. It focuses on mass DNS scanning and traffic tunneling, communicates with its command-and-control server over HTTP using Protobuf-encoded messages obfuscated with XOR encryption, and maintains persistence by installing Dropbear SSH on port 2332. A second, more advanced build in Go emerged in late April and targets NAS devices through a recently patched QNAP vulnerability (CVE-2025-11837), demonstrating rapid exploitation within months of a fix being released. This version integrates multiple reconnaissance tools, including fscan for internal network scanning and ScriptWork, which allows the attacker to execute custom code directly on infected systems.
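A defender-side check for the persistence indicator named above, Dropbear SSH listening on TCP 2332, written as an added example that is not code from XLab's report or the article. It assumes Dropbear announces itself with its usual "SSH-2.0-dropbear" banner on that port; the host address and the banner strings are constructed.

```python
"""Flag routers that expose Dropbear SSH on TCP/2332, the persistence
mechanism reported for the C build of AryStinger.

Added example, not code from the XLab report. Assumption: Dropbear sends
its standard "SSH-2.0-dropbear..." banner on the non-standard port.
"""
import socket
from dataclasses import dataclass

ARYSTINGER_SSH_PORT = 2332   # persistence port named in the report
STANDARD_SSH_PORT = 22


@dataclass
class Finding:
    host: str
    port: int
    banner: str
    verdict: str  # "suspicious", "review", "benign" or "no-ssh"


def classify_banner(port: int, banner: str) -> str:
    """Map a TCP banner to a verdict. Dropbear on 2332 matches the reported
    indicator; any other SSH on a non-standard port is worth a look; SSH on
    22 is treated as expected; non-SSH banners are ignored."""
    b = banner.strip()
    if not b.startswith("SSH-"):
        return "no-ssh"
    if port == ARYSTINGER_SSH_PORT and "dropbear" in b.lower():
        return "suspicious"
    if port != STANDARD_SSH_PORT:
        return "review"
    return "benign"


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Read the first bytes a service sends after connect (SSH servers speak
    first). Returns "" when the port is closed, filtered or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("ascii", "replace")
    except OSError:
        return ""


def check_hosts(hosts, ports=(ARYSTINGER_SSH_PORT, STANDARD_SSH_PORT)):
    """Banner-grab each host on the given ports and keep only SSH findings."""
    findings = [Finding(h, p, b, classify_banner(p, b))
                for h in hosts for p in ports for b in [grab_banner(h, p)]]
    return [f for f in findings if f.verdict != "no-ssh"]


if __name__ == "__main__":
    # Constructed address; replace with the routers on your own network.
    for f in check_hosts(["192.0.2.1"]):
        print(f"{f.host}:{f.port} {f.verdict} {f.banner.strip()!r}")
```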


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
