4,300 Legacy Routers Ensnared by AryStinger Malware in Expanding Proxy Network

AryStinger malware has infected more than 4,300 legacy routers, transforming outdated networking devices into a stealthy reconnaissance and proxy network used to support cyber intrusion operations.

CSBadmin

AryStinger, a newly discovered malware family, has compromised more than 4,300 legacy routers to create a distributed reconnaissance and proxy network, according to researchers at QiAnXin XLab. Unlike traditional botnets that focus on launching DDoS attacks, AryStinger is designed to support the early stages of cyber intrusions by scanning the internet, fingerprinting services, enumerating subdomains, and relaying attacker traffic through compromised devices.

The campaign primarily targets aging routers built on Realtek RTL819X chipsets, exploiting years-old vulnerabilities in D-Link and Linksys devices that have long since reached end-of-life. Researchers observed the malware spreading in March 2026, with most infections concentrated in South Korea and China. The heavily affected D-Link DIR-850L model accounts for roughly three-quarters of all known infections.

A more advanced variant has also emerged targeting QNAP NAS devices through a recently patched code injection vulnerability. While the lightweight router version focuses on DNS scanning and traffic tunneling, the NAS variant can perform broader network reconnaissance and execute attacker-supplied Go, Java, or Python code directly on infected systems. This allows operators to rapidly deploy custom reconnaissance tasks without creating dedicated malware samples for each target.

Researchers say AryStinger reflects a growing trend of threat actors repurposing abandoned networking hardware into stealthy operational infrastructure. By leveraging forgotten devices and unpatched vulnerabilities, attackers can obscure their true origin while conducting large-scale reconnaissance activities that often precede data theft, espionage, or other network intrusions. Organizations and consumers still relying on unsupported routers are urged to replace them and disable unnecessary remote administration features.


Sources: The Hacker News