When we talk about botnets, we usually mean armies of compromised devices slamming websites with traffic until they collapse. DDoS attacks and crypto mining: that's the usual playbook.
AryStinger is different.
A newly discovered malware family is turning forgotten home routers into a distributed reconnaissance and proxy network. Not a wrecking ball. A surveillance system. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand. Each router becomes a footprinting node and a relay that hides where the real attacker is.
The campaign goes after routers built on Realtek's RTL819X chips, hardware that was current around 2012 to 2015. Researchers first saw it on March 12, 2026, spreading from a single IP. The binary it pushed was a Linux ELF that no security engine flagged at the time. It exploited two flaws from another era: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones.
A second strain appeared on April 26, aimed at QNAP NAS boxes through CVE-2025-11837, a code injection flaw in QNAP's Malware Remover. The bug was shown at Pwn2Own Ireland 2025 and patched in November 2025, months before this strain began using it.
By the Numbers: D-Link Dominates
The infected pool is overwhelmingly D-Link. The DIR-850L alone makes up about 75% of the infected routers. DIR-818LW accounts for another 13%.
Geographically, the infections skew heavily to East Asia:
1. South Korea: approximately 48%
2. China: approximately 32%
3. Sweden: approximately 6%
4. Malaysia: approximately 3.5%
5. Singapore: approximately 2.5%
The count of at least 4,300 infected devices covers RTL819X routers only. The NAS infections from the second strain haven't been fully measured, so the actual number could be higher.
Two Builds, Same Job
The AryStinger botnet comes in two variants, adapted to the hardware they target.
Router build (C language): Lightweight and stripped down. Old routers can't run anything heavier. This version handles mass DNS scanning and traffic tunneling. That's it. The operators kept it lean because the hardware can't do more.
NAS build (Go language): Far more capable. This version scans internal and external networks and runs reconnaissance tools like fscan, ksubdomain, and httpx.
A ScriptWork task executes attacker-supplied Go, Java, or Python source code on the box, meaning the operator never has to compile a binary per target.
Each infected node, called an Executor, communicates with its C2 over HTTP/HTTPS. Traffic is Protobuf-encoded and obfuscated with simple XOR encryption. The Go build adds gzip compression.
Persistence comes from a Dropbear SSH server on port 2332 (routers) or gs-netcat (NAS). The hardcoded key is sh_#@!_2024_secret. The "2024" may point to when the operation began.
Parallel Reconnaissance at Scale
The AryStinger botnet is designed for efficiency. The operator splits a large scan task into chunks and spreads them across the fleet. Each infected router scans a small piece of the internet. The results come back in parallel.
With this distributed design, attackers can complete early footprinting quickly: mapping exposed services, finding vulnerable targets, and building a picture of a network before anyone knows they're there.
Where This Fits in the Threat Landscape
AryStinger's shape is familiar.
In May 2025, the FBI and Justice Department dismantled the 5socks and Anyproxy services, which had turned years-old Linksys and Cisco routers running TheMoon malware into residential proxies sold by the month. AryStinger is the espionage version of that same playbook.
Other researcher groups have tracked operational relay box networks: meshes of compromised end-of-life routers and IoT devices that state actors use to scan and relay traffic while staying hard to trace. Recent router botnets farm devices through n-day bugs the way AryStinger does.
AryStinger hasn't been pinned to any specific actor yet. Attribution is still under investigation. But the model is clear: forgotten hardware, ancient CVEs, turned into quiet infrastructure for the opening moves of an intrusion.
What to Do If You Own Affected Gear
The durable fix is the one everyone keeps repeating: retire end-of-life routers that no longer get firmware. A box that stopped getting patches in 2016 is not going to start now.
If you run any of the affected gear, here's what to check:
1. Look for outbound connections to known malicious domains associated with the campaign
2. Check /tmp/bin for binaries you didn't place there
3. Look for processes named syswapd0h or syswapd0w
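As an added example (not code from the article or the researchers behind it), a POSIX shell triage script that runs the three checks above together with the Dropbear port mentioned earlier. The process names, port 2332 and /tmp/bin are taken from the article; the BusyBox-style column layout of ps and netstat output is an assumption, and the campaign's domain list is not given here, so outbound connections are left to your own IOC feed.

```shell
#!/bin/sh
# Added triage helper, not from the article or the researchers it cites.
# Checks a device for the AryStinger indicators named in the article: the
# process names syswapd0h/syswapd0w, a Dropbear listener on TCP 2332, and
# executables dropped in /tmp/bin. Each check reads text on stdin (or a path)
# so it can run on the box or over output copied off it. The ps/netstat
# column layout assumed below is BusyBox-style (an assumption, not from the page).

IOC_PROC_RE='syswapd0[hw]'   # process names reported for the router build
IOC_SSH_PORT=2332            # hardcoded Dropbear port on infected routers
IOC_DIR=/tmp/bin             # drop directory for the pushed binaries

# flag_procs: print each distinct indicator process name found in `ps` output.
# Exit 0 when at least one is present, 1 otherwise.
flag_procs() {
    grep -Eow "$IOC_PROC_RE" | sort -u | grep .
}

# flag_ssh_listener: print the local socket of any TCP listener on port 2332.
# Input: `netstat -tln` output. Exit 0 when found, 1 otherwise.
# The regex anchors on ":2332$" so port 22332 is not mistaken for a hit.
flag_ssh_listener() {
    awk -v port=":$IOC_SSH_PORT" \
        '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (port "$") { print $4 }' \
    | grep .
}

# flag_tmp_bin: list executable files under the drop directory (arg 1,
# default /tmp/bin). Exit 0 when any exist, 1 when none or the dir is absent.
flag_tmp_bin() {
    dir=${1:-$IOC_DIR}
    [ -d "$dir" ] || return 1
    find "$dir" -type f -perm -100 | grep .
}

# triage: run all checks live on this device. Exit 0 when clean, 1 when any
# indicator is present, so cron or a monitoring script can raise an alert.
triage() {
    hits=0
    ps 2>/dev/null | flag_procs && hits=1
    netstat -tln 2>/dev/null | flag_ssh_listener && hits=1
    flag_tmp_bin && hits=1
    return $hits
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    triage
fi
```

Run it as `sh triage.sh --live` on the device; the functions can also be fed saved `ps` and `netstat -tln` captures from a router you cannot keep a shell on.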
For NAS owners: if you have a QNAP device, verify you've applied the patch for CVE-2025-11837. The fix was issued after Pwn2Own Ireland 2025. If you haven't updated, do it now.
The Bottom Line
AryStinger is not a DDoS botnet. It's a reconnaissance network built from hardware that was retired years ago. Every infected router becomes a node that scans the internet, tunnels traffic, and hides the attacker's trail.
The old routers won't get patches. They never will. The only fix is replacement.
Check your hardware. Replace it if it's end-of-life. And if you see syswapd0h or syswapd0w running on your network, assume someone else is already using your router to scout their next victim.
FAQ Section
What is the AryStinger botnet?
AryStinger is a malware family that turns outdated routers into a distributed reconnaissance and proxy network. Infected devices scan the internet, tunnel traffic, and run commands on demand.
How many routers are infected?
At least 4,300 infected routers have been counted. The total is still rising, and this number only covers RTL819X-based routers, not NAS devices.
Which routers are affected by AryStinger, and why?
Mainly D-Link routers built on the Realtek RTL819X chipset, which are exploited through old, unpatched flaws. The D-Link DIR-850L alone accounts for about 75% of the infected routers.
What is the distribution mechanism for AryStinger?
Outdated vulnerabilities are exploited, specifically CVE-2013-3307 and CVE-2016-5681. Also, AryStinger has a second distribution pathway which targets QNAP NAS devices through the exploitation of CVE-2025-11837.
What should I do if my router has been infected?
If your router has reached end-of-life and is no longer supported by the manufacturer, look for unapproved outbound traffic to suspicious domains, check for unknown binaries in the /tmp/bin directory, and look for new processes named syswapd0h or syswapd0w.
Has AryStinger been attributed to any well-known hacking groups?
As of now, no attribution has been made; the investigation is still in progress.