Researchers at QiAnXin's XLab have uncovered a novel malware family they've named AryStinger, first observed on March 12, 2026. Unlike the DDoS botnets that typically colonize forgotten home routers, AryStinger's purpose is more surgical — it turns compromised devices into a distributed reconnaissance and proxy network, helping attackers obscure their origin during the pre-breach phases of targeted intrusions.
How It Spreads
The campaign appears to originate from IP address 107.150.106.14 and has compromised at least 4,300 devices. The primary targets are end-of-life hardware running legacy Realtek RTL819X chipsets manufactured between 2012 and 2015:
- ~75% D-Link DIR-850L routers
- ~25% QNAP NAS devices
Geographically, South Korea accounts for ~48% of infections and China ~32%, suggesting either opportunistic scanning of those regions or deliberate targeting.
Exploited Vulnerabilities
AryStinger exploits three CVEs to gain initial access:
| CVE | Affected Device | Notes |
|---|---|---|
| CVE-2013-3307 | Linksys routers | Over a decade old |
| CVE-2016-5681 | D-Link devices | 9+ years old |
| CVE-2025-11837 | QNAP Malware Remover | Recent, patched 2025 |
The reliance on CVEs from 2013 and 2016 reflects a hard truth: millions of consumer routers and NAS devices are still running firmware that hasn't been updated in years — and often can't be, because vendors have discontinued support.
Two Distinct Builds
XLab identified two separate variants of AryStinger with different capabilities:
C-Based Router Variant
- Performs DNS mass scanning across large IP ranges
- Tunnels HTTP/HTTPS traffic through compromised devices
- Uses Protobuf-encoded, XOR-obfuscated communications to evade detection
Go-Based NAS Variant
- Conducts internal and external network reconnaissance using fscan and httpx
- Includes a "ScriptWork" module allowing operators to remotely execute arbitrary Go, Java, or Python code
- Capable of subdomain enumeration to map target infrastructure before an attack
What Makes AryStinger Different
Most router-based malware is used for DDoS attack infrastructure. AryStinger stands apart by functioning as a covert intelligence-gathering layer — the compromised devices become staging posts for scanning and fingerprinting target networks. By routing reconnaissance traffic through residential and small-office devices, attackers can evade IP-based threat intelligence blocklists and make their activity appear to originate from legitimate end-user connections.
Indicators of Compromise
- C2 domains: ajb8.com and related hosts (check your DNS logs)
- Suspicious binaries: Look for unauthorized files in /tmp/bin on affected devices
- Unusual outbound traffic: Large volumes of DNS queries or HTTP tunnel traffic from routers
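As an added example (not code from XLab's report), the following Python sweeps constructed DNS resolver log lines for two of the indicators above: queries for ajb8.com or its subdomains, and clients emitting an unusually high query volume. The log format, the client addresses and the burst threshold are assumptions.

```python
# Added example: flag AryStinger DNS indicators in resolver logs.
# Log format, client IPs and the burst threshold are assumptions, not from the report.
from collections import Counter, defaultdict

C2_DOMAINS = {"ajb8.com"}          # from the report; add related hosts as they are published
QUERY_BURST_THRESHOLD = 50         # assumed: queries per client within the log window

# Constructed sample in an assumed "<time> <client_ip> <qname>" format (not a real log).
SAMPLE_LOG = "\n".join(
    ["2026-03-12T10:00:01 192.168.1.1 ajb8.com",
     "2026-03-12T10:00:02 192.168.1.1 update.ajb8.com",
     "2026-03-12T10:00:03 192.168.1.50 example.org"]
    + [f"2026-03-12T10:01:{i % 60:02d} 192.168.1.1 host{i}.example.net" for i in range(60)]
)


def is_c2_domain(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a known C2 domain (case/trailing-dot safe)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def parse_line(line: str):
    """Split one log line into (timestamp, client, qname); None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def analyze_dns_log(text: str, burst_threshold: int = QUERY_BURST_THRESHOLD) -> dict:
    """Return clients that resolved C2 names and clients exceeding the query-volume threshold."""
    c2_hits = defaultdict(list)     # client -> C2 names it queried
    counts = Counter()              # client -> total queries in the window
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname = rec
        counts[client] += 1
        if is_c2_domain(qname):
            c2_hits[client].append(qname)
    bursty = {c: n for c, n in counts.items() if n >= burst_threshold}
    return {"c2_clients": dict(c2_hits), "bursty_clients": bursty}


if __name__ == "__main__":
    print(analyze_dns_log(SAMPLE_LOG))
```

Point the script at a real resolver export (dnsmasq, Unbound, or a firewall's DNS log) after adjusting parse_line to that format; a router appearing in both result sets is a strong candidate for the audit step in the mitigations below.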
Recommended Mitigations
- Replace end-of-life hardware — D-Link DIR-850L and QNAP devices running RTL819X chipsets should be decommissioned. No firmware patch will be provided for most of these devices.
- Disable remote administration on any router that doesn't require it, especially on the WAN interface.
- Audit your network for unauthorized binaries and unusual outbound connections.
- Block C2 infrastructure by adding known AryStinger domains to your DNS blocklist.
- Apply available patches — CVE-2025-11837 has a patch available for supported QNAP devices.
The AryStinger campaign is a reminder that "unused" or "quiet" devices on your network are not neutral — they're an attack surface waiting to be exploited.