A new malware family called AryStinger has infected at least 4,300 legacy home routers and turned them into a distributed reconnaissance and proxy network, according to a technical analysis from QiAnXin XLab. The activity was first observed on March 12, 2026 and is still growing.
KEY FACTS
- Scope: At least 4,300 infected routers have been counted so far.
- Target hardware: The campaign focuses on Realtek RTL819X based routers from the 2012 to 2015 era.
- Function: Infected devices scan, fingerprint, enumerate subdomains, tunnel traffic and run commands on demand.
- Initial access: The router build exploits CVE-2013-3307 in Linksys devices and CVE-2016-5681 in D-Link devices.
The infected routers are mostly D-Link devices, with the DIR-850L model accounting for about 75 percent of the pool. The report says the compromised devices are concentrated in South Korea and China, with smaller numbers in Sweden, Malaysia and Singapore.
A second malware strain appeared on April 26 and targets QNAP NAS systems through CVE-2025-11837, a code injection flaw described in QNAP’s Malware Remover advisory. XLab said the NAS infections were not measured, so the 4,300 count covers routers only.
The router version is written in C and stays lightweight for older hardware, while the NAS version is written in Go and adds wider reconnaissance tools. The report says each infected node communicates with command and control servers over HTTP or HTTPS, with Protobuf-encoded traffic obscured by XOR and gzip in the Go build.
Persistence is maintained through a Dropbear SSH server on a fixed port in routers, or gs-netcat on NAS devices. The report also says the same DNS scanning can be used against resolvers to generate denial-of-service traffic.
WHY IT MATTERS
The campaign shows how outdated consumer and small office hardware can be repurposed into infrastructure for stealthy reconnaissance and proxying rather than obvious disruption. The practical defense is to retire end-of-life devices, remove exposed remote administration and watch for the indicators listed in the report.

