Researchers have uncovered a malware family that breaks the usual mold for compromised home routers. Instead of corralling them into a noisy DDoS botnet, AryStinger turns forgotten, end-of-life routers into quiet infrastructure for reconnaissance and proxying — scanning targets, tunneling attacker traffic, and running commands remotely. To date it has infected more than 4,300 devices.
The campaign was first observed by XLab on March 12, 2026, spreading from a single IP address (107.150.106.14). The initial payload was a Linux ELF binary that no engine on VirusTotal flagged, a fully undetected sample, and it spreads by exploiting vulnerabilities that are a decade or more old: CVE-2013-3307 in certain Linksys models and CVE-2016-5681 in D-Link devices.
Targeting the hardware everyone forgot
AryStinger goes after routers built on Realtek’s RTL819X chipset, silicon that was current roughly between 2012 and 2015. These are devices long past end-of-life, no longer receiving firmware updates, and frequently still humming away in homes and small offices with default configurations. The infected pool is mostly D-Link, with the DIR-850L alone accounting for about 75 percent of compromised devices.
Geographically the infections cluster heavily in South Korea (~48 percent) and China (~32 percent), followed by Sweden, Malaysia, and Singapore. A second strain appeared on April 26, broadening the target set to QNAP NAS appliances through CVE-2025-11837, a code-injection flaw in QNAP’s Malware Remover utility — a pointed irony for a tool meant to clean infections.
Why “recon and proxy” is worse than “DDoS”
The instinct is to see a router botnet and think of bandwidth-for-hire flooding attacks. AryStinger is built for something subtler and arguably more dangerous. By turning compromised routers into scanning nodes and traffic relays, the operators gain:
- Anonymized reconnaissance. Probes against targets originate from thousands of unremarkable residential IPs, blending into ordinary internet noise and frustrating attribution.
- Proxy infrastructure. Attacker traffic can be tunneled through hijacked hardware so that downstream intrusions appear to come from a legitimate, geographically plausible connection.
- Remote command execution. The operators retain hands-on control of each node, making the network a flexible platform rather than a single-purpose weapon.
This is the same strategic logic that nation-state operators have used to hide inside hijacked edge devices — and exactly the threat that prompted Canada’s intelligence service to obtain a first-of-its-kind warrant to clean botnet-infected devices on its own soil. Compromised consumer routers have become a preferred staging layer precisely because nobody is watching them.
The end-of-life device problem
AryStinger is a case study in the most stubborn problem in IoT security: hardware that outlives its support window. The exploited router flaws are a decade or more old and have long since been patched in supported firmware, but for the RTL819X generation there is no patch coming and never will be. The device works, so the owner never replaces it, and it sits exposed indefinitely. Every one of these orphaned routers is a permanent, unpatchable foothold waiting to be claimed.
What to do now
- Retire end-of-life routers. If your router is from the 2012–2015 era — particularly a D-Link DIR-850L or other RTL819X-based model — replace it. There is no patch for these flaws.
- Check for current firmware on any router still in support, and apply it. Disable remote administration unless you genuinely need it.
- Reboot and reset suspect devices. Much router malware is memory-resident and does not survive a reboot, and a factory reset and reflash clears what does persist. Neither removes the vulnerability, though: an exposed device can be re-exploited within minutes of coming back online. For a device you cannot replace immediately, reset it, disable WAN-side administration before reconnecting it, and treat the reset as a stopgap, not a fix.
- Segment IoT and NAS devices. Keep QNAP and similar appliances off the open internet, and patch QNAP’s Malware Remover against CVE-2025-11837.
- Watch outbound traffic. Unexpected tunneling or scanning from a home/SOHO router is a strong indicator of compromise.
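What "watch outbound traffic" looks like in practice, as an added example that is not code from XLab or the cited articles: two heuristics over flow records, one for the reconnaissance pattern (one source touching many distinct hosts on the same port in a short window) and one for the proxy/C2 pattern (a long-lived outbound session to a single external host). The flow format, the router WAN address 203.0.113.7, the function names and every record in the sample log are assumptions constructed for the example. It deliberately assumes flows collected outside the router (an upstream firewall, a tap, or ISP-side NetFlow), because a compromised router cannot be trusted to log its own traffic, and it skips ports 80 and 443, because NAT makes ordinary client browsing fan out from the router's WAN address on exactly those ports.

```python
"""Flow-log heuristics for spotting a SOHO router acting as a scanner or tunnel endpoint.

Added example, not code from XLab or the cited articles. It assumes flow records
collected outside the router (an upstream firewall, a tap, or ISP-side NetFlow),
because a compromised router cannot be trusted to log its own traffic, in the form:

    <ISO-8601 timestamp>,<src_ip>,<dst_ip>,<dst_port>,<duration_seconds>

Every record below is constructed for the example; none is captured traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ROUTER_WAN_IP = "203.0.113.7"   # assumed WAN address of the router under observation (TEST-NET-3)
BROWSING_PORTS = {80, 443}      # NAT'd client browsing legitimately fans out on these; skip them


def parse_flows(text: str) -> List[dict]:
    """Parse the CSV-like flow format described above; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, dur = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "dur": int(dur)})
    return flows


def find_scans(flows: List[dict], src: str = ROUTER_WAN_IP,
               window: timedelta = timedelta(minutes=5), min_targets: int = 20) -> Dict[int, int]:
    """Reconnaissance signature: one source reaching >= min_targets distinct hosts on the
    same non-browsing port within a sliding window. Returns {port: max distinct targets}."""
    by_port: Dict[int, List[Tuple[datetime, str]]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["src"] == src and f["port"] not in BROWSING_PORTS:
            by_port[f["port"]].append((f["ts"], f["dst"]))
    hits: Dict[int, int] = {}
    for port, events in by_port.items():
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window's left edge forward
                lo += 1
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        if best >= min_targets:
            hits[port] = best
    return hits


def find_tunnels(flows: List[dict], src: str = ROUTER_WAN_IP,
                 min_duration: int = 3600) -> List[Tuple[str, int, int]]:
    """Proxy/C2 signature: a long-lived outbound session to a single external host on a
    non-browsing port. Returns sorted (dst, port, duration_seconds) tuples."""
    return sorted((f["dst"], f["port"], f["dur"]) for f in flows
                  if f["src"] == src and f["port"] not in BROWSING_PORTS
                  and f["dur"] >= min_duration)


def _constructed_log() -> str:
    """Build the sample input: 40 ordinary HTTPS flows, a 30-host sweep on TCP 8080
    inside 30 seconds, and one two-hour session to a single host on TCP 4444."""
    lines = ["# constructed flow records for this example, not captured traffic"]
    lines += [f"2026-05-01T09:58:{i:02d},{ROUTER_WAN_IP},198.51.100.{i},443,3" for i in range(40)]
    lines += [f"2026-05-01T10:00:{i:02d},{ROUTER_WAN_IP},192.0.2.{i},8080,1" for i in range(1, 31)]
    lines.append(f"2026-05-01T10:05:00,{ROUTER_WAN_IP},192.0.2.200,4444,7200")
    return "\n".join(lines)


SAMPLE_FLOW_LOG = _constructed_log()


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_LOG)
    print("scan-like fan-out by port:", find_scans(flows))     # {8080: 30}
    print("tunnel-shaped sessions:", find_tunnels(flows))      # [('192.0.2.200', 4444, 7200)]
```

The thresholds are starting points, not truth: a household VPN or a long video call also produces a long-lived flow, and a port-specific fan-out of 20 hosts in five minutes is only suspicious because a SOHO router has no business doing it. Tune them against a week of your own baseline before alerting on them, and keep the collection point upstream of the device you are trying to judge.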
The lesson of AryStinger is that the most dangerous device on a network is often the one nobody thinks about — quietly working, years out of support, and perfectly positioned to become someone else’s infrastructure.
Sources
- The Hacker News — AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
- SecurityAffairs — 4,300+ Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger malware
- CyberSecurityNews — AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network