Security researchers have discovered a newly identified malware family called AryStinger that is quietly infecting outdated internet routers around the world. According to researchers from QiAnXin XLab, more than 4,300 devices have already been compromised, and the number continues to grow. Unlike many router-based botnets that focus on launching DDoS attacks, AryStinger is designed to help attackers collect information and prepare for future cyber intrusions.

The malware mainly targets older routers powered by Realtek RTL819X chipsets, which were commonly used in devices manufactured between 2012 and 2015. Researchers first detected the campaign in March 2026 and found that it was exploiting long-known security vulnerabilities in legacy Linksys and D-Link routers. Because many of these devices no longer receive security updates, they remain easy targets for attackers.
Once a router is infected, it becomes part of a distributed network controlled by the attackers. These compromised devices are used to scan the internet, identify exposed services, discover subdomains, and collect technical information about potential targets. The gathered data is then sent back to the operators, helping them map networks and identify weaknesses before launching larger attacks.

Researchers say AryStinger effectively turns every infected router into a proxy and reconnaissance node. This allows attackers to route their activity through compromised devices, making it much harder to trace operations back to the real source. By hiding behind thousands of infected routers, threat actors can conduct large-scale reconnaissance while remaining anonymous.
The majority of infected devices are believed to be D-Link routers, with the DIR-850L model accounting for a significant portion of infections. Telemetry data shows that South Korea and China currently host most of the compromised devices, followed by countries such as Sweden, Malaysia, and Singapore. Researchers noted that the malware’s footprint continues to expand as more vulnerable devices are discovered online.

A second variant of AryStinger has also been identified targeting QNAP NAS devices. This version is more advanced and includes additional capabilities such as network scanning, command execution, and reconnaissance inside local environments. Researchers found that it can execute attacker-supplied code written in languages including Go, Java, and Python, giving operators greater flexibility during operations.
Communication between infected devices and command-and-control servers takes place over HTTP and HTTPS channels. The malware distributes tasks across multiple compromised systems, allowing attackers to perform large-scale scanning operations in parallel. Security experts also warned that the infrastructure could potentially be used for DNS-based abuse or other malicious activities, although no such attacks have been observed so far.

Researchers have not yet attributed AryStinger to any known threat group, and investigations are still ongoing. However, the campaign highlights the growing risks posed by unsupported networking equipment. Security experts recommend replacing end-of-life routers, disabling unnecessary remote administration features, monitoring for unusual network activity, and applying the latest available firmware updates wherever possible.
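One concrete way to act on the "monitor for unusual network activity" advice above, as an added example that is not part of the original article or of XLab's research: a small Python heuristic that scores each internal source on its distinct-destination and distinct-port fan-out over flow records, so a router that has started behaving like a scanning/reconnaissance node stands out from normal clients. The IP addresses, flow records and thresholds are constructed assumptions.

```python
"""Flag a LAN source (e.g. the gateway router) whose outbound fan-out
looks like scanning rather than normal traffic.

Constructed example; records are (source_ip, dest_ip, dest_port)
as exported by a NetFlow/IPFIX collector or a firewall log parser.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed flows: one router fanning out to many hosts and ports
    (recon-like behaviour), one workstation talking to a few services."""
    flows = []
    for host in range(1, 41):                 # 40 distinct destinations ...
        for port in (22, 80, 443, 8080):      # ... on several service ports
            flows.append(("192.168.1.1", f"203.0.113.{host}", port))
    for dst, port in (("198.51.100.5", 443), ("198.51.100.6", 443),
                      ("198.51.100.7", 80)):
        flows.append(("192.168.1.20", dst, port))
    return flows


def summarize_sources(flows):
    """Per-source count of distinct destinations and distinct dest ports."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, port in flows:
        dsts[src].add(dst)
        ports[src].add(port)
    return {src: {"distinct_dsts": len(dsts[src]),
                  "distinct_ports": len(ports[src])} for src in dsts}


def find_recon_sources(flows, dst_threshold=25, port_threshold=3):
    """Return sources whose fan-out exceeds both thresholds (assumed values).

    Requiring both conditions avoids flagging a busy but benign host that
    only talks to many hosts on a single port (e.g. a CDN on 443)."""
    summary = summarize_sources(flows)
    return sorted(src for src, s in summary.items()
                  if s["distinct_dsts"] >= dst_threshold
                  and s["distinct_ports"] >= port_threshold)


if __name__ == "__main__":
    for src in find_recon_sources(build_sample_flows()):
        print(f"ALERT: {src} shows scan-like fan-out; check firmware/EOL status")
```

Run it against real collector output by replacing `build_sample_flows()` with your own (src, dst, port) tuples; a hit on the gateway address itself is the signal worth escalating.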
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news