AryStinger
AryStinger is a previously undocumented botnet malware family identified by QiAnXin XLab that compromises aging internet-facing edge devices, primarily end-of-life routers and some NAS appliances, and repurposes them as a distributed reconnaissance, proxy, and intrusion-support infrastructure. XLab reported at least 4,300 infected routers worldwide, with infections concentrated in South Korea and China, and with D-Link DIR-850L and DIR-818LW models on Realtek RTL819X chipsets prominently affected. The campaign was first observed on March 12, 2026, with activity spreading from 107.150.106.14 using a Linux ELF sample that reportedly had zero VirusTotal detections at the time.
AryStinger primarily exploits long-known vulnerabilities in obsolete or unsupported devices rather than novel exploit chains. Reported infection vectors include CVE-2013-3307 and CVE-2016-5681 against older Linksys and D-Link routers, and a later observed Go-based variant targeting QNAP NAS devices via CVE-2025-11837 in QNAP Malware Remover. Researchers described two variants: a C-based router-focused build optimized for low-resource RTL819X devices, and a more capable Go-based NAS-focused build.
Its functionality is oriented toward pre-intrusion operations rather than classic DDoS or cryptomining botnet activity. Reported capabilities include port scanning, service identification, subdomain enumeration, DNS scanning, traffic tunneling and proxying, remote command execution, and distributed task execution across infected nodes. The NAS variant was reported to support broader reconnaissance and payload execution, including shell commands and attacker-supplied Go, Java, and Python code, and to integrate tools such as fscan, ksubdomain, httpx, and Tlsx. XLab described infected devices as remotely controlled "Executors" that receive tasks from command-and-control infrastructure and return results, while also helping operators conceal their true origin behind victim network connections.
AryStinger communicates with command-and-control servers over HTTP and HTTPS using Protocol Buffers with XOR obfuscation; some reporting also notes gzip compression in the NAS variant. A hardcoded XOR key, "sh_#@!_2024_secret", was reported. Persistence mechanisms observed include installation of an SSH backdoor using Dropbear on routers, listening on port 2332, use of gs-netcat on NAS devices, and modification of device configuration for long-term control. Reported indicators and artifacts include domains such as ajb8.com, dataexplore.cc, and dataexplore.co, specific C2 hosts including eixfi[.]ajb8.com and dybic[.]ajb8.com, downloader activity from hgodpcx[.]ajb8.com and hgodpcx[.]auq8.com, binaries or files under /tmp/bin, and processes named syswapd0, syswapd0h, or syswapd0w.
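As an added illustration (not code from XLab or any of the reports), the following hunting helpers check constructed host and DNS telemetry for the artifacts named in this paragraph (the syswapd0* process names, binaries under /tmp/bin, a listener on port 2332, and lookups under the reported domains) and include a repeating-key XOR routine with the reported key for examining the obfuscated C2 traffic noted under Stealth. The log formats and the assumption that the obfuscation is plain repeating-key XOR are my own; the reporting names the key, not the byte layout.

```python
import re

# Indicators quoted from the public reporting summarised above.
PROCESS_NAMES = {"syswapd0", "syswapd0h", "syswapd0w"}
STAGING_DIR = "/tmp/bin"
BACKDOOR_PORT = 2332
C2_DOMAINS = ("ajb8.com", "auq8.com", "dataexplore.cc", "dataexplore.co")
XOR_KEY = b"sh_#@!_2024_secret"

def hunt_processes(ps_lines):
    """Rows of 'ps -eo pid,comm,args': flag reported names or binaries under /tmp/bin."""
    hits = []
    for line in ps_lines:
        pid, comm, args = line.split(None, 2)
        if comm in PROCESS_NAMES or args.startswith(STAGING_DIR + "/"):
            hits.append((int(pid), comm))
    return hits

def hunt_listeners(ss_lines):
    """Rows of 'ss -ltnp': flag any listener on the reported backdoor port."""
    pat = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')
    hits = []
    for line in ss_lines:
        m = pat.search(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append((int(m.group(3)), m.group(2)))
    return hits

def hunt_dns(query_log):
    """Rows of 'timestamp client qname': flag lookups under the reported C2 domains."""
    hits = []
    for line in query_log:
        qname = line.split()[-1].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append(qname)
    return hits

def xor_with_key(data, key=XOR_KEY):
    """Repeating-key XOR with the reported key; XOR is its own inverse, so one call
    both obfuscates and de-obfuscates. The byte layout is an assumption, not reported."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample telemetry, not captured from a real device.
SAMPLE_PS = ["1 init /sbin/init", "871 syswapd0 /tmp/bin/syswapd0",
             "902 dropbear /tmp/bin/dropbear -p 2332", "915 httpd /usr/sbin/httpd"]
SAMPLE_SS = ['LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=915,fd=3))',
             'LISTEN 0 128 0.0.0.0:2332 0.0.0.0:* users:(("dropbear",pid=902,fd=4))']
SAMPLE_DNS = ["2026-03-13T04:01:02Z 192.0.2.10 eixfi.ajb8.com.",
              "2026-03-13T04:01:05Z 192.0.2.10 time.example.org.",
              "2026-03-13T04:02:11Z 192.0.2.11 hgodpcx.auq8.com."]
```

A de-obfuscated C2 message should parse as a Protocol Buffers wire-format payload; if the result is still opaque, the scheme on the sample differs from the plain repeating-key assumption above.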
XLab has not attributed AryStinger to a known threat actor. Multiple reports note that its operational pattern resembles operational relay box or router-proxy infrastructures used to support follow-on intrusion activity.
Vulnerabilities exploited
3 CVEs have been correlated with this family across public research and vendor advisories.
The campaign first came to light on March 12, 2026, when a network-wide threat monitoring system flagged a suspicious IP address spreading a malware sample through two known router vulnerabilities, CVE-2013-3307 and CVE-2016-5681.
The team later captured a related sample on April 26 targeting NAS devices, spread through CVE-2025-11837.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (4 techniques)
Infected routers can scan the internet for targets, identify exposed services or entry points, enumerate subdomains, tunnel traffic, and execute operator commands.
The botnet supports port scanning, service identification, subdomain enumeration, and traffic tunneling...
Each infected router becomes what XLab calls an Executor: a node that receives scan tasks, executes them in parallel with other nodes... The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution.
Initial Access (3 techniques)
Default logins invite trouble - switching them strengthens access control.
The malware then installs an SSH backdoor, modifying configurations to maintain long-term control.
Starting March 12, XLab researchers saw the botnet spread from a single IP, 107.150.106.14, pushing a Linux ELF sample with zero VirusTotal detections through two nearly decade-old vulnerabilities: CVE-2013-3307, affecting Linksys models, and CVE-2016-5681, affecting D-Link models.
Execution (1 technique)
Persistence (4 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques)
Obfuscated communication: AryStinger uses HTTP and HTTPS, with Protocol Buffers and XOR-obfuscated data. A quick packet capture will not show clear command text moving between the device and its control servers.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (3 techniques)
This newer variant adds further functions: it scans IPs and DNS entries, runs commands remotely, drops payloads, and explores local networks.
Lateral Movement (2 techniques)
Collection (1 technique)
Command and Control (4 techniques)
Unlike typical router botnets, which launch DDoS attacks, AryStinger acts as the reconnaissance and proxy network before threat actors launch attacks... XLab said the botnet's covert infrastructure allows threat actors to obfuscate their true locations while gathering information on future targets.
IOCs tracked for this family
80 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
AryStinger is a malware family targeting routers and NAS devices, used to build a covert proxy and reconnaissance infrastructure. It registers infected devices with C2, distributes scanning tasks, supports port scanning, service identification, subdomain enumeration, traffic tunneling, intranet scanning, and script execution, and establishes persistent remote access via Dropbear or gs-netcat.
A Linux malware family targeting outdated Realtek RTL819X-based routers and NAS devices to build a covert reconnaissance and intrusion-support infrastructure. It performs distributed scanning, service identification, subdomain enumeration, traffic tunneling, and covert task execution, while using infected devices as relay/executor nodes. The NAS-focused Go variant also supports attacker-supplied Shell, Go, Java, and Python code execution.
A malware family targeting end-of-life routers and QNAP NAS devices to build a distributed reconnaissance and proxy network. It performs internet and internal network scanning, service fingerprinting, subdomain enumeration, traffic tunneling, command execution, and can distribute scanning tasks across infected nodes while relaying operator traffic through compromised devices.
Botnet targeting outdated routers and some NAS devices. It turns compromised devices into remotely managed proxies used for scanning, traffic tunneling, distributed reconnaissance, DNS setting changes, browser traffic redirection, and potential interception or theft of network traffic. A Go-based NAS variant can also execute commands, launch additional payloads, perform IP/DNS scanning, and conduct local network reconnaissance.