Quick Takeaways
- A new malware, AryStinger, hijacks outdated home routers (2012-2015 Realtek chips) to create a covert reconnaissance network, targeting at least 4,300 devices mainly in South Korea and China.
- AryStinger infects devices by exploiting old vulnerabilities (CVE-2013-3307, CVE-2016-5681) and a newer QNAP flaw (CVE-2025-11837), then uses them for network scanning, traffic tunneling, and remote command execution while evading detection.
- Infected routers serve as passive nodes for fingerprinting, subdomain enumeration, and command execution, significantly enhancing the attacker’s ability to probe and compromise wider networks.
The Threat, Techniques, and Targets
The AryStinger malware infects over 4,300 routers, mainly those built with Realtek RTL819X chips from around 2012 to 2015. It is used to create a proxy and reconnaissance network. Unlike typical botnets used for DDoS attacks, AryStinger focuses on gathering information before attacking. It scans the internet, fingerprints services, enumerates subdomains, tunnels traffic, and executes commands. The malware operates on infected routers and NAS devices.
AryStinger comes in two builds. The lightweight build runs on routers and performs DNS scans and tunneling. The fuller build runs on NAS devices and performs detailed network scans, runs tools, and executes code. Both communicate with command-and-control servers over obfuscated HTTP or HTTPS traffic. The infection spreads through old vulnerabilities, such as CVE-2013-3307 in Linksys and CVE-2016-5681 in D-Link devices. A second strain exploits a flaw in QNAP NAS machines, CVE-2025-11837.
Most infected devices are D-Link models, especially the DIR-850L. The infections are concentrated in South Korea and China, but also appear in Sweden, Malaysia, and Singapore.
Impact, Security Implications, and Remediation
AryStinger can turn routers into hidden parts of a larger attack and reconnaissance network. This can help bad actors gather information or launch further attacks. Because the malware persists by maintaining access through SSH or other tools, it can remain hidden for a long time.
The main security concern is that outdated hardware and firmware are still vulnerable, giving attackers an easy way to get inside networks. Organizations should check for outbound connections to known command-and-control servers and look for unusual processes or files on affected devices. If any infected equipment is found, the best step is to retire or replace outdated routers and disable remote management features.
Since the malware exploits old vulnerabilities, users should consult the device vendors or security authorities for specific guidance on patching or mitigation measures. It is critical to act quickly to remove any infected devices and strengthen network defenses against such threats.
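A starting point for the outbound-connection check described above, as an added example that is not from the report or any vendor tool. It assumes firewall logs in a simple key=value form; the device inventory, allowlist, C2 watchlist and log lines are constructed placeholders, since the report publishes no indicators:

```python
import re

# Embedded devices that should never open arbitrary outbound HTTP(S) sessions
# (constructed inventory; ip -> model label). 10.0.0.3 is a control host.
DEVICE_INVENTORY = {
    "10.0.0.1": "D-Link DIR-850L",
    "10.0.0.2": "QNAP NAS",
    "10.0.0.3": "Workstation",
}
EMBEDDED = {"10.0.0.1", "10.0.0.2"}
# Destinations an embedded device legitimately reaches (placeholders for
# vendor update and NTP servers).
ALLOWLIST = {"203.0.113.10", "203.0.113.11"}
# Real C2 addresses would come from a vendor advisory; placeholder only.
C2_WATCHLIST = {"198.51.100.7"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (severity, src, dst, reason) findings for allowed outbound flows."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["action"] != "allow":
            continue  # malformed or already blocked: nothing to triage
        src, dst, dport = ev["src"], ev["dst"], int(ev["dport"])
        if dst in C2_WATCHLIST:
            findings.append(("high", src, dst, "destination on C2 watchlist"))
        elif src in EMBEDDED and dport in (80, 443) and dst not in ALLOWLIST:
            findings.append(("medium", src, dst,
                             f"{DEVICE_INVENTORY[src]} made outbound HTTP(S) "
                             "to a non-allowlisted host"))
    return findings

# Constructed sample log: one benign router flow, one router flow to an unknown
# host, one NAS flow to the watchlisted address, one workstation flow, one deny.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z src=10.0.0.1 dst=203.0.113.10 dport=443 action=allow
2024-01-01T00:00:02Z src=10.0.0.1 dst=192.0.2.55 dport=443 action=allow
2024-01-01T00:00:03Z src=10.0.0.2 dst=198.51.100.7 dport=80 action=allow
2024-01-01T00:00:04Z src=10.0.0.3 dst=192.0.2.55 dport=443 action=allow
2024-01-01T00:00:05Z src=10.0.0.1 dst=192.0.2.56 dport=443 action=deny
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Medium findings are the useful ones in practice: an old router reaching an unknown host over HTTPS is worth a look even before any C2 address is published.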
