
4,300+ Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger malware

Medium
Published: 06/22/2026 (06/22/2026, 09:34:31 UTC)
Source: Reddit Cybersecurity

Description

AryStinger is a malware family that hijacks over 4,300 outdated routers built on Realtek RTL819X chips, primarily D-Link DIR-850L devices, to create a stealthy reconnaissance and intrusion support network. It exploits old vulnerabilities disclosed in 2013 and 2016 to install a lightweight Linux binary that performs distributed scanning and information gathering without typical malicious activities like file encryption or cryptocurrency mining. A second, more capable Go-based build targets NAS devices via a 2025 code injection vulnerability. The malware communicates with its command and control infrastructure using obfuscated protocols and establishes persistence via Dropbear SSH. The infected routers act as Executors that perform parallel scanning tasks, enabling efficient network footprinting. The infection is concentrated mainly in South Korea and China but also affects other countries. The malware's low detection rate and use of legacy hardware with no firmware updates pose ongoing risks to privacy, enterprise security, and national infrastructure.

Reddit Discussion

r/cybersecurity·posted by u/sunychoudhary

AryStinger hijacks outdated routers via old flaws, turning 4,300+ devices into a stealth network for reconnaissance and intrusion support.

https://securityaffairs.com/193987/security/4300-outdated-routers-hijacked-in-stealthy-spy-infrastructure-by-arystinger-malware.html

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/22/2026, 10:24:12 UTC

Technical Analysis

AryStinger malware exploits two old vulnerabilities (CVE-2013-3307 and CVE-2016-5681) to infect routers based on Realtek RTL819X chips, mainly D-Link DIR-850L models, turning them into nodes for distributed reconnaissance and intrusion support. The malware does not perform destructive actions like encryption or mining but focuses on port scanning, service identification, and subdomain enumeration. It communicates with its C2 servers using HTTP with Protobuf-encoded and XOR-obfuscated traffic and maintains persistence by installing Dropbear SSH on port 2332. A second Go-based variant targets NAS devices via CVE-2025-11837, enabling execution of attacker-supplied source code in multiple languages. The distributed task architecture allows efficient scanning by dividing tasks among infected devices. The infection base exceeds 4,300 routers worldwide, with a significant presence in South Korea (48%) and China (32%). The malware has a very low detection rate in mainstream security tools, and the underlying hardware has not received firmware updates since 2015, making remediation challenging. The threat is ongoing and poses risks to personal privacy, enterprise security, and national security.

Potential Impact

The malware compromises over 4,300 outdated routers, primarily D-Link DIR-850L devices, turning them into a covert network infrastructure for reconnaissance and intrusion support. This enables attackers to perform large-scale network scanning, service identification, and subdomain enumeration while hiding their true location. The infected devices act as persistent relay nodes, potentially exposing personal, enterprise, and national network environments to espionage and further attacks. The low detection rate and use of legacy hardware with no firmware updates increase the risk of prolonged undetected compromise. The malware's capabilities could facilitate subsequent intrusions and intelligence gathering, posing a medium-level threat to affected networks.

Mitigation Recommendations

No official patch is available for the underlying vulnerabilities in the affected routers; the hardware has not received firmware updates since 2015. The recommended mitigation is to retire and replace outdated routers that no longer receive security updates. Until that happens, network defenders should monitor for, and block or sinkhole at the resolver, outbound connections to known AryStinger C2 domains such as ajb8.com, dataexplore.cc, and dataexplore.co. On suspect devices, check for unexpected binaries in /tmp/bin, for processes named syswapd0h or syswapd0w, and for a Dropbear SSH listener on TCP port 2332, which the malware installs for persistence. Because the malware's detection rate in mainstream security tools is very low, the absence of an antivirus alert is not evidence that a device is clean. Because the malware targets legacy hardware with no vendor support, hardware replacement is the most effective long-term remediation.
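As an added example (not code from the article, from the analysis above, or from the malware itself), the following Python script turns the indicators listed in the Technical Analysis and Mitigation Recommendations into two concrete checks: a sweep of a DNS query log for lookups of the named C2 domains (including their subdomains, while ignoring lookalike names that merely end in the same string), and a parser for busybox `ps` and `netstat -ltn` output captured from a router that looks for the named process names, anything executing out of /tmp/bin, and a TCP listener on port 2332. The BIND-style query-log format, the busybox column layout, and all sample data are constructed assumptions; adapt the regex and parsers to your own resolver and firmware.

```python
import os
import re
from collections import defaultdict

# Indicators quoted from the advisory above. Everything else in this file is
# constructed illustration, not data from the article or the malware.
C2_DOMAINS = {"ajb8.com", "dataexplore.cc", "dataexplore.co"}
SUSPECT_PROCS = {"syswapd0h", "syswapd0w"}
SUSPECT_DIR = "/tmp/bin"
DROPBEAR_PORT = 2332

# Assumed BIND-style query-log line; adapt the pattern to your resolver's format.
DNS_QUERY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN"
)


def matches_c2(qname: str) -> bool:
    """True if qname is a C2 domain or a subdomain of one.
    The dot before the suffix keeps a lookalike such as
    'notdataexplore.co' from being reported as a hit."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan_dns_log(lines):
    """Map each client IP to the C2 names it looked up."""
    hits = defaultdict(list)
    for line in lines:
        m = DNS_QUERY.search(line)
        if m and matches_c2(m.group("qname")):
            hits[m.group("src")].append(m.group("qname"))
    return dict(hits)


def suspicious_processes(ps_output: str):
    """Parse busybox 'ps' output (PID USER VSZ STAT COMMAND) and return the
    command lines that use the malware's process names or run out of /tmp/bin."""
    found = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        cmd = parts[4]
        exe = cmd.split()[0]
        if os.path.basename(exe) in SUSPECT_PROCS or exe.startswith(SUSPECT_DIR + "/"):
            found.append(cmd)
    return found


def dropbear_listener(netstat_output: str) -> bool:
    """True if 'netstat -ltn' output shows a TCP listener on the Dropbear port."""
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            if f[3].rsplit(":", 1)[-1] == str(DROPBEAR_PORT):
                return True
    return False


def assess(dns_lines, ps_output, netstat_output):
    """Combine the three checks into one verdict for a device."""
    result = {
        "c2_lookups": scan_dns_log(dns_lines),
        "suspect_processes": suspicious_processes(ps_output),
        "dropbear_2332": dropbear_listener(netstat_output),
    }
    result["likely_infected"] = bool(
        result["c2_lookups"] or result["suspect_processes"] or result["dropbear_2332"]
    )
    return result


# Constructed sample data (not real captures). The last DNS line is a lookalike
# domain that must NOT be flagged.
SAMPLE_DNS_LOG = [
    "22-Jun-2026 09:12:01.004 client @0x7f3a 192.168.1.50#51234 (ajb8.com): query: ajb8.com IN A +E(0) (192.168.1.1)",
    "22-Jun-2026 09:12:03.210 client @0x7f3a 192.168.1.50#51240 (api.dataexplore.cc): query: api.dataexplore.cc IN A +E(0) (192.168.1.1)",
    "22-Jun-2026 09:12:05.771 client @0x7f3a 192.168.1.77#40011 (www.example.com): query: www.example.com IN A +E(0) (192.168.1.1)",
    "22-Jun-2026 09:12:07.002 client @0x7f3a 192.168.1.77#40012 (notdataexplore.co): query: notdataexplore.co IN A +E(0) (192.168.1.1)",
]
SAMPLE_PS = """\
PID   USER     VSZ STAT COMMAND
    1 root     1200 S    init
  312 root     2600 S    /usr/sbin/httpd
  880 root     1900 S    /tmp/bin/syswapd0h
  881 root     1900 S    syswapd0w -c 7
  900 root      900 S    /tmp/bin/dropbear -p 2332"""
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2332            0.0.0.0:*               LISTEN
tcp        0      0 :::53                   :::*                    LISTEN"""

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_DNS_LOG, SAMPLE_PS, SAMPLE_NETSTAT), indent=2))
```

On a real router the `ps` and `netstat` text would come from a serial console or an existing admin SSH session, and the DNS lines from whatever resolver the LAN actually uses; a hit on any one of the three checks is enough to pull the device for replacement rather than cleaning, since the firmware cannot be patched.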


Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":30,"reasons":["external_link","newsworthy_keywords:malware","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["malware"],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a390d44eed863c81ea61c0c

Added to database: 06/22/2026, 10:24:04 UTC

Last enriched: 06/22/2026, 10:24:12 UTC

Last updated: 06/22/2026, 18:39:06 UTC

Views: 30

