AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly discovered botnet called AryStinger has quietly hijacked more than 4,300 routers across the globe, turning them into a silent army of attack proxies.

The threat actors behind this campaign are exploiting decade-old vulnerabilities to build a covert reconnaissance infrastructure, and what makes it particularly alarming is how well it manages to stay hidden from traditional security tools.

The campaign first came to light on March 12, 2026, when a network-wide threat monitoring system flagged a suspicious IP address spreading a malware sample through two known router vulnerabilities, CVE-2013-3307 and CVE-2016-5681.

These flaws affect several Linksys and D-Link router models that are more than ten years old. At the time of discovery the sample had zero detections on the major security scanning platforms the researchers checked.

Researchers from Qianxin XLab said in a report shared with Cyber Security News (CSN) that they identified and documented this unusual attack campaign, noting that it targets router devices built on the RTL819X series chips, which were most widely used between 2012 and 2015.

The team later captured a related sample on April 26 targeting NAS devices, spread through CVE-2025-11837. Based on its source code path and behavior, they named this new malware family AryStinger.

Unlike typical botnets that focus on DDoS attacks or mining cryptocurrency, AryStinger is built for something far more calculated. It is designed to quietly gather information and serve as a launch pad for deeper intrusions.

The infected router becomes a ghost node, helping attackers hide their real location while conducting reconnaissance on other networks.

The hardcoded encryption key found inside AryStinger reads “sh_#@!_2024_secret,” hinting that this campaign may have been active since at least 2024.

Subsequent task dispatch (Source – Qianxin)

The full scale of the operation remains unknown, since current infection counts only cover RTL819X routers and do not yet reflect how many NAS devices may also be compromised.

AryStinger Botnet Hijacks 4,300+ Routers

Once AryStinger infects a router, it registers the device with a command-and-control server by sending device fingerprint data including MAC address, IP addresses, operating system version, and CPU architecture.

This data is serialized with Protobuf and XOR-encrypted with the hardcoded key before transmission. The server then assigns each infected device a unique Executor ID, turning it into a managed node in the botnet.

Each infected node, called an Executor, receives a small piece of a larger scanning task. The attacker distributes these chunks across hundreds of devices simultaneously, enabling fast and distributed reconnaissance across the internet.

XOR decryption and Protobuf deserialization (Source – Qianxin)
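The decryption and deserialization step shown in the figure, as an added example that is not code from XLab's report: the beacon is stripped of its repeating-key XOR layer and then walked as raw Protobuf wire format, which needs no .proto schema. The field layout used for the constructed sample (1 = MAC, 2 = IP, 3 = OS version, 4 = CPU architecture) is a hypothetical one chosen to mirror the fingerprint fields the article lists; the real message schema is not published here. The key follows the article body; the IoC table spells it without the underscore after "!", so try both against real captures.

```python
"""Decode an AryStinger-style registration beacon (added example, not XLab code):
XOR with the hardcoded key, then schema-less Protobuf wire-format decoding.
Field numbers in the sample are a hypothetical layout, not the real schema."""
from __future__ import annotations

KEY = b"sh_#@!_2024_secret"  # hardcoded key reported by XLab (spelling per article body)

# Protobuf wire types, per the protobuf encoding specification.
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def xor_crypt(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Read a base-128 varint starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def _encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if not n:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_protobuf(buf: bytes) -> list[tuple[int, int, object]]:
    """Schema-less decode into (field_number, wire_type, value) triples.
    Length-delimited values come back as raw bytes; the caller decides whether
    they are strings, nested messages or packed repeated fields."""
    fields: list[tuple[int, int, object]] = []
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == VARINT:
            value, pos = _read_varint(buf, pos)
        elif wtype in (FIXED64, FIXED32):
            width = 8 if wtype == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wtype == LENGTH_DELIMITED:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = buf[pos:pos + length]
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((field, wtype, value))
    return fields


def encode_string_field(field: int, text: str) -> bytes:
    """Encode one length-delimited string field (used to build the sample)."""
    data = text.encode()
    return _encode_varint((field << 3) | LENGTH_DELIMITED) + _encode_varint(len(data)) + data


def build_sample_beacon() -> bytes:
    """Constructed sample, not a real capture: a fingerprint message in the
    hypothetical layout above, XOR-encrypted as it would travel to the C2."""
    plain = b"".join([
        encode_string_field(1, "00:11:22:33:44:55"),   # MAC address
        encode_string_field(2, "192.0.2.10"),          # IP address
        encode_string_field(3, "Linux 2.6.30"),        # OS version
        encode_string_field(4, "mips"),                # CPU architecture
    ])
    return xor_crypt(plain)


def parse_beacon(wire: bytes) -> dict[int, str]:
    """Decrypt and decode a beacon into {field_number: text}."""
    parsed = {}
    for field, wtype, value in decode_protobuf(xor_crypt(wire)):
        parsed[field] = value.decode("utf-8", "replace") if wtype == LENGTH_DELIMITED else str(value)
    return parsed


def looks_like_beacon(wire: bytes) -> bool:
    """Traffic-hunting heuristic: a blob that XOR-decrypts under the key into a
    well-formed Protobuf message is a strong candidate for AryStinger C2 traffic.
    Random data almost always trips a truncated or over-long varint instead."""
    try:
        return bool(decode_protobuf(xor_crypt(wire)))
    except ValueError:
        return False


if __name__ == "__main__":
    beacon = build_sample_beacon()
    print(looks_like_beacon(beacon), parse_beacon(beacon))
```

Because every key byte is below 0x80, ciphertext of a Protobuf message keeps the varint continuation bits of the plaintext intact under the key and nothing else, which is what makes `looks_like_beacon` usable as a first-pass filter over captured TCP payloads before any schema work.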

The botnet supports port scanning, service identification, subdomain enumeration, and traffic tunneling, all while keeping the attacker’s true identity hidden.

The infected devices are predominantly D-Link DIR-850L routers, accounting for about 75 percent of all known infections. South Korea holds the highest share at 48.45 percent, followed by China at 31.82 percent, Sweden at 6.40 percent, Malaysia at 3.50 percent, and Singapore at 2.50 percent.

Two Versions, One Dangerous Goal

AryStinger comes in two distinct versions that share the same core logic. The RTL819X version is written in C and is a lean build made specifically for old routers, focusing mainly on DNS scanning and tunnel functionality.

The Standard version is written in Go and targets NAS devices, with a broader feature set including intranet scanning, script execution, and the ability to run payloads written in Go, Java, or Python.

The Standard version’s ScriptWork feature is particularly flexible, allowing attackers to send raw code directly to infected devices without compiling separate binaries for different platforms.

Both versions establish persistent backdoors on infected devices, either through dropbear, a lightweight SSH server common on embedded Linux, or through gs-netcat, a netcat-style tool that tunnels connections through the Global Socket relay network, giving attackers long-term remote access.

Security researchers strongly recommend that users check their network traffic for any communication with the IoC domains in this report.

Users should also inspect the /tmp/bin directory on their device for unknown files, and verify whether processes named syswapd0h or syswapd0w are actively running.

Any router whose firmware has not received updates in years should be replaced or taken offline without delay.
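The three checks above (IoC domains in traffic logs, unknown files in /tmp/bin, the syswapd0h/syswapd0w processes) plus a look for the dropbear/gs-netcat footholds, as an added example that is not tooling from XLab's report. Indicator values are the ones in this article's IoC table and are left fanged because the code must match them literally; the log lines, process listing and directory listing are constructed samples, not real captures. Most RTL819X firmware has no Python, so export `ps`, `ls -1 /tmp/bin` and resolver logs from the device and run this on an analysis host.

```python
"""Triage helpers for the AryStinger checks (added example, not XLab tooling).
Indicators are from this article's IoC table; the samples at the bottom are
constructed inputs, not real captures."""
from __future__ import annotations

import hashlib
import re

# Exact hostnames from the IoC table, plus the registered domains under which
# several AryStinger subdomains sit, matched as suffixes to catch new ones.
IOC_HOSTS = {
    "opi7.com", "xook.ajb8.com", "xonice.ahb8.com", "eixfi.ajb8.com",
    "dybic.ajb8.com", "sdkv1.dataexplore.cc", "sdkv1.dataexplore.co",
    "hgodpcx.auq8.com", "hgodpcx.ajb8.com", "io.ary2.com",
}
IOC_SUFFIXES = {"opi7.com", "ajb8.com", "ahb8.com", "auq8.com", "ary2.com",
                "dataexplore.cc", "dataexplore.co"}
# Subset of the MD5 hashes from the IoC table; extend with the full list.
IOC_MD5 = {
    "abae20b26b70b526bebb5e2617092ede",  # RTL819X syswapd0 V2.0.28
    "a5101caf0a1789d6a4bc30e644d6b152",  # Standard syswapd0-linux-amd64 V1.0.102
    "e6b27080aa1ce1901a23dd75716d9092",  # nat_tunnel-linux-x86_64
}
KNOWN_BAD_FILES = {"nat_tunnel-linux-x86_64"}
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def ioc_hostname(host: str) -> str | None:
    """Return the matching indicator (exact host or parent domain), else None."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return host
    for suffix in IOC_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def scan_log(lines) -> list[tuple[int, str, str]]:
    """(line_no, hostname, indicator) for every IoC hostname found in any text
    log that carries hostnames (dnsmasq, Squid, Zeek dns.log)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            indicator = ioc_hostname(host)
            if indicator:
                hits.append((n, host.lower(), indicator))
    return hits


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def suspicious_processes(ps_output: str) -> list[tuple[int, str]]:
    """(pid, command) for processes whose binary name starts with syswapd0.
    Scans every token so BusyBox and procps column layouts both work."""
    found = []
    for line in ps_output.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        for token in parts[1:]:
            if _basename(token).startswith("syswapd0"):
                found.append((int(parts[0]), token))
                break
    return found


def persistence_candidates(ps_output: str) -> list[str]:
    """Process lines running dropbear or gs-netcat. dropbear is legitimate on
    many routers, so compare each hit against the device's expected SSH setup
    (enabled at all? which port?) rather than treating it as proof."""
    return [line.strip() for line in ps_output.splitlines()
            if any(_basename(t) in ("dropbear", "gs-netcat") for t in line.split())]


def triage_tmp_bin(listing: str, allowlist=frozenset()) -> list[tuple[str, str]]:
    """Verdict per name in an `ls -1 /tmp/bin` listing: known-bad, allowed or
    unknown. A stock router keeps nothing it needs in /tmp/bin."""
    verdicts = []
    for name in listing.split():
        if name.startswith("syswapd0") or name in KNOWN_BAD_FILES:
            verdicts.append((name, "known-bad"))
        elif name in allowlist:
            verdicts.append((name, "allowed"))
        else:
            verdicts.append((name, "unknown"))
    return sorted(verdicts)


def md5_is_known_sample(data: bytes) -> str | None:
    """MD5 of a recovered binary if it is in the IoC list, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in IOC_MD5 else None


# Constructed samples (not real captures) so the module runs offline.
SAMPLE_DNS_LOG = """\
Apr 27 10:02:11 dnsmasq[612]: query[A] www.example.com from 192.168.1.23
Apr 27 10:02:15 dnsmasq[612]: query[A] xook.ajb8.com from 192.168.1.1
Apr 27 10:03:40 dnsmasq[612]: query[A] newsub.auq8.com from 192.168.1.1
Apr 27 10:04:02 dnsmasq[612]: query[A] sdkv1.dataexplore.cc from 192.168.1.1
"""
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1408 S    init
  211 root      1504 S    /sbin/dropbear -p 2222
  823 root      2120 S    /tmp/bin/syswapd0h
  901 root      1316 S    /bin/sh
"""
SAMPLE_TMP_BIN = "syswapd0h\nnat_tunnel-linux-x86_64\nhelper\n"
```

Note that the sample log's third line hits on `newsub.auq8.com`, a subdomain the IoC table does not list: matching the registered domain is deliberate, since the operators already rotate subdomains under ajb8.com, auq8.com and dataexplore.cc/.co, and a resolver query for any of those parents from the router's own address is worth a look.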

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 107[.]150[.]106[.]14 | Scanner IP used to spread AryStinger via CVE-2013-3307 and CVE-2016-5681 |
| C2 Domain | hxxp://opi7[.]com | AryStinger command-and-control server |
| C2 Domain | hxxp://xook[.]ajb8[.]com | AryStinger command-and-control server |
| C2 Domain | hxxp://xonice[.]ahb8[.]com | AryStinger command-and-control server |
| C2 Domain | hxxp://eixfi[.]ajb8[.]com | AryStinger command-and-control server |
| C2 Domain | hxxps://dybic[.]ajb8[.]com | AryStinger Standard version C2 |
| C2 Domain | hxxps://sdkv1[.]dataexplore[.]cc | AryStinger Tunnel C2 |
| C2 Domain | hxxps://sdkv1[.]dataexplore[.]co | AryStinger Tunnel C2 |
| Downloader Domain | hgodpcx[.]auq8[.]com | Downloader server for AryStinger Standard version |
| Downloader Domain | hgodpcx[.]ajb8[.]com | Downloader server for AryStinger RTL819X version |
| Downloader Domain | io[.]ary2[.]com | Additional downloader domain |
| URL | hxxps://hgodpcx[.]ajb8[.]com/prod/RTL819X/{version}/manifest.json | RTL819X version manifest URL |
| URL | hxxps://hgodpcx[.]ajb8[.]com/prod/standard/{version}/manifest.json | Standard version manifest URL |
| URL | hxxp://hgodpcx[.]ajb8[.]com/prod/RTL819X/{version}/syswapd0 | RTL819X sample download URL |
| URL | hxxps://hgodpcx[.]ajb8[.]com/prod/standard/{version}/syswapd0-linux-amd64 | Standard sample download URL |
| MD5 Hash | abae20b26b70b526bebb5e2617092ede | AryStinger RTL819X syswapd0 V2.0.28 |
| MD5 Hash | 4c80d17fa5db5b1c2aaddb5351e9cb6b | AryStinger RTL819X syswapd0 V2.0.27 |
| MD5 Hash | a5101caf0a1789d6a4bc30e644d6b152 | AryStinger Standard syswapd0-linux-amd64 V1.0.102 |
| MD5 Hash | df0c9f6289e56f31c0700f40590857d3 | AryStinger RTL819X syswapd0 V2.0.19 |
| MD5 Hash | 8e55d712a99d2cd45e8592c6dda5110 | AryStinger RTL819X syswapd0 V2.0.21 (31 hex characters as published; an MD5 has 32, so this value is likely truncated) |
| MD5 Hash | 0ba24db187836efe77ed7e75d279d33 | AryStinger RTL819X syswapd0 V2.0.3 (31 hex characters as published; an MD5 has 32, so this value is likely truncated) |
| MD5 Hash | 6f761f63642cd6329a29cfad80be50c3 | AryStinger RTL819X syswapd0 V2.0.4 |
| MD5 Hash | dbcc5a3e6afe41060d6357e24dc03fd3 | AryStinger RTL819X syswapd0 V2.0.5 |
| MD5 Hash | a97e552f5e655e1cfa56853f65beeb0e | AryStinger RTL819X syswapd0 V2.0.6 |
| MD5 Hash | c113739225ece5f6e4805466dec1401d | AryStinger RTL819X syswapd0 V2.0.7 |
| MD5 Hash | 0a2d2a4ec1ca2aa6a23a35abb5a75451 | AryStinger RTL819X syswapd0 V2.0.8 |
| MD5 Hash | dd1e5a3cd9f842bd70be45a62c3ebbf6 | AryStinger RTL819X syswapd0 V2.0.9 |
| MD5 Hash | 16fed5909de4f50351fc33fbfcf156df | AryStinger RTL819X syswapd0 V2.0.10 |
| MD5 Hash | 6f91d1f8f0cbaab137351936b52f7a94 | AryStinger RTL819X syswapd0 V2.0.11 |
| MD5 Hash | fc4cee066d8526f5806bb23278f647da | AryStinger RTL819X syswapd0 V2.0.12 |
| MD5 Hash | 7b361a6d0d42309d09ec9000b53712b3 | AryStinger RTL819X syswapd0 V2.0.13 |
| MD5 Hash | 18f894a3168ee0b809eed321a2e748b4 | AryStinger RTL819X syswapd0 V2.0.14 |
| MD5 Hash | 0627f034c42549e2130734b5f8dbf854 | AryStinger RTL819X syswapd0 V2.0.15 |
| MD5 Hash | b9406e969cdfdaef433e93d0b9ad1f5d | AryStinger RTL819X syswapd0 V2.0.16 |
| MD5 Hash | f093891e281bcd9c8016dea7d89cc671 | AryStinger RTL819X syswapd0 V2.0.17 |
| MD5 Hash | 9221423d7daff9e64f7e2af54f911fea | AryStinger RTL819X syswapd0 V2.0.18 |
| MD5 Hash | 7f2b2e3516fa454adfd51f857ae80adf | AryStinger RTL819X syswapd0 V2.0.20 |
| MD5 Hash | dbdd4d8e4aef3ce69cf65ed470425c89 | AryStinger RTL819X syswapd0 V2.0.21 (a second hash is listed above under the same version label, as published) |
| MD5 Hash | d79270ba44e665ebb0383eb77a52e38b | AryStinger RTL819X syswapd0 V2.0.22 |
| MD5 Hash | 36ff9f683e870145aaf5a715bc934762 | AryStinger RTL819X syswapd0 V2.0.23 |
| MD5 Hash | dc35086ba0f5f83545c32a023a1f3be4 | AryStinger RTL819X syswapd0 V2.0.24 |
| MD5 Hash | 7461445fca3f9d8911148e0908d33c3b | AryStinger RTL819X syswapd0 V2.0.25 |
| MD5 Hash | a3181550e0e0a6153a44b7a0495535b0 | AryStinger RTL819X syswapd0 V2.0.26 |
| MD5 Hash | fffcbd0ac2cb545496890f50395181ff | AryStinger RTL819X syswapd0 V2.0.29 |
| MD5 Hash | a3e3197e2344c51e95c063541ea22205 | AryStinger RTL819X syswapd0 V2.0.30 |
| MD5 Hash | e9916ff56074725f5739ead5091fe6c7 | AryStinger RTL819X syswapd0 V2.0.31 |
| MD5 Hash | ff11e000f377c54dea928b09ebad9df8 | AryStinger Standard syswapd0-linux-amd64 V1.0.61 |
| MD5 Hash | fcc9de5c040307e6ac3011e8b379f6d9 | AryStinger Standard syswapd0-linux-amd64 V1.0.62 |
| MD5 Hash | ed9209111b995cbe78f8e097c289f127 | AryStinger Standard syswapd0-linux-amd64 V1.0.63 |
| MD5 Hash | b104a05e8a2e218adfb7654ba8bf3d49 | AryStinger Standard syswapd0-linux-amd64 V1.0.64 |
| MD5 Hash | 9660895fa3fcabbef466703636f6d51d | AryStinger Standard syswapd0-linux-amd64 V1.0.66 |
| MD5 Hash | b0f4f813a9de094c06821366e2459aee | AryStinger Standard syswapd0-linux-amd64 V1.0.67 |
| MD5 Hash | 8cc249b16adf7e4a658af7fa31d7998e | AryStinger Standard syswapd0-linux-amd64 V1.0.68 |
| MD5 Hash | 9973676bfa9fe89aa5c76e3cd0b21ae8 | AryStinger Standard syswapd0-linux-amd64 V1.0.76 |
| MD5 Hash | d997efa98afab2c003654b8d5ce2bedf | AryStinger Standard syswapd0-linux-amd64 V1.0.79 |
| MD5 Hash | 8deb2a60d42de0f8f8786e485d2f046f | AryStinger Standard syswapd0-linux-amd64 V1.0.80 |
| MD5 Hash | dc71c10ca0b2c83b6b3a6a062fca314f | AryStinger Standard syswapd0-linux-amd64 V1.0.81 |
| MD5 Hash | 6869f24aecd75e2144aba8dc03dc2d0f | AryStinger Standard syswapd0-linux-amd64 V1.0.88 |
| MD5 Hash | 05627d1bddb7292bb45139244f46051f | AryStinger Standard syswapd0-linux-amd64 V1.0.89 |
| MD5 Hash | 19232d0eff3ef7aee3b5d7620c72358c | AryStinger Standard syswapd0-linux-amd64 V1.0.90 |
| MD5 Hash | 8edb3ea62a7e643ba1a88d20799cf94f | AryStinger Standard syswapd0-linux-amd64 V1.0.91 |
| MD5 Hash | ea2fe3b409da439aec25cf7eabf5b7a7 | AryStinger Standard syswapd0-linux-amd64 V1.0.93 |
| MD5 Hash | 0ffb4b4e430f4b69216fb9d2e082e482 | AryStinger Standard syswapd0-linux-amd64 V1.0.95 |
| MD5 Hash | 5d9cdb072415b191df3f444f53b2ff4b | AryStinger Standard syswapd0-linux-amd64 V1.0.96 |
| MD5 Hash | 44805c4b36bd3d97ba8ecaf6fe103572 | AryStinger Standard syswapd0-linux-amd64 V1.0.97 |
| MD5 Hash | d2fd89ebdad493ec9ac76ce35213cec4 | AryStinger Standard syswapd0-linux-amd64 V1.0.98 |
| MD5 Hash | a2d54fcd0c2816f607a5962523fc648c | AryStinger Standard syswapd0-linux-amd64 V1.0.101 |
| MD5 Hash | e6b27080aa1ce1901a23dd75716d9092 | AryStinger Tunnel nat_tunnel-linux-x86_64 |
| File Name | syswapd0h | AryStinger malicious process name (RTL819X variant) |
| File Name | syswapd0w | AryStinger malicious process name (RTL819X variant) |
| File Name | nat_tunnel-linux-x86_64 | AryStinger Tunnel tool binary |
| Encryption Key | sh_#@!2024_secret | Hardcoded XOR key used in C2 communication (the article body renders it as sh_#@!_2024_secret; the two spellings differ by one underscore) |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
