Security researchers have uncovered a stealthy botnet that has quietly taken over more than 4,300 aging home and small-office routers around the world and turned them into a distributed launch pad for cyberattacks. Rather than herding the devices into the usual denial-of-service or crypto-mining swarm, the operators are using them as disposable infrastructure for the quiet "footprinting" stage that precedes an intrusion, scanning the internet, mapping services, and relaying traffic so the real attacker stays hidden.
The campaign was detailed by researchers at QiAnXin XLab, who first spotted the malware on March 12, 2026, spreading to old Linksys and D-Link routers through vulnerabilities disclosed more than a decade ago. They named the new malware family AryStinger after a project path (Ary-Attack) left behind in the code.
What is affected
AryStinger targets routers built on Realtek RTL819X chips, hardware that was mainstream roughly between 2012 and 2015 and that in many homes has never been patched or replaced. The initial intrusions abused CVE-2013-3307 and CVE-2016-5681, two flaws in long-forgotten Linksys and D-Link models. A second variant, written in Go, was later seen hitting network-attached storage (NAS) devices through a newer flaw, CVE-2025-11837. Infections cluster heavily in South Korea (about 48 percent) and China (about 32 percent), with Sweden, Malaysia, and Singapore following. The D-Link DIR-850L accounts for roughly three quarters of the compromised devices.
How the attack works
Each infected device becomes what the operators call an "Executor." A central command-and-control server splits a large scanning job into small chunks and farms them out to thousands of routers in parallel, a design that lets the attacker complete reconnaissance quickly while blending into ordinary internet noise. Beyond scanning, AryStinger can build traffic tunnels and proxies, run system commands, deliver follow-on payloads in Go, Java, or Python, and open persistent remote channels using tools such as dropbear and gs-netcat. The result is a single foothold that combines concealment, relay, and offensive capability. The malware encodes its traffic with Protobuf and light XOR obfuscation, and ships with a hardcoded key, sh_#@!_2024_secret, whose "2024" hints the activity may stretch back further than the first sighting.
This is the latest reminder that abandoned consumer routers have become prime real estate for stealthy operators. IntelFusions has previously tracked how the TheMoon botnet fed a 40,000-router proxy service and how a China-linked group built a spy network on SOHO routers.
What you should do
Old routers rarely receive security updates, so the most durable fix is replacement: retire end-of-life RTL819X devices and any NAS exposed directly to the internet. Where that is not possible, disable remote administration, restrict management interfaces to the local network, and reboot devices to clear memory-resident infections. Watch for an unexpected dropbear SSH service on an unusual port, which XLab used as a fingerprint to find infected hosts.
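The dropbear fingerprint above is easy to turn into a check you can run against your own network. The following is an added example (not code from XLab or IntelFusions): it classifies SSH identification banners and flags dropbear answering on a port other than 22, which is the unusual-port condition the briefing describes. Many router firmwares legitimately ship dropbear on port 22, so the software name alone is not a signal; only the combination with a non-standard port is treated as a finding. The scan records are constructed, and grab_banner is an assumed helper for collecting real banners from hosts you administer.

```python
"""Flag hosts whose SSH banner identifies dropbear on a non-standard port.

Added example, not part of the XLab research or the IntelFusions briefing.
The SAMPLE_RECORDS below are constructed (host, port, banner) tuples; in
practice they would come from a scan of a network you are responsible for.
"""
import re
import socket
from typing import Iterable, List, NamedTuple, Optional, Tuple

# SSH identification string per RFC 4253: "SSH-protoversion-softwareversion [comment]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")

# Ports where an SSH daemon is expected; dropbear on 22 is normal router firmware.
STANDARD_SSH_PORTS = {22}


class Finding(NamedTuple):
    host: str
    port: int
    software: str
    reason: str


def parse_banner(banner: str) -> Optional[str]:
    """Return the software-version token of an SSH banner, or None if it is not SSH."""
    m = BANNER_RE.match(banner.strip())
    return m.group("software") if m else None


def classify(host: str, port: int, banner: str) -> Optional[Finding]:
    """Return a Finding only for dropbear on a port outside STANDARD_SSH_PORTS."""
    software = parse_banner(banner)
    if software is None:
        return None
    if "dropbear" in software.lower() and port not in STANDARD_SSH_PORTS:
        return Finding(host, port, software, "dropbear SSH on non-standard port")
    return None


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Read the server's identification line from a live host (assumed helper).

    SSH servers send their banner immediately after the TCP handshake, so a
    single recv() is enough. Returns None on connection failure or no data.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256).decode("ascii", errors="replace")
            return data.splitlines()[0]
    except (OSError, IndexError):
        return None


def scan_records(records: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    """Run classify() over (host, port, banner) records and keep the findings."""
    return [f for f in (classify(h, p, b) for h, p, b in records) if f is not None]


# Constructed sample data: one legitimate OpenSSH host, one router with dropbear
# on 22 (normal), one web port, and one dropbear listener on an unusual port.
SAMPLE_RECORDS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"),
    ("192.0.2.40", 22, "SSH-2.0-dropbear_2020.81"),
    ("192.0.2.23", 80, "HTTP/1.1 400 Bad Request"),
    ("192.0.2.23", 31337, "SSH-2.0-dropbear_2019.78"),
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"{finding.host}:{finding.port} {finding.software} - {finding.reason}")
```

On a real network you would pair this with a port sweep of your own devices and feed each open port through grab_banner() before classify(); the classification step is deliberately separated from collection so it can also run over exported scanner output.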
Indicators of compromise
Selected defanged indicators from the research: C2 hosts hxxp://hgodpcx[.]ajb8[.]com, hxxps://hgodpcx[.]auq8[.]com/t, and hxxp://opi7[.]com; sample MD5 abae20b26b70b526bebb5e2617092ede. The full indicator set is available in the original XLab report.
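The indicators are published defanged, so using them for detection means refanging them in a controlled way, extracting the hostnames, and comparing those against resolver logs. The following is an added example (not code from XLab or IntelFusions) that does exactly that: it refangs and defangs the C2 URLs listed above without touching the path component, derives the C2 hostnames, and searches constructed dnsmasq-style query lines for clients that resolved a listed domain or a subdomain of one. The log lines and client addresses are constructed.

```python
"""Refang the briefing's defanged C2 URLs and match resolver logs against them.

Added example, not part of the XLab report or the IntelFusions briefing.
The C2 hostnames are the ones listed in the briefing; DNS_LOG is constructed.
"""
import re
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlparse

DEFANGED_IOCS = [
    "hxxp://hgodpcx[.]ajb8[.]com",
    "hxxps://hgodpcx[.]auq8[.]com/t",
    "hxxp://opi7[.]com",
]

# scheme :// host rest  (rest keeps any path, query or fragment untouched)
URL_RE = re.compile(r"^(?P<scheme>hxxps?|https?)(?P<sep>://)(?P<host>[^/]+)(?P<rest>.*)$", re.I)


def refang(ioc: str) -> str:
    """Reverse common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Defang only the scheme and host so the path stays readable (round-trips refang)."""
    m = URL_RE.match(url)
    if m is None:
        return url.replace(".", "[.]")
    scheme = re.sub(r"^http", "hxxp", m["scheme"], flags=re.IGNORECASE)
    return scheme + m["sep"] + m["host"].replace(".", "[.]") + m["rest"]


def ioc_hostnames(defanged: Iterable[str]) -> Set[str]:
    """Extract the lowercase hostname from each defanged URL."""
    hosts = set()
    for ioc in defanged:
        host = urlparse(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def matches_ioc(name: str, hosts: Set[str]) -> bool:
    """True if the queried name equals a C2 host or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)


# dnsmasq query line shape: "... dnsmasq[pid]: query[A] name from client"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def find_hits(log_lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs for queries that touch a listed C2 domain."""
    hosts = ioc_hostnames(iocs)
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_ioc(m["name"], hosts):
            hits.append((m["client"], m["name"]))
    return hits


# Constructed resolver log; only two of the four lines should match.
DNS_LOG = [
    "Mar 14 10:02:11 gw dnsmasq[812]: query[A] hgodpcx.ajb8.com from 192.168.1.50",
    "Mar 14 10:02:12 gw dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.50",
    "Mar 14 10:03:40 gw dnsmasq[812]: query[A] cdn.opi7.com from 192.168.1.77",
    "Mar 14 10:04:01 gw dnsmasq[812]: reply www.example.com is 93.184.216.34",
]

if __name__ == "__main__":
    for client, name in find_hits(DNS_LOG):
        print(f"{client} resolved {defang(name)}")
```

Subdomains of a listed C2 domain are treated as hits, which is the right default for attacker-registered domains like these; for indicators that sit under shared hosting or CDN domains you would tighten matches_ioc() to exact names to avoid false positives. The refanged strings exist only in memory here; anything written back to a report goes through defang() again, as the briefing's handling note intends.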
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.