Security researchers at QiAnXin XLab have discovered more than 4,300 legacy routers infected worldwide by a threat they named AryStinger. The Ministry of State Security also recently warned about outdated routers, which serve as key entry points for cyber espionage, so administrators must take these threats seriously.
At a Glance
- Malware Family: AryStinger malware
- Threat Actor: Unknown
- Targets/Victims: Legacy RTL819X routers (D-Link, Linksys) and NAS devices. At least 4,300 confirmed infected routers.
- Delivery Vector: Exploiting CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837.
- Key Capabilities: Network scanning, traffic proxying, and source-level payload execution.
- Source: QiAnXin XLab.
TL;DR
Attackers are exploiting decade-old vulnerabilities to deploy AryStinger on legacy routers, turning the compromised devices into a large infrastructure cluster for intrusion reconnaissance. Administrators should update or replace outdated networking equipment immediately.
Delivery
The campaign mainly targets routers built on RTL819X series chips, which were widely deployed between 2012 and 2015. The infection spreads through known vulnerabilities, specifically CVE-2013-3307 and CVE-2016-5681. Researchers also observed a related sample from the same family targeting NAS devices through CVE-2025-11837. QiAnXin XLab states, “The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers.” Most infected devices are D-Link routers, including the DIR-850L and DIR-818LW. The infections are geographically widespread: South Korea accounts for roughly 48 percent of victims and China for nearly 32 percent, with Sweden and Malaysia among the other affected countries.
Infection Chain
The infection proceeds in several stages. A malicious script first fetches the latest AryStinger build. On RTL819X devices the script kills any earlier instances, identified by the process names syswapd0h and syswapd0w, clears the temporary directory, and installs the new binary. The malware then behaves like a typical bot and establishes a persistent remote-management channel: on RTL819X routers it deploys a lightweight SSH server, while the standard build for NAS devices uses a different network tool. It also accepts source-level payloads, letting attackers run Go, Java, and Python code without compiling binaries for each target architecture; the trade-off is that the corresponding runtime must already be installed on the device. Downloaded open-source tooling is stored in temporary folders.
Command-and-Control and Data-Exfiltration Behavior
The bot talks to its command server over HTTP and HTTPS. Messages are serialized with Protobuf and then obscured with a simple XOR layer that uses a hardcoded key. At startup the bot gathers device fingerprint data, including MAC addresses, device names, and IP addresses, and submits it to the server for authentication; the server responds by assigning a unique executor ID. Separate modules handle authentication, heartbeats, and a watchdog that keeps the bot running. Operators can split large scanning jobs into small chunks and farm them out to many bots for parallel execution. For internal-network scanning the malware bundles open-source tools such as fscan, collecting system configuration, running processes, and vulnerability data, and reports the aggregated results back to the command server. It can also act as a traffic proxy, letting attackers route attacks through the infected routers and conceal their true physical location.
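Protobuf under a fixed-key XOR, as described above, is obfuscation rather than encryption. The Python below is an added example, not code from QiAnXin XLab or the malware: it builds a constructed fingerprint message in Protobuf wire format, hides it under an assumed single-byte XOR key, and then recovers that key from a captured sample alone by testing which candidate yields well-formed Protobuf made of printable strings. The field numbers, device values and key 0x5A are assumptions; a longer repeating key would call for a known-plaintext approach instead of this brute force.

```python
# Assumed schema (fields 1-3), device values and key 0x5A are constructed for
# this demo; the real AryStinger key and message layout are not on the page.
def string_field(field_no: int, value: str) -> bytes:
    # Length-delimited field (wire type 2); tag and length each fit one varint
    # byte because field_no < 16 and len(value) < 128 in this demo.
    payload = value.encode()
    return bytes([field_no << 3 | 2, len(payload)]) + payload

def decode_varint(data: bytes, i: int):
    n = shift = 0
    while True:
        if i >= len(data) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b, i = data[i], i + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, i
        shift += 7

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_string_fields(data: bytes):
    """[(field_no, bytes)] if data is only well-formed wire-type-2 fields, else None."""
    fields, i = [], 0
    try:
        while i < len(data):
            tag, i = decode_varint(data, i)
            length, i = decode_varint(data, i)
            if tag >> 3 == 0 or tag & 7 != 2 or i + length > len(data):
                return None
            fields.append((tag >> 3, data[i:i + length]))
            i += length
    except ValueError:
        return None
    return fields or None

def recover_single_byte_key(blob: bytes):
    """Try all 256 keys; keep those yielding printable-ASCII Protobuf strings."""
    hits = []
    for k in range(256):
        fields = parse_string_fields(xor_bytes(blob, bytes([k])))
        if fields and all(v.isascii() and v.decode().isprintable() for _, v in fields):
            hits.append((k, [v.decode() for _, v in fields]))
    return hits

# Constructed sample: the startup fingerprint (MAC, device name, IP), XOR 0x5A.
FINGERPRINT = (string_field(1, "00:11:22:33:44:55") + string_field(2, "DIR-850L")
               + string_field(3, "192.0.2.10"))
SAMPLE_BLOB = xor_bytes(FINGERPRINT, b"\x5a")
```

Because every plaintext byte in the sample is below 0x80, only the true key survives the Protobuf well-formedness check, so the candidate list has exactly one entry.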
Defense or Detection Guidance
Defenders should actively hunt for signs of infection. Monitoring traffic for known malicious domains helps, but network indicators alone are not sufficient: check devices for suspicious files, particularly unknown binaries in temporary directories, and for unexpected processes running in the background. Inventory and isolate legacy networking equipment, and replace devices that no longer receive firmware updates. The Ministry of State Security has warned that compromised routers threaten both personal privacy and national security. Regular security audits surface outdated hardware early, before attackers find it. Read the full technical breakdown on the QiAnXin XLab blog.