- QiAnXin XLab discovered “AryStinger”, a malware that exploits old D-Link/Linksys router flaws (CVE‑2013‑3307, CVE‑2016‑5681) to build a proxy/reconnaissance network.
- So far, 4,300 routers have been infected, mainly in South Korea (48%) and China (32%); QNAP NAS devices were also attacked via CVE-2025-11837.
- Compromised devices enable scanning, tunneling, and covert control; researchers recommend monitoring logs, binaries in /tmp/bin, and suspicious processes like syswapd0h or syswapd0w.
Cybersecurity researchers at QiAnXin XLab warn of an ongoing campaign to create a distributed reconnaissance and proxy network out of people’s routers and NAS devices.
The campaign targets outdated and unsupported routers (mainly D-Link and Linksys), powered by Realtek’s RTL819X chips, which were a popular choice between 2012 and 2015. Attackers are exploiting two (old) vulnerabilities, CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link models, to infect the devices with a previously undetected piece of malware called AryStinger.
According to the researchers, AryStinger is used during the reconnaissance and planning stages of a more serious cyberattack. Devices infected with this malware can scan the Internet, fingerprint services, enumerate subdomains, funnel traffic, and execute commands on demand, all while hiding the location (and true identity) of the attackers.
Target NAS devices
“Once compromised by malware like AryStinger, which possesses covert reconnaissance and control capabilities, it is equivalent to a hacker placing a permanent ‘stealth listening device’ and ‘attack springboard’ within your network,” the researchers said.
QiAnXin’s XLab says that so far, AryStinger has infected 4,300 routers, but emphasizes that this is not the final number and that it will increase further as the campaign continues.
The majority of victims are in South Korea (48%) and China (32%), with Sweden, Malaysia and Singapore also highlighted.
AryStinger also targets QNAP NAS devices, exploiting a code injection flaw in the device’s Malware Remover. This flaw, tracked as CVE-2025-11837, was first discovered during last year’s Pwn2Own event and was patched in November 2025. Researchers don’t know how many of these devices are currently infected and say the 4,300 figure only relates to routers.
Researchers did not attribute this attack to any particular threat actor.
To defend against AryStinger, researchers recommend monitoring logs for outgoing connections to the C2 and download domains listed by the researchers, checking /tmp/bin for unrecognized binaries, and looking for processes called syswapd0h or syswapd0w.
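The two host-side checks from the recommendation above, as an added example (not code from QiAnXin XLab or from this article): a POSIX sh script, intended for a BusyBox-style router shell, that looks for the named processes and inventories /tmp/bin. The PROC_ROOT and BIN_DIR overrides are assumptions of this example, and the log check is left out because the C2 and download domains are not reproduced on this page.

```sh
#!/bin/sh
# Added example: host-side triage for the indicators named in the article.
# PROC_ROOT and BIN_DIR are overridable (an assumption of this example) so the
# checks can also run against a test tree or a copied filesystem.
PROC_ROOT="${PROC_ROOT:-/proc}"
BIN_DIR="${BIN_DIR:-/tmp/bin}"
SUSPECT_NAMES="syswapd0h syswapd0w"

# Print "PID NAME" for each process whose kernel task name (comm) or
# argv[0] basename equals one of the reported process names.
find_suspect_procs() {
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        name="" argv0=""
        if [ -r "$dir/comm" ]; then
            read -r name < "$dir/comm" || true
        fi
        if [ -r "$dir/cmdline" ]; then
            # cmdline is NUL-separated; keep only argv[0], minus its path
            argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
            argv0=${argv0##*/}
        fi
        for s in $SUSPECT_NAMES; do
            if [ "$name" = "$s" ] || [ "$argv0" = "$s" ]; then
                echo "${dir##*/} $s"
                break
            fi
        done
    done
}

# List regular files in BIN_DIR (hidden ones included) with a SHA-256 when
# sha256sum is available, for comparison against the stock firmware.
list_bin_dir() {
    [ -d "$BIN_DIR" ] || return 0
    for f in "$BIN_DIR"/* "$BIN_DIR"/.[!.]*; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f")
            echo "${sum%% *} $f"
        else
            echo "- $f"
        fi
    done
}

# Run both checks when the script is executed.
find_suspect_procs
list_bin_dir
```

A process that has been renamed will not match either check, so an empty result does not clear a device; any file listed from /tmp/bin still needs comparing against what the stock firmware ships.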
Via Hacker News





