- QiAnXin XLab exposed “AryStinger”, malware that exploited old D-Link/Linksys router flaws (CVE-2013-3307, CVE-2016-5681) to build a proxy/reconnaissance network
- So far, 4,300 routers are infected, mostly in South Korea (48%) and China (32%), with QNAP NAS devices also targeted via CVE-2025-11837
- Compromised devices enable scanning, tunneling and covert control; researchers advise monitoring logs, binaries in /tmp/bin and suspicious processes such as syswapd0h or syswapd0w
Cybersecurity researchers QiAnXin XLab warn of an ongoing campaign to create a distributed reconnaissance and proxy network out of people’s routers and NAS devices.
The campaign targets outdated and unsupported routers (mostly D-Link and Linksys) powered by Realtek’s RTL819X chips, which were a popular choice between 2012 and 2015. The attackers are exploiting two (ancient) vulnerabilities, CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link models, to infect the devices with a previously undetected piece of malware called AryStinger.
According to the researchers, AryStinger is used during reconnaissance and planning of a more serious cyber attack. Devices infected with this malware can scan the Internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands as needed, all while hiding the attacker’s location (and true identity).
Targeting NAS devices
“Once compromised by malware like AryStinger, which possesses reconnaissance and covert control capabilities, it is equivalent to a hacker placing a permanent ‘invisible listening device’ and ‘attack springboard’ in your network,” the researchers said.
QiAnXin’s XLab says that AryStinger has infected 4,300 routers so far, but stresses that this is not the final number and, with the campaign ongoing, it will keep rising.
The majority of victims are located in South Korea (48%) and China (32%), with notable mentions such as Sweden, Malaysia and Singapore.
AryStinger also targets QNAP’s NAS devices and exploits a code injection flaw in the device’s Malware Remover. This bug, tracked as CVE-2025-11837, was first discovered during last year’s Pwn2Own event and was patched in November 2025. The researchers don’t know how many of these devices are currently infected, saying the 4,300 number only relates to routers.
The researchers did not attribute this attack to any specific threat actor.
To defend against AryStinger, the researchers recommend monitoring the logs for any outgoing connections to C2 and download domains (found here), checking /tmp/bin for unrecognized binaries, and looking for processes called syswapd0h or syswapd0w.
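The host-side checks the researchers describe, written out as an added example that is not part of the article or the XLab report. The process names and the /tmp/bin path come from the article; the sample listing and the allow-list of expected file names are constructed assumptions, and the C2/download domain check is left out because the article links to that list rather than reproducing it.

```shell
#!/bin/sh
# Added example: check a device for the AryStinger indicators named in the
# article. Process names and /tmp/bin are from the report; inputs below are
# constructed for demonstration.

# Process names the researchers associate with AryStinger.
SUSPECT_PROCS="syswapd0h syswapd0w"

# Print each suspect process name that appears in a ps-style listing on stdin.
# Usage on a device: ps | suspicious_procs
suspicious_procs() {
  # Compare the basename of every field so "/tmp/bin/syswapd0h" matches but
  # an unrelated name that merely contains the string does not.
  awk -v names="$SUSPECT_PROCS" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    {
      for (i = 1; i <= NF; i++) {
        f = $i; sub(/.*\//, "", f)
        if ((f in want) && !(f in seen)) { seen[f] = 1; print f }
      }
    }'
}

# Print files in a /tmp/bin-style directory that are not on the allow-list.
# $1 = directory to inspect; remaining arguments = file names expected there
# (assumption: the operator knows what legitimately lives in /tmp/bin).
unexpected_binaries() {
  dir=$1; shift
  [ -d "$dir" ] || return 0
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    name=${f##*/}
    ok=0
    for allowed in "$@"; do [ "$name" = "$allowed" ] && ok=1; done
    [ $ok -eq 0 ] && printf '%s\n' "$name"
  done
  return 0
}

# Demo on constructed data: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf 'PID USER COMMAND\n 1 root init\n 312 root /tmp/bin/syswapd0h\n 400 root httpd\n' \
    | suspicious_procs
  d=$(mktemp -d); : > "$d/syswapd0w"; : > "$d/known_tool"
  unexpected_binaries "$d" known_tool
  rm -rf "$d"
fi
```

On a real device, pipe the router's own `ps` output into `suspicious_procs` and point `unexpected_binaries` at `/tmp/bin`; any output is a finding worth following up with the log review the researchers recommend.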
Via Hacker News
