AryStinger Botnet Turns Old Routers Into Attack Proxies

Security researchers say AryStinger has compromised more than 4,300 legacy routers, turning aging home and small-office gear into proxy and reconnaissance infrastructure. The campaign is a reminder that end-of-life routers are not just slow or outdated; they can become someone else’s attack platform.
[Image: D-Link DIR-850L router.] D-Link’s DIR-850L is an end-of-life router model that has appeared in reports about compromised residential proxy infrastructure and is one of the legacy router families referenced in recent botnet reports.

AryStinger, a newly documented botnet tracked by QiAnXin XLab, has compromised more than 4,300 legacy routers and turned them into distributed infrastructure for scanning, proxying, tunneling, and command execution. The campaign is notable because it is built around old networking gear, including router families tied to Realtek RTL819X-era hardware and vulnerabilities that have been public for years.

The research, published June 17, describes a botnet that is less focused on simple denial-of-service traffic than on the earlier stages of intrusion. Infected devices can act as remotely controlled “executors” for port scanning, service discovery, subdomain enumeration, traffic forwarding, and internal reconnaissance. That makes a compromised router useful as a quiet springboard before a larger attack begins.

The practical message is blunt: a router that has stopped receiving security updates is not merely obsolete. If it is still connected to the internet, it can become part of someone else’s proxy network, expose the local network to follow-on activity, and make malicious traffic appear to come from an ordinary home or small-business connection.

What AryStinger Is Doing

XLab said it first saw related activity on March 12, when its threat-awareness system detected an ELF sample spreading through older flaws tracked as CVE-2013-3307 and CVE-2016-5681. Those vulnerabilities affect router models that are roughly a decade old, including D-Link and Linksys-class equipment, and have been public for years. The researchers later captured a related Go-based sample targeting NAS devices through CVE-2025-11837.

The router-focused version is implemented in C, while the NAS-focused variant is written in Go and appears to have a broader execution toolkit. XLab tied the family name to source-code path clues that referenced “Ary-Attack,” then named the malware AryStinger based on its behavior and technical lineage.

Once running, AryStinger communicates with command-and-control servers over HTTP or HTTPS. XLab reported that the messages are Protobuf-encoded and obfuscated with a simple XOR; after authenticating and receiving configuration updates, the bot waits for tasks. The supported tasks go beyond basic botnet behavior: internal and external network scanning, proxy forwarding, system command execution, payload execution in Go, Java, or Python source form, and remote management through tools such as Dropbear or gs-netcat.

The “executor” design matters because it lets an operator split a large reconnaissance job into smaller pieces and distribute those jobs across many compromised routers. Instead of one server visibly scanning the internet, many residential or small-office devices can perform slices of the work in parallel. That can make early-stage attack traffic harder to attribute and harder to block by reputation alone.

Why Old Routers Keep Showing Up in Botnets

The AryStinger findings fit a broader pattern. In March, the FBI warned that AVrecon-infected routers and IoT devices had been used as residential proxies through the SocksEscort service, which authorities said had compromised and sold access to about 369,000 devices since 2020. D-Link later noted that several legacy models referenced by the FBI, including DIR-818LW, DIR-850L, and DIR-860L, had already reached end-of-life or end-of-service status.

That lifecycle detail is the heart of the problem. Many home and small-office routers sit in service for years after the vendor stops issuing firmware updates. Even when a patch exists, owners often have to log into an admin panel and apply it manually. Once support ends, newly found bugs may never be fixed at all.

D-Link’s March support notice for legacy models recommended retiring affected devices, changing administrator passwords, using strong Wi-Fi encryption, disabling remote management unless strictly required, reviewing networks for unusual activity, and recognizing that rebooting alone may not remove a persistent infection. The FBI made a similar point in its AVrecon alert: some router infections can survive through modified firmware or disabled update features, while devices without endpoint security tools are difficult for owners to monitor.

AryStinger also shows why compromised routers are useful even when they are not used for noisy attacks. Residential proxy traffic can bypass filters that treat consumer IP addresses as lower risk. A hijacked router can hide the attacker’s true location, make scanning appear to originate from a normal household connection, and potentially give the operator a foothold near other devices on the same network.

What Router Owners Should Check Now

The most important step is to identify the router model and support status. If the device is end-of-life, replacement is usually the cleanest fix. That is especially true for routers still exposed to the internet, routers that offer remote administration, and older devices that have not received firmware updates in years.

  • Check the router’s exact model and hardware revision, then compare it with the vendor’s support or security-advisory pages.
  • Install the latest available firmware if the device is still supported, but do not assume that a years-old final firmware release addresses newly disclosed vulnerabilities.
  • Disable remote management, UPnP exposure, and any unused internet-facing services unless there is a clear operational need.
  • Change the router administrator password and Wi-Fi password to strong, unique values, especially if they have been reused elsewhere.
  • Look for unknown DNS settings, unfamiliar port-forwarding rules, unexpected admin accounts, or unexplained outbound traffic.
  • For small businesses, segment aging network equipment away from sensitive systems while planning replacement.
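Two of the points above are easier to act on with a concrete check: the distributed “executor” model, in which no single router scans enough to trip a per-source threshold, and the advice to look for unexplained outbound traffic from the router itself. The following is an added example written for this article, not code from XLab, D-Link, or the FBI alert. It runs over a constructed flow log in an assumed format (timestamp, source IP and port, destination IP and port, one new connection per line) with documentation-range addresses; the thresholds, the gateway address, and the log format are all assumptions to be tuned for a real network.

```python
from collections import defaultdict

# Constructed sample flow records (illustration only, not data from the XLab
# report). Assumed format: "<ts> <src_ip> <src_port> <dst_ip> <dst_port>" for
# new outbound TCP connections, as a firewall or NetFlow export might give.
SAMPLE_FLOWS = """\
# Owner's view: outbound flows seen at a home/SOHO network edge.
# 192.168.1.1 is the router itself; it should not be opening these sessions.
1000 192.168.1.1 41000 198.51.100.5 22
1001 192.168.1.1 41001 198.51.100.5 80
1002 192.168.1.1 41002 198.51.100.6 445
1003 192.168.1.1 41003 198.51.100.7 3389
1004 192.168.1.1 41004 198.51.100.8 8080
1005 192.168.1.1 41005 198.51.100.9 23
1006 192.168.1.20 50000 203.0.113.50 443
1007 192.168.1.21 50001 203.0.113.51 443
# Target's view: inbound probes at a server, 203.0.113.10, from five
# residential-looking sources that each touch only two or three ports.
2000 198.51.100.21 40001 203.0.113.10 21
2001 198.51.100.21 40002 203.0.113.10 22
2002 198.51.100.22 40003 203.0.113.10 23
2003 198.51.100.22 40004 203.0.113.10 25
2004 198.51.100.23 40005 203.0.113.10 80
2005 198.51.100.23 40006 203.0.113.10 443
2006 198.51.100.23 40007 203.0.113.10 445
2007 198.51.100.24 40008 203.0.113.10 3306
2008 198.51.100.24 40009 203.0.113.10 3389
2009 198.51.100.25 40010 203.0.113.10 5900
2010 198.51.100.25 40011 203.0.113.10 8080
2011 198.51.100.25 40012 203.0.113.10 8443
"""


def parse_flows(text):
    """Parse the assumed format into (ts, src, sport, dst, dport) tuples.
    The timestamp is kept so a real deployment can window the data; the
    detectors below treat the whole sample as one window."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((float(ts), src, int(sport), dst, int(dport)))
    return flows


def gateway_fanout(flows, gateway_ip, min_targets=5):
    """Owner's view. A consumer router's own address normally originates very
    little (DNS, NTP, update checks). Many distinct destination:port pairs
    opened by the router itself look like scanning or proxy forwarding."""
    targets = {(dst, dport) for _, src, _, dst, dport in flows if src == gateway_ip}
    return sorted(targets) if len(targets) >= min_targets else []


def _ports_by_source(flows, target_ip):
    ports = defaultdict(set)
    for _, src, _, dst, dport in flows:
        if dst == target_ip:
            ports[src].add(dport)
    return ports


def per_source_scan(flows, target_ip, threshold=5):
    """Classic per-source port-scan rule: alert when one source touches more
    than `threshold` ports on the target. Work split across many routers
    stays under it, which is the point of the executor design."""
    ports = _ports_by_source(flows, target_ip)
    return sorted(src for src, p in ports.items() if len(p) > threshold)


def distributed_scan(flows, target_ip, per_source_max=3, min_ports=10):
    """Target's view. Correlate by destination instead of source: if the
    union of ports probed by individually quiet sources covers a wide
    spread, treat it as one coordinated scan rather than unrelated noise."""
    ports = _ports_by_source(flows, target_ip)
    quiet = {src: p for src, p in ports.items() if len(p) <= per_source_max}
    union = set().union(*quiet.values()) if quiet else set()
    if len(union) < min_ports:
        return None
    return {"sources": sorted(quiet), "ports": sorted(union)}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("gateway fan-out:", gateway_fanout(flows, "192.168.1.1"))
    print("per-source rule:", per_source_scan(flows, "203.0.113.10"))
    print("distributed scan:", distributed_scan(flows, "203.0.113.10"))
```

On the sample data the per-source rule fires on nothing, while correlating by destination surfaces a twelve-port sweep spread across five sources, and the gateway check flags six outbound targets opened by the router itself. In practice the gateway check is the one a home or small-office owner can act on: exporting connection logs from the router or an upstream firewall and filtering on the router’s own WAN address needs no endpoint agent on the device.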

Factory reset and reflashing can help in some cases, but they are not reliable cures for every router botnet infection. The FBI warned in March that some AVrecon infections involved firmware changes that disabled update or flashing features. If a router is old enough to be unsupported and compromise is suspected, replacement is a safer assumption than cleanup.

The Bigger Risk Is the Forgotten Network Edge

Consumers often replace phones and laptops long before they replace routers. Small offices may keep the same broadband gateway until it fails. Attackers have adapted to that reality. Old routers are always-on, poorly monitored, often exposed to the internet, and frequently outside the normal software-update habits that protect PCs and phones.

AryStinger is not yet attributed to a known threat group, and XLab said several questions about the campaign remain unresolved. But its capabilities are enough to make the defensive lesson clear. The router at the edge of a home or office network should be treated like security infrastructure, not furniture. Once it falls out of support, it becomes a long-lived risk sitting between every device inside the network and the public internet.

Sources: QiAnXin XLab, BleepingComputer, D-Link security announcement, and the FBI AVrecon FLASH.
