Invisible Sting: Over 4000 Outdated Routers Compromised by AryStinger, Becoming Global Attack Springboards for Hackers
Essential information
- Published
- 18/06/2026 00:48
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- arystinger botnet cve-2013-3307 cve-2016-5681 cve-2025-11837 distributed scanning legacy routers reconnaissance infrastructure rtl819x subdomain enumeration traffic tunneling
- Related entities
- 3 vulnerabilities (cve), 23 indicators, 23 observables, 20 techniques (mitre), 1 malware
Description
AryStinger is a sophisticated botnet targeting legacy routers based on RTL819X chipsets and NAS devices through vulnerabilities disclosed over a decade ago, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The malware exists in two versions: a C-based RTL819X variant for resource-constrained routers and a Go-based Standard version for NAS devices. Both communicate with command-and-control servers using Protobuf-encoded, XOR-encrypted traffic. Infected devices function as Executors in a distributed infrastructure, performing reconnaissance activities including port scanning, subdomain enumeration, and service identification. The botnet supports traffic tunneling, remote access via Dropbear or gs-netcat, and can execute payloads in Go, Java, and Python. Over 4,300 routers globally have been confirmed infected, predominantly D-Link models, with concentrations in South Korea, China, and Sweden. The infrastructure serves as both a concealment layer and attack platform for cyber espionage and intrusio...
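The report states only that both variants talk to their C2 over Protobuf-encoded, XOR-encrypted traffic, without giving the key or schema. For a responder holding a packet capture from a suspect router, a useful first triage step is to test whether a payload becomes valid Protobuf wire format under some XOR key. The code below is an added example, not part of the original report or the malware analysis it summarises; it assumes a single-byte repeating XOR key (the page does not say what key length AryStinger uses), and the message bytes are constructed for illustration, not taken from real AryStinger traffic.

```python
# Triage helper: test candidate XOR keys against a captured payload by checking
# whether the decoded bytes parse as well-formed Protobuf wire format.
# Assumption (not stated in the report): a single-byte repeating XOR key.

MAX_FIELD_NUMBER = 0x1FFFFFFF  # 2^29 - 1, the largest legal Protobuf field number


def parse_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos) or None."""
    result, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        result |= (b & 0x7F) << shift
        pos += 1
        if not (b & 0x80):          # high bit clear: last byte of the varint
            return result, pos
        shift += 7
        if shift > 63:              # longer than any 64-bit varint: malformed
            return None
    return None                     # ran off the end mid-varint


def decode_fields(buf):
    """Walk buf as Protobuf wire format.

    Returns a list of (field_number, wire_type, value) if every field parses
    cleanly, or None if any tag, length or wire type is malformed.
    """
    pos, fields = 0, []
    while pos < len(buf):
        r = parse_varint(buf, pos)
        if r is None:
            return None
        key, pos = r
        field_no, wire_type = key >> 3, key & 7
        if field_no == 0 or field_no > MAX_FIELD_NUMBER:
            return None
        if wire_type == 0:          # varint
            r = parse_varint(buf, pos)
            if r is None:
                return None
            value, pos = r
        elif wire_type == 1:        # fixed 64-bit
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 2:        # length-delimited (string, bytes, submessage)
            r = parse_varint(buf, pos)
            if r is None:
                return None
            length, pos = r
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 5:        # fixed 32-bit
            value, pos = buf[pos:pos + 4], pos + 4
        else:                       # 3/4 are deprecated groups, 6/7 are invalid
            return None
        if pos > len(buf):          # declared length overran the buffer
            return None
        fields.append((field_no, wire_type, value))
    return fields or None


def xor_bytes(data, key):
    """Apply a repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_keys(payload):
    """Return every single-byte key under which payload decodes as Protobuf."""
    return [k for k in range(256) if decode_fields(xor_bytes(payload, bytes([k]))) is not None]


# Constructed sample message (not real AryStinger traffic):
#   field 1, varint 150  -> 08 96 01
#   field 2, bytes "scan" -> 12 04 73 63 61 6e
#   field 3, varint 80   -> 18 50
SAMPLE_PLAINTEXT = bytes([0x08, 0x96, 0x01, 0x12, 0x04]) + b"scan" + bytes([0x18, 0x50])
SAMPLE_KEY = b"\x5a"                                   # constructed key for the demo
SAMPLE_CAPTURED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for k in recover_single_byte_keys(SAMPLE_CAPTURED):
        print(f"key 0x{k:02x}: {decode_fields(xor_bytes(SAMPLE_CAPTURED, bytes([k])))}")
```

Because Protobuf tags and lengths are tightly constrained, few wrong keys survive the structural check on a payload of more than a handful of bytes; any key that does survive can be ranked further by whether its length-delimited fields decode as printable text. For traffic that parses under no single-byte key, the same `decode_fields` check can be reused against longer key lengths or other decodings before assuming the report's description does not match the sample.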