{
  "name": "Invisible Sting: Over 4000 Outdated Routers Compromised by AryStinger, Becoming Global Attack Springboards for Hackers",
  "slug": "invisible-sting-over-4000-outdated-routers-compromised-by-arystinger-becoming-global-attack-springboards-for-hackers",
  "description": "AryStinger is a sophisticated botnet targeting legacy routers based on RTL819X chipsets and NAS devices through vulnerabilities disclosed over a decade ago, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The malware exists in two versions: a C-based RTL819X variant for resource-constrained routers and a Go-based Standard version for NAS devices. Both communicate with command-and-control servers using Protobuf-encoded, XOR-encrypted traffic. Infected devices function as Executors in a distributed infrastructure, performing reconnaissance activities including port scanning, subdomain enumeration, and service identification. The botnet supports traffic tunneling, remote access via Dropbear or gs-netcat, and can execute payloads in Go, Java, and Python. Over 4,300 routers globally have been confirmed infected, predominantly D-Link models, with concentrations in South Korea, China, and Sweden. The infrastructure serves as both a concealment layer and attack platform for cyber espionage and intrusio...",
  "published": "2026-06-17T22:48:57.476000+00:00",
  "created_at": "2026-06-18T20:05:03.299000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-18T20:05:03.299000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "arystinger",
    "botnet",
    "cve-2013-3307",
    "cve-2016-5681",
    "cve-2025-11837",
    "distributed scanning",
    "legacy routers",
    "reconnaissance infrastructure",
    "rtl819x",
    "subdomain enumeration",
    "traffic tunneling"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "98e16ffc-3bf8-4baf-bc64-50c710114c32",
        "name": "CVE-2016-5681"
      },
      {
        "id": "31acc57c-a25d-4039-8f6d-c2f427f4e20f",
        "name": "CVE-2025-11837"
      },
      {
        "id": "8513931c-2e51-43a0-aa6a-265c8c9174f5",
        "name": "CVE-2013-3307"
      }
    ],
    "indicators": [
      {
        "id": "93a1ba22-8e80-4f0e-a7f3-e854fd5fd030",
        "name": "dybic.ajb8.com"
      },
      {
        "id": "61aa0f6f-17a1-4ed1-b797-ff6b8e6b671f",
        "name": "hgodpcx.auq8.com"
      },
      {
        "id": "858a9085-e444-4283-98bd-7b73df73c4fb",
        "name": "http://hgodpcx.ajb8.com"
      },
      {
        "id": "a6fe5736-2afa-4d35-8153-ead9d68b8b89",
        "name": "https://hgodpcx.ajb8.com/prod/RTL819X/"
      },
      {
        "id": "97a39b3e-8419-4cf7-9cc7-ba45a0b8653e",
        "name": "http://xook.ajb8.com"
      },
      {
        "id": "9dc702da-cb99-4bec-a2a8-83014f988d59",
        "name": "https://hgodpcx.ajb8.com/prod/standard/"
      },
      {
        "id": "10d3d9e2-32ce-438b-9b3b-addb0e426660",
        "name": "http://opi7.com"
      },
      {
        "id": "53282662-2def-4ad7-aabb-b40b69d3b6e3",
        "name": "hgodpcx.ajb8.com"
      },
      {
        "id": "79499e92-4568-4b64-b6e3-cd3247756ce0",
        "name": "https://hgodpcx.ajb8.com/n"
      },
      {
        "id": "715816ff-81ad-4c6d-8363-0ad7a201645d",
        "name": "io.ary2.com"
      },
      {
        "id": "bdacda77-b408-439e-b231-dfc3e36b3756",
        "name": "https://sdkv1.dataexplore.co"
      },
      {
        "id": "6a01f7b5-5bca-4793-b916-4ad306e15889",
        "name": "xook.ajb8.com"
      },
      {
        "id": "4d37f711-889e-45f4-a9de-f85b8a58cfbb",
        "name": "opi7.com"
      },
      {
        "id": "22c7f661-817f-40c2-8d0f-fe4650d70902",
        "name": "eixfi.ajb8.com"
      },
      {
        "id": "2ed3b762-f61f-4e7a-b2c2-e694e675d018",
        "name": "https://dybic.ajb8.com"
      },
      {
        "id": "3789cc32-714a-42e7-aba3-da58dd359791",
        "name": "http://eixfi.ajb8.com"
      },
      {
        "id": "f0e97afd-3772-485e-8316-cf4217528b76",
        "name": "https://hgodpcx.auq8.com/t"
      },
      {
        "id": "af461c5f-0160-4052-bd9f-696f00746105",
        "name": "sdkv1.dataexplore.co"
      },
      {
        "id": "20cc7fd2-3f49-4f09-8704-934fc090a35c",
        "name": "xonice.ahb8.com"
      },
      {
        "id": "e226add8-82cf-4e43-b817-f4fa53c55083",
        "name": "http://hgodpcx.ajb8.com/prod/RTL819X/"
      },
      {
        "id": "de282f2e-eada-4c81-92bb-4ca8bb177242",
        "name": "sdkv1.dataexplore.cc"
      },
      {
        "id": "6a6c751c-5c1a-4337-9519-3ce0a0e547a1",
        "name": "https://sdkv1.dataexplore.cc"
      },
      {
        "id": "552cd164-7965-4bb3-abe5-cd5d7ea4c83b",
        "name": "http://xonice.ahb8.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "79a0325f-93d7-4d3b-8d07-81240999f98f",
        "name": "T1590.005"
      },
      {
        "id": "3b98bf45-b0e0-4070-90d0-686cbe0cd8d3",
        "name": "T1090.003"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "820fbdf8-7db2-4292-9a60-7eed3567be8d",
        "name": "T1210"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "7da5e441-74a1-4f10-87f4-603a83c2334d",
        "name": "T1595.002"
      },
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "d570881a-1f73-41ca-ad6c-fc29256c76f9",
        "name": "T1595"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "5dee2969-7083-430e-9083-73bab54c3a18",
        "name": "T1590"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      }
    ],
    "malware": [
      {
        "id": "f97389ea-a75c-469d-8d08-811dc757e601",
        "name": "AryStinger",
        "slug": "arystinger"
      }
    ],
    "observables": [
      {
        "id": "bafd40b1-ecb3-4ea7-beee-2df08b5f0beb",
        "name": "opi7.com"
      },
      {
        "id": "8e17d7a1-80cf-4785-accc-f459b810d020",
        "name": "xonice.ahb8.com"
      },
      {
        "id": "c310e448-9537-4335-8931-4fe78f05b9b3",
        "name": "hgodpcx.auq8.com"
      },
      {
        "id": "66ab0a85-5e82-43e5-bedb-37f16e26513b",
        "name": "dybic.ajb8.com"
      },
      {
        "id": "0e34baa4-a936-4d69-89e5-353936347242",
        "name": "io.ary2.com"
      },
      {
        "id": "c7c08478-728c-4222-8954-708ffbc8d82b",
        "name": "sdkv1.dataexplore.cc"
      },
      {
        "id": "12ec16ba-3e6c-4afd-9005-391ed5771a20",
        "name": "sdkv1.dataexplore.co"
      },
      {
        "id": "aa1c9549-3641-4a33-aa1a-3bea908c081f",
        "name": "hgodpcx.ajb8.com"
      },
      {
        "id": "a44dbe73-4620-412b-ba33-600cb7e39cd0",
        "name": "eixfi.ajb8.com"
      },
      {
        "id": "6b0827ae-6d77-4568-90c7-a6dc3e0efc4a",
        "name": "xook.ajb8.com"
      },
      {
        "id": "6c060ab0-5c8b-4d06-8c1a-18ce02296e1f",
        "name": "http://opi7.com"
      },
      {
        "id": "850cd3bc-f6a9-44df-8774-1aefcba6940b",
        "name": "https://hgodpcx.ajb8.com/prod/RTL819X/"
      },
      {
        "id": "dd7986a6-c028-4880-abc8-15ca628b7b44",
        "name": "http://hgodpcx.ajb8.com/prod/RTL819X/"
      },
      {
        "id": "fc14a2a6-56e6-4399-8eda-a636fbecd9b5",
        "name": "http://hgodpcx.ajb8.com"
      },
      {
        "id": "eca92831-ec6c-45fa-96f7-60bdba724e7b",
        "name": "http://eixfi.ajb8.com"
      },
      {
        "id": "ace29bf8-9b6a-446c-bdc7-e67969a9eded",
        "name": "https://dybic.ajb8.com"
      },
      {
        "id": "11499785-f02c-468a-91cb-500a5457664e",
        "name": "http://xook.ajb8.com"
      },
      {
        "id": "4b0f33e2-5dbd-4957-bc4a-12a43721e282",
        "name": "https://sdkv1.dataexplore.cc"
      },
      {
        "id": "d3251396-4d3d-42d3-a8ba-15756292d8a3",
        "name": "https://hgodpcx.ajb8.com/prod/standard/"
      },
      {
        "id": "03d550d0-6e96-4ec7-bd58-f33c54cd1660",
        "name": "https://hgodpcx.auq8.com/t"
      },
      {
        "id": "a6727d8e-a779-46ec-9417-96c5e35b07e3",
        "name": "https://sdkv1.dataexplore.co"
      },
      {
        "id": "50e9b06e-4943-42db-a110-583d0b7bf93e",
        "name": "http://xonice.ahb8.com"
      },
      {
        "id": "2f9b9c96-bea3-4cf1-a790-6b17a75f771c",
        "name": "https://hgodpcx.ajb8.com/n"
      }
    ]
  },
  "external_refs": [
    {
      "id": "f376b960-81a9-44d8-9a3b-5f89b1ef7354",
      "standard_id": "external-reference--52582b7f-4bf7-559c-b0e5-978b6ce84e34",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a332459370e15b403bb6a4e",
      "hash": null,
      "external_id": "6a332459370e15b403bb6a4e",
      "created": "2026-06-18T20:05:03.198Z",
      "modified": "2026-06-18T20:05:03.198Z",
      "createdById": null
    },
    {
      "id": "827fa2f6-9a64-4bd0-8d3f-6d979edbdee2",
      "standard_id": "external-reference--9c80dbb8-968b-5b8e-b99f-642714859d64",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-18T20:05:03.231Z",
      "modified": "2026-06-18T20:05:03.231Z",
      "createdById": null
    }
  ]
}