More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers
Essential information
- Published: 17/06/2026 20:13
- Modified: 17/06/2026 20:24
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: arystinger botnet cve-2013-3307 cve-2016-5681 cve-2025-11837 d-link distributed scanning dropbear backdoor legacy routers reconnaissance infrastructure rtl819x
- Tags: 2026-06-17 CVE-2013-3307 CVE-2016-5681 CVE-2025-11837 arystinger botnet d-link distributed scanning dropbear backdoor legacy routers reconnaissance infrastructure rtl819x
- Related entities: 3 vulnerabilities (cve), 23 indicators, 23 observables, 20 techniques (mitre), 1 malware, 10 others
Description
Security researchers discovered AryStinger, a botnet that targets legacy routers and NAS devices to build reconnaissance and attack infrastructure. The malware exploits vulnerabilities dating from 2013 to 2025 and has compromised over 4,300 devices globally, primarily D-Link routers using RTL819X chips. AryStinger communicates over HTTP/HTTPS using Protobuf encoding and XOR encryption, and supports tasks including network scanning, traffic proxying, command execution, and persistent backdoor deployment through dropbear or gs-netcat. Two versions exist: an RTL819X version written in C for routers, and a Standard version written in Go for NAS devices, with expanded capabilities that include integration of the fscan, ksubdomain, and httpx tools. Infected devices serve as distributed scanning nodes and attack proxies, hiding the attackers' identities while they conduct footprinting. Detection rates in mainstream security engines are extremely low, and evidence suggests operations possibly began in 2024.