AryStinger legacy-router and QNAP NAS reconnaissance campaign
Campaign
Summary
The AryStinger campaign is turning legacy routers and QNAP NAS boxes into a distributed reconnaissance and proxy network, creating a stealth relay layer for intrusion staging. It has reached at least 4,300 infected routers and is still growing. The operation abuses CVE-2013-3307, CVE-2016-5681, and later CVE-2025-11837 to spread across Linksys, D-Link, and QNAP devices.
Related Happenings
AryStinger legacy-router reconnaissance and proxy network
Malware Activity
H score: 61
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources: 1
How related:
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in.
About this happening:
The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score: 60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources: 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score: 88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources: 1
About this happening:
The **Vo1d** campaign continues to target **unofficial Android-based TV boxes**, keeping a large-scale proxy botnet alive across consumer devices. The operation turns those boxes...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score: 66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources: 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Forest Blizzard DNS hijacking token-theft campaign against older routers
Campaign
H score: 35
First: 07.04.2026 20:02
Last: 07.04.2026 20:02
Sources: 1
About this happening:
Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...
Timeline
- 22.06.2026 09:57 · 1 article
AryStinger spreads through legacy routers with CVE-2013-3307 and CVE-2016-5681
Exploitation Observed: XLab first observed AryStinger on March 12, 2026, spreading from 107.150.106.14 as a Linux ELF payload against Realtek RTL819X routers, exploiting CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones. The infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand.
Sources:
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57
- 22.06.2026 09:57 · 1 article
AryStinger targets QNAP NAS boxes through CVE-2025-11837
Campaign Scope Update: A second AryStinger strain appeared on April 26, 2026, aimed at QNAP NAS boxes through CVE-2025-11837 in QNAP's Malware Remover. The Go-based build scans internal and external networks, runs fscan, ksubdomain, and httpx, and can execute attacker-supplied Go, Java, or Python source code through ScriptWork.
Sources:
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57
- 22.06.2026 09:57 · 2 articles
QiAnXin XLab identifies AryStinger as a 4,300-router reconnaissance proxy network
Initial Disclosure: QiAnXin XLab says AryStinger turns forgotten home routers into a distributed reconnaissance and proxy network and had counted at least 4,300 infected routers, still rising. The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent, and the observed routers were concentrated in South Korea and China.
Sources:
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57