AryStinger legacy-router reconnaissance and proxy network
Malware Activity
Summary
The AryStinger malware family is building a distributed reconnaissance and proxy network from legacy routers and NAS appliances, expanding a covert relay layer that helps operators scan targets and hide their origin. The network now comprises at least 4,300 infected routers, and the pool is still growing. The activity matters because infected devices can fingerprint services, enumerate subdomains, tunnel traffic, and run attacker commands on demand. A second strain extends the operation to QNAP NAS boxes through CVE-2025-11837.
Related Happenings
AryStinger legacy-router and QNAP NAS reconnaissance campaign
Campaign
H score: 72
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources: 1
How related:
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in.
About this happening:
The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score: 60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources: 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score: 76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources: 1
About this happening:
The **Popa** botnet has forced **millions of consumer TV boxes** to relay Internet traffic linked to **advertising fraud**, **account takeovers**, and **mass data-scraping efforts...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score: 66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources: 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
SystemBC long-running global proxy malware operation
Malware Activity
H score: 40
First: 04.02.2026 18:15
Last: 04.02.2026 18:15
Sources: 1
About this happening:
**SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...
Timeline
- 22.06.2026 09:57 · 1 article
AryStinger spreads from 107.150.106.14 to Realtek RTL819X routers
Detection IoC Update: QiAnXin XLab observed AryStinger spreading from a single source IP, 107.150.106.14, to legacy routers built on Realtek RTL819X chips. The Linux ELF payload exploited CVE-2013-3307 on Linksys models and CVE-2016-5681 on D-Link models to turn the devices into reconnaissance nodes and traffic relays.
Sources:
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57
- 22.06.2026 09:57 · 1 article
AryStinger adds a QNAP NAS strain through CVE-2025-11837
Campaign Scope Update: AryStinger expanded beyond routers on April 26 with a second strain aimed at QNAP NAS boxes. The strain used CVE-2025-11837, a code injection flaw in QNAP's Malware Remover, extending the campaign to NAS appliances.
Sources:
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57
- 22.06.2026 09:57 · 2 articles
QiAnXin XLab discloses AryStinger's router reconnaissance network
Initial Disclosure: QiAnXin XLab disclosed AryStinger as a new malware family that turns forgotten home routers into a distributed reconnaissance and proxy network. XLab said it had seen at least 4,300 infected routers and that the total was still rising; the pool was mostly D-Link, with the DIR-850L making up about 75 percent, and XLab also noted a separate QNAP NAS strain.
Sources:
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57
- AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network — thehackernews.com — 22.06.2026 09:57