A newly discovered botnet called AryStinger has quietly hijacked more than 4,300 routers across the globe, turning them into a silent army of attack proxies. The threat actors behind this campaign are exploiting decade-old vulnerabilities to build a covert reconnaissance infrastructure, and what makes it particularly alarming is how well it manages to stay hidden from traditional security tools.
The campaign first came to light on March 12, 2026, when a network-wide threat monitoring system flagged a suspicious IP address spreading a malware sample through two known router vulnerabilities, CVE-2013-3307 and CVE-2016-5681. These flaws affect several Linksys and D-Link router models from over ten years ago.
What Happened
The researchers from Qianxin XLab identified and documented this unusual attack campaign, noting that it targets router devices built on the RTL819X series chips, which were most widely used between 2012 and 2015. The team later captured a related sample on April 26 targeting NAS devices, spread through CVE-2025-11837.
Once AryStinger infects a router, it registers the device with a command-and-control server by sending device fingerprint data including MAC address, IP addresses, operating system version, and CPU architecture. This data is encrypted before transmission. The server then assigns each infected device a unique Executor ID, turning it into a managed node in the botnet.
Each infected node, called an Executor, receives a small piece of a larger scanning task. The attacker distributes these chunks across hundreds of devices simultaneously, enabling fast and distributed reconnaissance across the internet. This allows attackers to hide their real location while conducting reconnaissance on other networks.
Background and Context
The hardcoded encryption key found inside AryStinger reads “sh_#@!_2024_secret,” hinting that this campaign may have been active since at least 2024. The full scale of the operation remains unknown, since current infection counts only cover RTL819X routers and do not yet reflect how many NAS devices may also be compromised.
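The hardcoded key string is the one concrete indicator this article gives a defender, so it can be hunted for directly in firmware images, memory dumps or files pulled from a suspect device. The following Python scanner is an added example, not code from the article or from Qianxin XLab's report; only the key string itself comes from the article, while the file names, sample contents and chunk size are constructed here to show the scanner finding a match that straddles a read boundary.

```python
"""Added example (not from the article or the XLab report): hunt for the
hardcoded AryStinger key in firmware images, dumps or extracted files.

Only the key string is taken from the article. File names, file contents
and the chunk size used below are constructed for illustration.
"""
import os
import tempfile

# The one indicator quoted in the article.
ARYSTINGER_KEY = b"sh_#@!_2024_secret"

# Firmware images and memory dumps can be large, so files are read in
# fixed-size chunks rather than loaded whole. A small value is used here
# only so the constructed sample exercises the chunk-boundary case.
CHUNK_SIZE = 40


def scan_bytes(data: bytes, pattern: bytes = ARYSTINGER_KEY) -> list[int]:
    """Return every offset at which pattern occurs in data (overlaps allowed)."""
    hits = []
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_file(path: str, pattern: bytes = ARYSTINGER_KEY,
              chunk_size: int = CHUNK_SIZE) -> list[int]:
    """Return absolute offsets of pattern in the file, reading it in chunks.

    The last len(pattern)-1 bytes of each window are carried into the next
    read, so an occurrence split across two chunks is still found. Because
    the carried tail is shorter than the pattern, every hit in a window ends
    inside the newly read chunk, and no hit is reported twice.
    """
    overlap = len(pattern) - 1
    hits = []
    window = b""   # tail carried over from the previous read
    base = 0       # absolute file offset of window[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window += chunk
            hits.extend(base + off for off in scan_bytes(window, pattern))
            keep = window[-overlap:] if overlap else b""
            base += len(window) - len(keep)
            window = keep
    return hits


def hunt_directory(root: str, pattern: bytes = ARYSTINGER_KEY,
                   chunk_size: int = CHUNK_SIZE) -> dict[str, list[int]]:
    """Scan every regular file under root; return {relative path: offsets}
    for files that contain the pattern at least once."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            offsets = scan_file(full, pattern, chunk_size)
            if offsets:
                findings[os.path.relpath(full, root)] = offsets
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample tree (not real firmware) and return its path."""
    root = tempfile.mkdtemp(prefix="arystinger_hunt_")
    samples = {
        # Clean file: no indicator present.
        "clean.bin": b"\x7fELF" + b"\x00" * 70,
        # Key starts at offset 30 and crosses the 40-byte chunk boundary.
        "straddle.bin": b"A" * 30 + ARYSTINGER_KEY + b"B" * 30,
        # Two occurrences at offsets 5 and 24, one byte apart.
        "double.bin": b"\x00" * 5 + ARYSTINGER_KEY + b"\xff" + ARYSTINGER_KEY,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for rel, offs in sorted(hunt_directory(sample_root).items()):
        print(f"{rel}: key found at offsets {offs}")
```

On a real device image the same string search belongs in a YARA rule or a firmware-analysis pipeline; the point of the chunked reader is that a naive per-chunk search silently misses an indicator that happens to land on a read boundary, which is exactly the kind of gap that lets a sample look clean.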
The discovery is particularly concerning because the malware creates a distributed reconnaissance proxy network capable of scanning internet-facing systems, tunneling traffic, fingerprinting services, and executing remote commands. This highlights the risks associated with outdated networking equipment that no longer receives security updates.
Why it Matters to the Industry
The campaign demonstrates how obsolete networking equipment can continue to pose significant cybersecurity risks long after vendor support has ended. The malware's capabilities enable attackers to hide their origin while collecting valuable information about potential targets, making it a critical risk for any organization relying on outdated infrastructure.
For adult-industry platforms and operators, this means that legacy routers and NAS devices may be vulnerable to exploitation, potentially leading to data breaches or other security incidents. It is essential for these organizations to prioritize updating their networking equipment and implementing robust security measures to prevent such attacks.
What Comes Next
The researchers have not publicly disclosed the exact start date of the campaign, but investigations indicate that the operation has been active long enough to compromise thousands of devices. It is crucial for organizations to review their network infrastructure and take immediate action to address any potential vulnerabilities.
Key Facts
- AryStinger botnet has infected over 4,300 routers worldwide.
- The malware targets outdated D-Link and Linksys networking devices by exploiting known vulnerabilities.
- The campaign is designed for reconnaissance, intelligence gathering, and proxy operations.
- The hardcoded encryption key found inside AryStinger reads “sh_#@!_2024_secret”.
- Researchers have identified exploitation attempts targeting CVE-2013-3307 and CVE-2016-5681 vulnerabilities.
In conclusion, the discovery of the AryStinger botnet highlights the critical risks associated with outdated networking equipment. It is essential for organizations to prioritize updating their infrastructure and implementing robust security measures to prevent such attacks. The industry must remain vigilant and take immediate action to address any potential vulnerabilities.