The malware, named AryStinger by threat researchers, has been observed targeting routers built around RTL819X-series chipsets, a generation widely used in consumer and small-office networking equipment from roughly 2012 to 2015. The affected devices are led by D-Link DIR-850L and DIR-818LW models, both of which have passed their service life and no longer receive firmware fixes.
The campaign marks a shift from the more familiar use of infected routers for crude distributed denial-of-service attacks. AryStinger appears designed as reconnaissance infrastructure, allowing operators to split large scanning jobs across thousands of compromised devices. Each infected router can act as an “executor”, probing domains, testing services, forwarding traffic and helping attackers disguise their true location before deeper intrusions are attempted.
The known infection count covers RTL819X-class routers only. A second version of the malware, written in Go and aimed at network-attached storage devices, has also been identified, but its scale remains unclear. That leaves open the possibility that the real footprint of the operation is larger than the router count now visible through exposed backdoor behaviour.
DIR-850L devices account for the largest share of identified infections, followed by DIR-818LW units. Other affected models include DIR-816L, DIR-818L, DWR-118 and DIR-817LW. Geographically, the detected router infections are concentrated in South Korea and China, with smaller clusters in Sweden, Malaysia and Singapore. The distribution reflects where unsupported devices remain online rather than where the operators are based.
AryStinger gains persistence by deploying Dropbear, a lightweight SSH server, on compromised routers. It then opens access through firewall changes, allowing the attacker to maintain remote login capability. The malware communicates with command-and-control servers using HTTP or HTTPS, with traffic encoded through Protobuf and protected by simple XOR encryption. Once enrolled, each device receives an identifier and waits for tasks.
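The check-in channel described above, Protobuf messages under a repeating XOR key, carries a caveat worth making concrete for defenders: XOR with a fixed key is obfuscation, not encryption, and a network sensor or analyst can decode it. The Python below is an added illustration, not code from the report or from the malware, and everything in it is constructed: a hypothetical two-field check-in message (device id, number of pending tasks), a made-up four-byte key, and made-up device ids. It shows how the key period leaks from Protobuf's high-bit-clear tags and ASCII strings, and how a single message with known content (for instance a sandboxed sample whose device id the analyst chose) recovers the key for every other message.

```python
"""Added example: why a Protobuf body under a repeating-key XOR is readable.
Message layout, key and device ids are all constructed for this illustration;
none of them come from the AryStinger samples described in the article."""
from typing import Optional

# Constructed key for the demonstration (not the malware's real key).
KEY = bytes([0xD3, 0x31, 0x4F, 0x9E])


# --- Minimal Protobuf wire encoding, enough for a hypothetical check-in message ---
def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_string_field(field_number: int, value: str) -> bytes:
    data = value.encode()                     # wire type 2 = length-delimited
    return encode_varint((field_number << 3) | 2) + encode_varint(len(data)) + data


def encode_uint_field(field_number: int, value: int) -> bytes:
    return encode_varint((field_number << 3) | 0) + encode_varint(value)  # wire type 0


def build_checkin(device_id: str, pending_tasks: int) -> bytes:
    """Hypothetical check-in: field 1 = device id (string), field 2 = tasks awaited."""
    return encode_string_field(1, device_id) + encode_uint_field(2, pending_tasks)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The 'simple XOR' layer: the same short key is reused across the whole body."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Analyst side: recover the period, then the key, then other devices' messages ---
def guess_key_length(ciphertext: bytes, max_len: int = 16) -> Optional[int]:
    """c[i] ^ c[i+L] equals p[i] ^ p[i+L] exactly when L is the key period.  Protobuf
    tags, short lengths and ASCII strings all have the high bit clear, so that XOR has
    the high bit clear at every position only for the true period (assumes the
    plaintext holds no bytes >= 0x80, i.e. ASCII ids and fields shorter than 128)."""
    for length in range(1, max_len + 1):
        if length >= len(ciphertext):
            return None
        if all(((ciphertext[i] ^ ciphertext[i + length]) & 0x80) == 0
               for i in range(len(ciphertext) - length)):
            return length
    return None


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """One message with known content (e.g. a sandboxed sample whose device id the
    analyst assigned) yields the whole key: key = ciphertext XOR plaintext."""
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decode_varint(buf: bytes, pos: int) -> tuple:
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def parse_checkin(plain: bytes) -> tuple:
    """Parse the two-field hypothetical message back into (device_id, pending_tasks)."""
    pos, device_id, pending = 0, "", 0
    while pos < len(plain):
        tag, pos = decode_varint(plain, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 2:
            length, pos = decode_varint(plain, pos)
            value, pos = plain[pos:pos + length], pos + length
            if field == 1:
                device_id = value.decode()
        elif wire == 0:
            value, pos = decode_varint(plain, pos)
            if field == 2:
                pending = value
        else:
            raise ValueError(f"unsupported wire type {wire}")
    return device_id, pending


def demo() -> tuple:
    """Known message from the analyst's own device, unknown message from another bot."""
    known_plain = build_checkin("rtl819x-0badc0de", 3)        # constructed device id
    known_ct = xor_repeating(known_plain, KEY)
    unknown_ct = xor_repeating(build_checkin("dir850l-feedface", 7), KEY)  # constructed
    key_len = guess_key_length(unknown_ct)
    key = recover_key(known_ct, known_plain, key_len)
    return key_len, key, parse_checkin(xor_repeating(unknown_ct, key))


if __name__ == "__main__":
    print(demo())
```

The same two properties that make the traffic decodable are also what a detection engineer can lean on: a router that should never POST binary bodies suddenly sending short, high-bit-mixed payloads over HTTP is itself a signal, and once the key is known from one sample, a decoder like the one above turns captured check-ins into device ids and task counts for the whole fleet.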
Those tasks can include IP scanning, DNS scanning, HTTP availability checks, tunnel forwarding, command execution and payload delivery. The Go-based version is broader, adding tools used for service discovery, subdomain enumeration and web probing. The router-focused version is leaner, reflecting the limited processing power of older embedded hardware.
The malware has been seen exploiting long-known vulnerabilities, including CVE-2013-3307 and CVE-2016-5681, as well as CVE-2025-11837 in the NAS-focused variant. The reliance on old flaws highlights the enduring risk posed by abandoned hardware that remains connected long after official support ends. Some of the targeted products have been outside normal firmware maintenance for years.
D-Link’s lifecycle notices for many of the affected DIR-series devices state that end-of-life and end-of-service products no longer receive technical support, firmware updates or security remediation. Users are advised to retire and replace them, rather than expect patches for newly disclosed exploitation paths. That position leaves households and small businesses exposed if they continue using older units at the edge of their networks.
The threat is not limited to the owner of the infected router. A compromised device can become a staging point for attacks against third parties, making traffic appear to originate from a residential or small-office connection. It can also be used to inspect local network activity, alter DNS settings, redirect users to phishing or malware sites, and support lateral movement against other devices behind the same gateway.
The campaign also shows why attackers value routers as durable footholds. They are always on, often poorly monitored and rarely replaced unless they fail. Many users never log into router administration panels after installation, leaving default settings, exposed services and old firmware in place for years. Security tools installed on computers and phones may not detect malicious code running on the gateway itself.
AryStinger’s hardcoded communication key contains a “2024” string, but there is no confirmed evidence that the campaign began that year. What is clearer is that the operators have maintained and updated multiple malware builds, including dozens of router samples and more than 20 Go-based variants observed since April.