Invisible Sting: Over 4000 Outdated Routers Compromised by AryStinger, Becoming Global Attack Springboards for Hackers

June 18, 2026, 8:05 p.m.

Description

AryStinger is a sophisticated botnet targeting legacy routers based on RTL819X chipsets and NAS devices through vulnerabilities disclosed over a decade ago, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The malware exists in two versions: a C-based RTL819X variant for resource-constrained routers and a Go-based Standard version for NAS devices. Both communicate with command-and-control servers using Protobuf-encoded, XOR-encrypted traffic. Infected devices function as Executors in a distributed infrastructure, performing reconnaissance activities including port scanning, subdomain enumeration, and service identification. The botnet supports traffic tunneling, remote access via Dropbear or gs-netcat, and can execute payloads in Go, Java, and Python. Over 4,300 routers globally have been confirmed infected, predominantly D-Link models, with concentrations in South Korea, China, and Sweden. The infrastructure serves as both a concealment layer and attack platform for cyber espionage and intrusio...

Date

  • Created: June 17, 2026, 10:48 p.m.
  • Published: June 17, 2026, 10:48 p.m.
  • Modified: June 18, 2026, 8:05 p.m.

Indicators


Additional Information


Linked vulnerabilities