More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers
June 17, 2026, 8:24 p.m.
Description
Security researchers discovered AryStinger, a botnet targeting legacy routers and NAS devices to build reconnaissance and attack infrastructure. The malware exploits vulnerabilities from 2013-2025 to compromise over 4,300 devices globally, primarily D-Link routers using RTL819X chips. AryStinger communicates via HTTP/HTTPS using Protobuf encoding and XOR encryption, supporting tasks including network scanning, traffic proxying, command execution, and persistent backdoor deployment through dropbear or gs-netcat. Two versions exist: RTL819X in C for routers, and Standard in Go for NAS devices with expanded capabilities including integration of fscan, ksubdomain, and httpx tools. Infected devices serve as distributed scanning nodes and attack proxies, effectively hiding attacker identities while conducting footprinting activities. The campaign shows extremely low detection rates in mainstream security engines, with evidence suggesting operations possibly began in 2024.
Date
- Created: June 17, 2026, 6:13 p.m.
- Published: June 17, 2026, 6:13 p.m.
- Modified: June 17, 2026, 8:24 p.m.
Indicators
Additional Information