AryStinger is a newly discovered malware family that takes over outdated home and small office (SOHO) routers. Researchers at QiAnXin XLab have identified at least 4,300 infected legacy Realtek-based routers. Read the Cybersecurity Threat Advisory to mitigate your clients’ risk now.
What is the threat?
AryStinger is malware that compromises outdated, internet-connected routers and certain QNAP NAS devices. It quietly turns them into tools for attackers. Instead of encrypting data or causing obvious damage, AryStinger uses compromised devices to scan the internet and map networks and services. It also relays attacker traffic so it appears to originate from legitimate home or small-office equipment.
On legacy routers, a lightweight program primarily performs large-scale DNS and network scanning. On QNAP NAS devices, a more advanced version can run built-in scanning tools. It can also execute attacker-supplied scripts written in Go, Java, or Python.
All infected devices connect to a command-and-control (C2) server over the internet. Attackers use the server to assign tasks and collect the results. These tasks may include scanning IP ranges or probing domains. A hidden SSH-style backdoor maintains persistent access. This allows attackers to reuse compromised routers and NAS devices as reconnaissance and proxy nodes for future operations.
Why is it noteworthy?
AryStinger is significant because it behaves differently from most router malware. Instead of launching disruptive attacks or DDoS campaigns, it quietly transforms outdated routers and NAS devices into stealth reconnaissance and traffic-relay tools. Your systems may be scanned or probed by what appears to be a normal home router. This makes the real attacker more difficult to identify and block.
AryStinger also exploits vulnerabilities that were patched years ago. However, many organizations never updated or replaced affected devices. As a result, the malware can spread through forgotten hardware that remains online.
The threat demonstrates how attackers can build a large reconnaissance and proxy network from inexpensive legacy devices. Many of these systems still sit on the edge of modern networks.
What is the exposure or risk?
AryStinger presents risk in two primary ways.
First, organizations that are not directly infected may still have their internet-facing systems scanned and mapped by attackers using the AryStinger network. This reconnaissance can reveal open ports, vulnerable services, and forgotten assets. Attackers may later use this information to gain access. Since the scans originate from seemingly legitimate routers, they can blend in with normal internet traffic.
Second, organizations that continue to use outdated or unpatched routers and QNAP NAS devices may unknowingly become part of the AryStinger network. In that case, compromised equipment could become a persistent foothold for attackers. It could also serve as a relay point for malicious traffic. This makes it easier for attackers to conceal their activity and observe internal networks.
An organization’s public IP addresses may also become associated with malicious activity, including scanning and abuse. This can lead to reputation damage or blocking by partners and service providers. In short, exposed legacy edge devices create multiple risks. They increase the likelihood of becoming a target and may unknowingly support attacks against others.
What are the recommendations?
Barracuda strongly recommends organizations take the following steps to reduce their risk:
- Identify and replace legacy edge devices: Inventory all routers, gateways, and NAS appliances, and retire end-of-life or unpatched models, particularly older Realtek-based D-Link, Linksys, and QNAP devices.
- Keep supported devices fully patched: Ensure all remaining routers and NAS devices are running the latest firmware and security updates, including QNAP’s Malware Remover patches related to CVE-2025-11837.
- Disable unnecessary remote access: Turn off remote administration wherever possible. If remote access is required, restrict it through VPN access and trusted IP allowlists.
- Segment and monitor network appliances: Place routers and NAS devices in dedicated network segments and monitor outbound traffic for communications with suspicious domains, IP addresses, or known AryStinger indicators (such as ajb8[.]com).
- Hunt for signs of compromise: On potentially affected devices, look for unknown binaries in /tmp/bin, processes named syswapd0h or syswapd0w, unexpected SSH services such as Dropbear running on port 2332, or GS Netcat listeners on NAS devices.
- Strengthen overall security hygiene: Include routers and NAS devices in asset management, vulnerability management, and patch management programs. Enforce strong credentials on all management interfaces and regularly review externally exposed services.
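The hunting indicators listed above, checked against output collected from a device, as an added example that is not Barracuda's or QiAnXin XLab's tooling. It assumes data gathered with `ps -eo pid,user,comm`, `ss -tlnp` or `netstat -tlnp`, a file listing of /tmp/bin, and resolver or proxy logs; the sample lines embedded in the script are constructed, and the `gs-netcat` process name is an assumption (the advisory names the tool, not the binary).

```python
"""Check host-collected output for the AryStinger indicators named in the advisory.

Added illustration, not vendor tooling. Sample inputs below are constructed.
"""
import re

# Indicators taken from the advisory text.
PROCESS_NAMES = {"syswapd0h", "syswapd0w"}
BACKDOOR_PORT = 2332                      # unexpected Dropbear listener
C2_DOMAIN = "ajb8[.]com".replace("[.]", ".")  # refanged for matching
DROP_DIR = "/tmp/bin"
# Assumption: the gsocket relay binary is usually named gs-netcat; adjust if it differs.
GS_NETCAT_NAME = "gs-netcat"

# Local address column of `ss -tlnp` / `netstat -tlnp`: 0.0.0.0:2332, [::]:2332, *:2332
_LISTEN_RE = re.compile(r"(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]*\]|\*):(\d+)\b")
_SS_PROC_RE = re.compile(r'"([^"]+)"')        # users:(("dropbear",pid=812,fd=4))
_NETSTAT_PROC_RE = re.compile(r"\d+/(\S+)")   # 812/dropbear


def check_processes(ps_lines):
    """Flag `ps -eo pid,user,comm` lines whose command is a known AryStinger name."""
    hits = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        comm = fields[-1].rsplit("/", 1)[-1]   # drop any path prefix
        if comm in PROCESS_NAMES:
            hits.append(line.strip())
    return hits


def check_listeners(socket_lines):
    """Flag listeners on the backdoor port or owned by a gs-netcat process."""
    hits = []
    for line in socket_lines:
        if "LISTEN" not in line:
            continue
        m = _LISTEN_RE.search(line)
        port = int(m.group(1)) if m else None
        procs = set(_SS_PROC_RE.findall(line)) | set(_NETSTAT_PROC_RE.findall(line))
        if port == BACKDOOR_PORT or GS_NETCAT_NAME in procs:
            hits.append(line.strip())
    return hits


def check_dns(log_lines):
    """Flag log lines that name the C2 domain or any subdomain of it."""
    hits = []
    for line in log_lines:
        for tok in line.split():
            name = tok.strip(".,;\"'").lower()
            if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                hits.append(line.strip())
                break
    return hits


def check_drop_dir(paths):
    """Flag every file under /tmp/bin; the advisory treats binaries there as unknown."""
    return [p for p in paths if p.startswith(DROP_DIR + "/")]


def hunt(ps_lines, socket_lines, log_lines, paths):
    """Run all checks; return only the checks that produced findings."""
    findings = {
        "processes": check_processes(ps_lines),
        "listeners": check_listeners(socket_lines),
        "dns": check_dns(log_lines),
        "tmp_bin": check_drop_dir(paths),
    }
    return {name: items for name, items in findings.items() if items}


# Constructed sample data standing in for real device output.
SAMPLE_PS = [
    "  PID USER     COMMAND",
    "    1 root     init",
    "  812 root     dropbear",
    "  901 root     syswapd0h",
    " 1203 admin    smbd",
]
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    'LISTEN 0      10     0.0.0.0:22          0.0.0.0:*         users:(("dropbear",pid=500,fd=3))',
    'LISTEN 0      10     0.0.0.0:2332        0.0.0.0:*         users:(("dropbear",pid=812,fd=4))',
    'LISTEN 0      128    [::]:8080           [::]:*            users:(("gs-netcat",pid=1400,fd=5))',
    'LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1203,fd=9))',
]
SAMPLE_DNS = [
    "2026-01-15T10:14:02Z router-01 query: www.example.com A",
    "2026-01-15T10:14:09Z nas-01 query: update.ajb8.com A",
    "2026-01-15T10:15:30Z nas-01 query: ajb8.com. TXT",
]
SAMPLE_PATHS = ["/bin/busybox", "/tmp/bin/syswapd0w", "/tmp/bin/.x", "/share/Public/readme.txt"]

if __name__ == "__main__":
    for check, items in hunt(SAMPLE_PS, SAMPLE_SS, SAMPLE_DNS, SAMPLE_PATHS).items():
        print(f"[{check}]")
        for item in items:
            print("  " + item)
```

A normal Dropbear listener on port 22 is deliberately not flagged, since the advisory's indicator is the unexpected port; only port 2332 or a gs-netcat-owned socket counts. Feed real `ps`, `ss`, and log output into the same functions to hunt across a fleet of devices.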
Barracuda recommends implementing these controls alongside continuous monitoring and rapid response services to help detect, contain, and remediate AryStinger-related activity.
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.