Most botnets are loud. They flood a target with junk traffic or burn a victim's electricity mining cryptocurrency, and the noise is the whole point. AryStinger, a botnet documented this month by the XLab team at Chinese security firm Qianxin, does the opposite. It has quietly taken over more than 4,300 end-of-life home and small-office routers and turned them into a distributed reconnaissance grid: a fleet of machines that scan, fingerprint, and tunnel on an attacker's behalf. There is no flood to notice. That silence is the design, and it is why this class of botnet is the one your monitoring was never built to catch.
What AryStinger actually does
XLab first detected the campaign spreading on March 12, 2026 and published its full analysis on June 17. The malware infects routers built on the Realtek RTL819X chip family, mainstream gear from roughly 2012 to 2015, by exploiting two bugs that are a decade old: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link models. One model, the D-Link DIR-850L, accounts for about 75 percent of infections, with the DIR-818LW making up another 13 percent. BleepingComputer reported the infected fleet at over 4,000 devices, concentrated in South Korea (48 percent), China (32 percent), and a long tail across Sweden, Malaysia, and Singapore.
Once on a device, AryStinger is built for legwork, not destruction. XLab found it runs internal and external network scanning with off-the-shelf offensive tools (fscan, ksubdomain, httpx, and tlsx), splits large scan jobs into chunks and farms them out across infected nodes for parallel execution, brute-forces DNS to enumerate subdomains, opens proxy and traffic-forwarding tunnels, and installs a dropbear SSH server on port 2332 plus gs-netcat as a backup remote-access channel. A second variant, written in Go for x86-64 network-attached storage devices and using a newer bug (CVE-2025-11837), adds the ability to run attacker-supplied Shell, Go, Java, and Python code. Command traffic is serialized with protobuf and XOR-encrypted under a hardcoded key containing the string "2024", which hints that the operation has been running far longer than its June disclosure suggests.
Why a botnet that scans is worse than one that floods
A denial-of-service or mining botnet announces itself. Traffic spikes, processors peg, customers complain, and somebody opens a ticket. A reconnaissance botnet generates none of that. Its job is to map, fingerprint, and stage, then hand a clean target list to a human operator. The three points below are ours, not the source reporting's, and they explain why this matters more than the raw device count.
First, the distribution defeats your reconnaissance detection. Most perimeter scanning alerts assume the scan comes from one or a handful of noisy hosts: rate limits trip, a single source address earns a bad reputation, the firewall blocks it. AryStinger splits one scan across thousands of residential addresses in dozens of countries, each sending a trickle. Spread that thin, the activity slides under volume thresholds and never lands on a reputation blocklist. Your alarms stay quiet because the scan was engineered to keep them quiet.
Second, end-of-life gear lives in your blind spot, and attackers know it. These routers predate any endpoint agent, rarely appear in an asset inventory, and carry the one label that makes defenders stop thinking about them: unpatchable. That label gets treated as a dead end. For an attacker it is the opposite, a property that guarantees the foothold will still be there next quarter. Unpatchability is not a weakness of this campaign. It is the feature that makes the infrastructure durable.
Third, quiet botnets evade the telemetry that catches loud ones. The detections that reliably catch botnets key on noise: outbound flood volume, mining-pool connections, processor anomalies. A reconnaissance cluster trips none of them, which means this category is almost certainly undercounted across the internet. The 2024 buried in AryStinger's encryption key, set against a March 2026 first detection, is a hint at how long a silent botnet can run before anyone writes it up.
Why your patch process cannot fix this
There is no firmware update coming for a D-Link DIR-850L. The model is years past end of support, and the bugs being used were assigned identifiers in 2013 and 2016. This is the same dynamic we covered when INC ransomware built its whole campaign on unpatched edge devices: the problem was never a missing patch, it was gear nobody owned operationally. AryStinger extends the pattern from enterprise appliances down to the consumer router in the branch office and the work-from-home setup. Patching is not the control here. Asset lifecycle and egress monitoring are.
What to do this week
Treat any RTL819X-era D-Link or Linksys router as a liability, not a sunk cost. Concretely:
- Find and retire the gear. Inventory edge and consumer routers across offices and remote workers. The DIR-850L, DIR-818LW, DIR-816L, DIR-818L, DIR-817LW, and DWR-118 are named in XLab's analysis, and anything on a 2012 to 2015 Realtek chipset is in scope. Replace it, do not nurse it.
- Close the easy doors on whatever stays. Disable remote management on the internet-facing side, change default credentials, and put management interfaces behind a VPN. None of this fixes the underlying bugs, but it removes the trivial paths in.
- Watch the wire, not the box. You cannot inspect an opaque router, but you can see what it says. Alert on an edge device opening outbound SSH (the dropbear listener uses port 2332), unexpected DNS configuration changes, gs-netcat-style tunnels, or scan-pattern egress such as many short connections to sequential ports or hosts. A consumer router should never start that traffic, and when one does, treat it as an incident, not noise.
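As an added example (not code from the article or from XLab), the Python below runs two of the wire-level checks above over a constructed connection log: a router address opening outbound SSH to port 2332, and scan-pattern egress as a run of short-lived connections to consecutive ports on one host or to consecutive hosts. The log format, the router asset list, and the thresholds are assumptions; adjust them to your own flow data.

```python
from collections import defaultdict
from ipaddress import ip_address
# Constructed sample connection log: "timestamp src dst dport duration_seconds".
# 192.0.2.10 is an inventoried home router; 192.0.2.20 is an ordinary workstation.
SAMPLE_LOG = """\
2026-06-18T10:00:01 192.0.2.10 203.0.113.5 2332 45.0
2026-06-18T10:00:05 192.0.2.10 198.51.100.7 21 0.1
2026-06-18T10:00:05 192.0.2.10 198.51.100.7 22 0.1
2026-06-18T10:00:05 192.0.2.10 198.51.100.7 23 0.1
2026-06-18T10:00:06 192.0.2.10 198.51.100.7 24 0.1
2026-06-18T10:00:06 192.0.2.10 198.51.100.7 25 0.1
2026-06-18T10:00:09 192.0.2.20 198.51.100.7 443 12.3
"""
ROUTERS = {"192.0.2.10"}   # assumed asset list of edge/consumer routers
DROPBEAR_PORT = 2332       # dropbear listener port named in XLab's analysis
SCAN_MIN_RUN = 5           # consecutive ports or hosts before calling it a scan
SCAN_MAX_DURATION = 1.0    # seconds; scan probes are short-lived

def parse_log(text):
    """Parse log lines into (src, dst, port, duration) tuples."""
    rows = []
    for line in text.splitlines():
        _ts, src, dst, port, dur = line.split()
        rows.append((src, dst, int(port), float(dur)))
    return rows

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    best, run, prev = 0, 0, None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best, prev = max(best, run), v
    return best

def find_router_findings(rows, routers=ROUTERS):
    """Return (rule, src, detail) for each indicator seen from a router address."""
    findings, short = [], defaultdict(list)
    for src, dst, port, dur in rows:
        if src not in routers:
            continue  # these rules only make sense for an edge device
        if port == DROPBEAR_PORT:
            findings.append(("outbound-ssh-2332", src, dst))
        if dur <= SCAN_MAX_DURATION:
            short[src].append((int(ip_address(dst)), port))
    for src, conns in short.items():  # sequential ports on one host, or sequential hosts
        run = max(longest_run(p for _, p in conns), longest_run(h for h, _ in conns))
        if run >= SCAN_MIN_RUN:
            findings.append(("scan-pattern-egress", src, f"{len(conns)} short connections"))
    return findings
```

Calling `find_router_findings(parse_log(SAMPLE_LOG))` on the constructed log yields one finding for the SSH session to port 2332 and one for the five-port sweep, while the workstation's HTTPS traffic is ignored.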
The deeper lesson outlasts this botnet. The same residential-proxy economy that turns hacked TV boxes into trusted home addresses is now consuming retired networking gear as reconnaissance infrastructure. Every device you stop tracking does not disappear. It just stops being yours.