AryStinger Malware Turns 4300 RTL819X Routers into Parallel Reconnaissance Proxies via 2013-2016 CVEs

The campaign began with a single dropper IP on 12 March 2026 pushing a lightweight C ELF binary that exploits decade-old flaws in DIR-850L devices, which comprise 75 percent of infections. A second Go-based strain targeting QNAP NAS via CVE-2025-11837 appeared in late April. Infected nodes perform chunked DNS and subdomain enumeration, tunnel traffic over HTTP/HTTPS with XOR-obfuscated Protobuf, and maintain persistence through hardcoded Dropbear SSH on port 2332 or gs-netcat. Geographic concentration in South Korea and China aligns with exposed legacy hardware pools rather than targeted selection.

Evidence shows two build variants: a minimal C router implant limited to mass scanning and relay, and a fuller NAS version embedding fscan, ksubdomain, and httpx plus on-demand ScriptWork execution of attacker Go/Java/Python. C2 domains ajb8.com and related hosts remain active; the shared key sh_#@!_2024_secret suggests operational continuity from at least 2024. No public attribution exists; technical indicators match n-day exploitation patterns seen in prior residential proxy operations.

This matches the operational relay box model tracked by Mandiant, where state or proxy actors repurpose EoL routers for pre-intrusion footprinting instead of DDoS. The May 2025 FBI takedown of 5socks/Anyproxy services demonstrated identical infrastructure value, yet AryStinger avoids overt monetization signals. The campaign highlights procurement blind spots: agencies and enterprises continue exposing unpatchable 2012-2015 hardware while vendors publish no end-of-support telemetry.

Next steps include monitoring for lateral expansion into additional QNAP and Realtek devices plus potential reuse of the same C2 infrastructure for command relay in follow-on intrusions. Operators should audit for syswapd0h processes and ajb8.com egress immediately; retirement of unsupported routers remains the only durable control.