📃Title: More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers
📅Date: 2026-06-17
🔗References:
Description
Security researchers discovered AryStinger, a botnet that targets legacy routers and NAS devices to build reconnaissance and attack infrastructure. The malware exploits vulnerabilities dating from 2013 to 2025 and has compromised over 4,300 devices globally, primarily D-Link routers using RTL819X chips. AryStinger communicates over HTTP/HTTPS using Protobuf encoding and XOR encryption, and supports tasks including network scanning, traffic proxying, command execution, and persistent backdoor deployment through dropbear or gs-netcat. Two versions exist: RTL819X, written in C for routers, and Standard, written in Go for NAS devices, with expanded capabilities that include integration of the fscan, ksubdomain, and httpx tools. Infected devices serve as distributed scanning nodes and attack proxies, effectively hiding attacker identities during footprinting activities. The campaign shows extremely low detection rates in mainstream security engines, with evidence suggesting operations possibly began in 2024.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="China"
- target-information="Malaysia"
- target-information="Singapore"
- target-information="South Korea"
- target-information="Sweden"
- operating-system="Linux"
- mitre-attack-pattern=['T1543', 'T1082', 'T1071', 'T1190', 'T1021', 'T1016', 'T1087', 'T1090', 'T1059', 'T1083', 'T1049', 'T1057', 'T1027', 'T1573', 'T1095', 'T1505', 'T1071.001', 'T1136', 'T1018', 'T1046']
MISP event uuid: 65db42c9-e25b-479e-95cf-d21fd34c73ae
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP