Thousands of D-Link and QNAP NAS routers compromised by fast-moving AryStinger malware that turns unsecured devices into…

  • QiAnXin XLab uncovered “AryStinger,” malware exploiting old D-Link/Linksys router flaws (CVE-2013-3307, CVE-2016-5681) to build a proxy/reconnaissance network
  • So far 4,300 routers infected, mostly in South Korea (48%) and China (32%), with QNAP NAS devices also targeted via CVE-2025-11837
  • Compromised devices enable scanning, tunneling, and covert control; researchers advise monitoring logs, binaries in /tmp/bin, and suspicious processes like syswapd0h or syswapd0w
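
A triage check for the indicators named in the summary above, as an added example that is not code from the article or from XLab. It assumes a Linux device with a standard /proc layout and a POSIX shell; `PROC_ROOT` and `DROP_DIR` are hypothetical override variables.

```shell
#!/bin/sh
# Added example (not from the article or XLab): look for the indicators the
# summary names on a Linux device: processes syswapd0h / syswapd0w and
# binaries in /tmp/bin. PROC_ROOT and DROP_DIR are hypothetical overrides so
# the same check can run against a copied or mounted filesystem.
PROC_ROOT="${PROC_ROOT:-/proc}"
DROP_DIR="${DROP_DIR:-/tmp/bin}"
SUSPECT_NAMES="syswapd0h syswapd0w"

# One line per process whose name matches an indicator, or whose executable
# was started from DROP_DIR (even if the file has since been deleted).
find_suspect_procs() {
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # status/Name exists on old kernels that lack /proc/PID/comm
        name="$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)" || name=""
        exe="$(readlink "$dir/exe" 2>/dev/null)" || exe=""
        exe="${exe% (deleted)}"   # kernel appends this once the binary is unlinked
        for s in $SUSPECT_NAMES; do
            if [ "$name" = "$s" ] || [ "${exe##*/}" = "$s" ]; then
                echo "PROCESS pid=$pid name=$name exe=$exe reason=name"
                continue 2
            fi
        done
        case "$exe" in
            "$DROP_DIR"/*) echo "PROCESS pid=$pid name=$name exe=$exe reason=path" ;;
        esac
    done
    return 0
}

# One line per regular file (hidden ones included) found in DROP_DIR.
find_dropped_files() {
    [ -d "$DROP_DIR" ] || return 0
    for f in "$DROP_DIR"/* "$DROP_DIR"/.[!.]*; do
        if [ -f "$f" ]; then echo "FILE path=$f"; fi
    done
    return 0
}

# Print all findings, or a single line saying nothing matched.
scan() {
    hits="$(find_suspect_procs; find_dropped_files)"
    if [ -n "$hits" ]; then echo "$hits"; else echo "no indicators found"; fi
}

scan
```

A clean result only means these specific indicators are absent; a process that has been renamed and runs from another directory will not be reported.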

Cybersecurity researchers QiAnXin XLab are warning about an ongoing campaign to create a distributed reconnaissance and proxy network out of people’s routers and NAS devices.

The campaign targets outdated and unsupported routers (mostly D-Link and Linksys) powered by Realtek’s RTL819X chips, which were a popular choice between 2012 and 2015. The attackers are leveraging two (ancient) vulnerabilities, CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones, to infect the devices with a previously undetected piece of malware called AryStinger.

According to the researchers, AryStinger is used during the reconnaissance and...

Copyright of this story solely belongs to techradar.com.