• Thousands of D-Link and QNAP NAS routers compromised by fast-movi

    From TechnologyDaily@1337:1/100 to All on Mon Jun 22 13:30:40 2026
    Thousands of D-Link and QNAP NAS routers compromised by fast-moving
    AryStinger malware that turns unsecured devices into a malicious proxy botnet

    Date:
    Mon, 22 Jun 2026 12:15:00 +0000

    Description:
    More than 4,000 routers have been compromised so far, while the number of poisoned NAS devices remains unknown.

    FULL STORY ======================================================================
    - QiAnXin XLab uncovered AryStinger, malware exploiting old D-Link/Linksys router flaws (CVE-2013-3307, CVE-2016-5681) to build a proxy/reconnaissance network
    - So far 4,300 routers infected, mostly in South Korea (48%) and China (32%), with QNAP NAS devices also targeted via CVE-2025-11837
    - Compromised devices enable scanning, tunneling, and covert control; researchers advise monitoring logs, binaries in /tmp/bin, and suspicious processes like syswapd0h or syswapd0w

    Cybersecurity researchers QiAnXin XLab are warning about an ongoing campaign to create a distributed reconnaissance and proxy network out of people's routers and NAS devices.

    The campaign targets outdated and unsupported routers (mostly D-Link and Linksys), powered by Realtek's RTL819X chips, which were a popular choice between 2012 and 2015. The attackers are leveraging two (ancient) vulnerabilities, CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones, to infect the devices with a previously undetected piece of malware called AryStinger.

    According to the researchers, AryStinger is used during the reconnaissance and planning stages of a more serious cyberattack. Devices infected with this malware can scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, all while hiding the location (and true identity) of the attackers.

    Targeting NAS devices

    "Once compromised by malware like AryStinger that possesses reconnaissance and covert control capabilities, it is equivalent to a hacker placing a permanent 'invisible listening device' and 'attack springboard' within your network," the researchers said.

    QiAnXin's XLab says that so far, AryStinger has infected 4,300 routers, but stresses that this is not the final number and that, with the campaign ongoing, it will rise even more.

    The majority of the victims are located in South Korea (48%) and China (32%), with notable mentions being Sweden, Malaysia, and Singapore.

    AryStinger also targets QNAP's NAS devices, leveraging a code injection flaw in the devices' Malware Remover. This flaw, tracked as CVE-2025-11837, was first discovered during last year's Pwn2Own event, and was patched in November 2025. The researchers don't know how many of these devices are currently infected, and say the 4,300 figure only relates to routers.

    The researchers did not attribute this attack to any particular threat actor.

    To defend against AryStinger, the researchers recommend monitoring the logs for any outbound connections to the C2 and download domains (found here), checking /tmp/bin for unrecognized binaries, and looking for processes named syswapd0h or syswapd0w.
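
    The three checks recommended above, as a POSIX shell script. This is an added example, not code from the article or from XLab; the PROC_ROOT and BIN_DIR overrides, the function names and the IoC-file format (one domain per line) are assumptions of this example, and the domain list itself has to come from the XLab report.

```shell
#!/bin/sh
# Added example (not from the article or XLab): triage for the named indicators.
# PROC_ROOT / BIN_DIR overrides are assumptions of this example so the checks
# can also run against an offline copy of a device's filesystem.
PROC_ROOT="${PROC_ROOT:-/proc}"
BIN_DIR="${BIN_DIR:-/tmp/bin}"
SUSPECT_NAMES="syswapd0h syswapd0w"

# Print "pid name exe" for processes whose comm, argv[0] or exe basename matches.
find_suspect_procs() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || comm=""
        arg0=$(cat "$d/cmdline" 2>/dev/null | tr '\0' '\n' | head -n 1) || arg0=""
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=""
        for n in $SUSPECT_NAMES; do
            case "$n" in "$comm"|"${arg0##*/}"|"${exe##*/}")
                echo "${d##*/} $n ${exe:-unknown}"; break ;;
            esac
        done
    done
}

# Print "ELF|other size path" for every regular file in BIN_DIR, for review.
list_bin_dir() {
    [ -d "$BIN_DIR" ] || return 0
    for f in "$BIN_DIR"/* "$BIN_DIR"/.[!.]*; do
        [ -f "$f" ] || continue
        # Bytes 1..3 of an ELF header are the letters "ELF".
        magic=$(dd if="$f" bs=1 skip=1 count=3 2>/dev/null | tr -d '\0') || magic=""
        [ "$magic" = "ELF" ] && kind=ELF || kind=other
        echo "$kind $(wc -c < "$f" | tr -d ' ') $f"
    done
}

# Print lines of log file $2 containing any domain from $1 (one per line, '#'
# comments allowed). Blank lines are dropped: an empty -f pattern matches all.
# Substring match, so hits are leads to review, not verdicts.
match_ioc_domains() {
    pats=$(grep -v -e '^[[:space:]]*$' -e '^#' "$1") || return 0
    printf '%s\n' "$pats" | grep -F -i -f - "$2" || true
}

find_suspect_procs
list_bin_dir
if [ $# -eq 2 ]; then match_ioc_domains "$1" "$2"; fi
```

    Pass the IoC list and a DNS or firewall log as the two arguments to include the domain check.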

    Via The Hacker News



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/thousands-of-d-link-and-qnap-nas-routers-compromised-by-fast-moving-arystinger-malware-that-turns-unsecured-devices-into-a-malicious-proxy-botnet


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)