
New AryStinger Malware Campaign Targets Legacy Routers and NAS Devices Globally

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

SEOUL — Researchers from QiAnXin's XLab have identified a new malware family dubbed "AryStinger" that has infected at least 4,300 legacy routers and QNAP network-attached storage (NAS) devices worldwide. The campaign appears designed to build a distributed reconnaissance proxy network for attackers.

The infection activity was detected on June 22, 2026. Analysis of the compromised infrastructure indicates that South Korea accounts for nearly half of all affected systems at 48 percent, followed by China with 32 percent. Additional infections have been confirmed in Sweden, Malaysia, and Singapore.

AryStinger targets specific vulnerabilities in older networking hardware to establish persistent access on infected devices. Once installed, the malware transforms these routers and storage units into nodes within a larger proxy network. This infrastructure allows threat actors to route traffic through compromised systems, masking their true location while conducting surveillance or preparing for further attacks.

The campaign specifically exploits known weaknesses in legacy router firmware that has not received security updates since 2019. QNAP NAS devices were targeted using similar techniques involving unpatched remote administration protocols. Security experts note that the geographic distribution suggests a coordinated effort rather than random opportunistic scanning, though no single threat actor has claimed responsibility.

The malware's primary function involves establishing command-and-control channels between infected nodes and external servers located in neutral jurisdictions. This architecture enables attackers to conduct reconnaissance operations without exposing their own infrastructure to detection by security teams or law enforcement agencies monitoring known malicious IP addresses.
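The article describes the compromised routers and NAS units acting as relay nodes: traffic enters from outside and leaves again toward other destinations. That relay pattern is something a network team can look for in its own flow records even when the device itself cannot be patched. The script below is an added illustration, not code from the article or from XLab, and the heuristic (inbound sessions from the Internet combined with outbound connections fanning out to several unrelated external /24 networks) and its thresholds are assumptions of this example; the flow records are constructed, using reserved documentation and benchmarking address ranges, and their format is invented for the example.

```python
"""Flag LAN devices whose traffic looks like a relay node: inbound sessions
from the Internet plus outbound connections to many unrelated external
networks. The heuristic and thresholds are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Address space considered "inside" the monitored network (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records in a made-up "src,dst,dport" format.
# 10.0.0.5  : NAS showing the relay pattern (inbound from outside, wide fan-out)
# 10.0.0.20 : NAS used legitimately (inbound from one remote user, little fan-out)
# 10.0.0.30 : workstation (wide fan-out but nothing inbound from outside)
SAMPLE_FLOW_LINES = """
# external hosts open sessions to the NAS
203.0.113.7,10.0.0.5,8080
203.0.113.9,10.0.0.5,8080
# the NAS then fans out to five distinct external /24 networks
10.0.0.5,198.18.1.10,443
10.0.0.5,198.18.2.10,443
10.0.0.5,198.18.3.10,443
10.0.0.5,198.18.4.10,22
10.0.0.5,198.18.5.10,443
10.0.0.5,198.18.5.11,443
# legitimate NAS: one remote user, one outbound destination (update check)
203.0.113.50,10.0.0.20,443
10.0.0.20,198.18.7.1,443
# workstation: plenty of outbound browsing, no inbound from the Internet
10.0.0.30,198.18.1.1,443
10.0.0.30,198.18.2.1,443
10.0.0.30,198.18.3.1,443
10.0.0.30,198.18.4.1,443
10.0.0.30,198.18.5.1,443
10.0.0.30,198.18.6.1,443
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Parse the constructed 'src,dst,dport' records; skip blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        flows.append(Flow(src, dst, int(dport)))
    return flows


def find_relay_candidates(flows, min_inbound_sources=1, min_fanout_nets=5):
    """Return {device: (distinct external sources seen inbound,
    distinct external /24s seen outbound)} for devices over both thresholds."""
    inbound = defaultdict(set)      # internal device -> external source addresses
    fanout_nets = defaultdict(set)  # internal device -> external /24 destinations
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if not src_in and dst_in:
            inbound[f.dst].add(f.src)
        elif src_in and not dst_in:
            # Group destinations by /24 so one busy host does not inflate fan-out.
            net = ipaddress.ip_network(f"{f.dst}/24", strict=False)
            fanout_nets[f.src].add(net)
    candidates = {}
    for device, nets in fanout_nets.items():
        n_in = len(inbound.get(device, ()))
        if n_in >= min_inbound_sources and len(nets) >= min_fanout_nets:
            candidates[device] = (n_in, len(nets))
    return candidates


if __name__ == "__main__":
    hits = find_relay_candidates(parse_flows(SAMPLE_FLOW_LINES.splitlines()))
    for device, (n_in, n_nets) in sorted(hits.items()):
        print(f"{device}: {n_in} inbound external source(s), "
              f"{n_nets} outbound external /24 network(s) -> review as relay candidate")
```

On the constructed data only 10.0.0.5 is reported; the legitimately used NAS is not, because a remote user session alone does not produce the outbound fan-out, and the workstation is not, because nothing from outside connects to it. In a real deployment the thresholds need tuning against a baseline, and a hit is a reason to inspect the device, not proof of compromise.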

QiAnXin researchers stated that the scale of infection indicates a long-term operation rather than an isolated incident. The distributed nature of the proxy network complicates mitigation efforts, as removing malware from individual devices does not dismantle the overall system controlling them.

Network administrators in affected regions are advised to update firmware on all legacy equipment and disable remote administration features where possible. However, many older router models no longer receive security patches from manufacturers, leaving users vulnerable even after applying available updates.

The purpose behind building this specific proxy network remains unclear. While the infrastructure supports reconnaissance activities typical of advanced persistent threats, analysts have not yet identified any data exfiltration or direct attacks originating from the compromised devices beyond initial infection phases.

Further investigation continues as security teams work to trace the origin of the campaign and identify potential targets for future operations using this newly established network.
