AryStinger Malware Turns 4,300 Routers into Proxy Network


A new malware family turns forgotten home routers into a reconnaissance proxy network. QiAnXin's XLab reports 4,300 infected routers, with numbers rising. Unlike DDoS botnets, AryStinger scouts networks before attacks.

A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network. Unlike the typical DDoS botnet these devices usually end up in, this one's built for stealth. QiAnXin's XLab calls it AryStinger and has counted at least 4,300 infected routers so far. That number is still climbing.

### What Makes AryStinger Different?

The distinction matters. Most router malware aims to flood servers with traffic or mine cryptocurrency. AryStinger doesn't do that. It exists for the stage of an attack that comes before the break-in. Think of it as a scout, not a soldier. It turns your old router into a node that helps attackers map networks, test credentials, and find weak spots without raising alarms.

Infected routers become part of a proxy network. Attackers route their traffic through these devices to hide their real location. This makes it harder for security teams to trace the source of an attack. It's like using someone else's car to case a neighborhood.

### How Does the Infection Happen?

AryStinger targets legacy routers that haven't been updated in years. These devices often have default passwords or unpatched vulnerabilities. The malware spreads by scanning for these weak points and automatically installing itself. Once inside, it connects to a command-and-control server to get instructions.

The infected router then waits for commands. It can forward traffic, proxy connections, or scan other devices on the network. Because the router is often forgotten in a closet or basement, users rarely notice anything wrong. The device might run a bit slower, but most people blame their internet provider.

### Who's at Risk?

Anyone with an old router sitting in a drawer or still in use is at risk. The malware specifically targets models that are no longer supported by their manufacturers. These devices can't receive security updates, so they remain vulnerable forever.

Here's what you can do to protect yourself:

- Check your router's model and see if it still gets firmware updates
- Change the default admin password to something strong
- Disable remote management if you don't need it
- Consider replacing any router older than five years

### The Bigger Picture

This isn't just about a few thousand routers. It's a shift in how attackers operate. Instead of building their own infrastructure, they're borrowing yours. Every forgotten device becomes a potential foothold. For businesses, this means your employees' home networks could be a backdoor into your corporate systems.

The proxy network AryStinger creates is also hard to dismantle. Each infected router is a separate point of entry. Taking down one doesn't stop the others. Security teams have to identify and clean thousands of devices spread across different countries and internet service providers.

### What You Should Do Now

If you're managing a network, start by auditing all connected devices. Look for routers that haven't been updated in months. Check for unknown devices on your network. Use network monitoring tools to spot unusual traffic patterns.

For home users, a simple step is to reboot your router regularly. This can sometimes flush out malware that's only stored in memory. But the best defense is to replace old hardware. A new router costs around $50 to $100 and comes with security features that older models lack.
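
For anyone keeping a device inventory, the checklist above can be run as a repeatable audit. The script below is an added example, not something from XLab's report; the CSV column names, the sample devices and the 180-day firmware threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real devices); column names are assumptions.
INVENTORY_CSV = """\
host,model,purchased,last_firmware,vendor_supported,default_admin_pw,remote_mgmt
gw-office,ExampleRouter A1,2023-03-01,2025-01-10,yes,no,no
gw-closet,ExampleRouter B2,2016-06-15,2018-02-01,no,yes,yes
gw-remote,ExampleRouter C3,2021-09-20,2024-01-05,yes,no,yes
"""

MAX_AGE_YEARS = 5          # the article's "older than five years"
STALE_FIRMWARE_DAYS = 180  # assumption for "haven't been updated in months"


def audit(csv_text, today):
    """Return {host: [findings]} for every device that fails a checklist item."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        purchased = date.fromisoformat(row["purchased"])
        last_fw = date.fromisoformat(row["last_firmware"])
        if row["vendor_supported"] != "yes":
            findings.append("no vendor firmware support: replace")
        if (today - purchased).days > MAX_AGE_YEARS * 365:
            findings.append("older than five years")
        if (today - last_fw).days > STALE_FIRMWARE_DAYS:
            findings.append("firmware not updated recently")
        if row["default_admin_pw"] == "yes":
            findings.append("default admin password in use")
        if row["remote_mgmt"] == "yes":
            findings.append("remote management enabled")
        if findings:
            report[row["host"]] = findings
    return report


if __name__ == "__main__":
    # Fixed audit date so the constructed sample gives the same result every run.
    for host, findings in audit(INVENTORY_CSV, date(2025, 6, 1)).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Devices flagged as unsupported belong at the top of the replacement list, since no password change or setting will bring firmware updates back.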

### Final Thoughts

AryStinger is a reminder that security isn't just about the devices you use actively. It's also about the ones you forgot. Every router, printer, or smart device connected to your network is a potential target. Keep them updated, change default passwords, and retire old hardware when it stops getting support. The malware's numbers are still rising, but awareness is the first step to protection. Don't let your forgotten router become someone else's tool.