- QiAnXin
- So far, 4,300 routers have been infected, mainly in South Korea (48%) and China (32%), with QNAP NAS devices also targeted via CVE‑2025‑11837.
- Compromised devices enable scanning, tunneling and covert control; researchers advise monitoring logs, binaries in /tmp/bin, and suspicious processes like syswapd0h or syswapd0w.
Cybersecurity researchers at QiAnXin XLab are warning of an ongoing campaign to create a distributed reconnaissance and proxy network from users’ routers and NAS devices.
The campaign uses malware called AryStinger.
According to researchers, AryStinger is used during the reconnaissance and planning stages of a more serious cyberattack. Devices infected with this malware can scan the Internet, fingerprint services, enumerate subdomains, tunnel traffic, and execute commands on demand, all while hiding the location (and true identity) of attackers.
Targeting NAS devices
“Once compromised by malware like AryStinger that has reconnaissance and covert control capabilities, it is the equivalent of a hacker placing a permanent ‘invisible listening device’ and ‘attack springboard’ within your network,” the researchers said.
QiAnXin’s XLab says that so far AryStinger has infected 4,300 routers, but emphasizes that this is not the final figure and that with the ongoing campaign this figure will increase even further.
The majority of victims are in South Korea (48%) and China (32%), with notable mentions being Sweden, Malaysia and Singapore.
AryStinger also targets QNAP’s NAS devices, exploiting a code injection flaw in the device’s Malware Remover. This flaw, identified as CVE-2025-11837, was first discovered during last year’s Pwn2Own event and was patched in November 2025. Researchers are unsure how many of these devices are currently infected and say the 4,300 figure only concerns routers.
Researchers did not attribute this attack to any specific threat actor.
To defend against AryStinger, researchers recommend monitoring logs for any outgoing connections to the C2 and download domains they have published, checking /tmp/bin for unrecognized binaries, and looking for processes named syswapd0h or syswapd0w.
Via The Hacker News
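The local checks recommended above can be scripted; the following is an added example, not code from the article or the researchers' report. It assumes a Linux-based device with /proc and BusyBox-style tools, and the PROC_ROOT, BIN_DIR and SUSPECT_NAMES variables and both function names are introduced by this example.

```shell
#!/bin/sh
# Added example: local triage for the indicators named in the article.
# PROC_ROOT and BIN_DIR are overridable (an assumption of this example) so
# the same checks can run against a mounted image or a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
BIN_DIR="${BIN_DIR:-/tmp/bin}"
SUSPECT_NAMES="syswapd0h syswapd0w"

# Print "pid<TAB>name<TAB>exe<TAB>reason" for each process whose name is a
# listed indicator or whose executable was started from BIN_DIR.
find_suspect_procs() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        name=$(cat "$d/comm" 2>/dev/null) || continue
        # Kernel threads and other users' processes have no readable exe link.
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="?"
        reason=""
        for s in $SUSPECT_NAMES; do
            if [ "$name" = "$s" ]; then reason="name"; fi
        done
        # Also matches "/tmp/bin/x (deleted)": binary removed after launch.
        case "$exe" in
            "$BIN_DIR"/*) reason="${reason:+$reason,}path" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\t%s\n' "${d##*/}" "$name" "$exe" "$reason"
        fi
    done
}

# Print "sha256<TAB>path" for every regular file in BIN_DIR, hidden ones
# included, so each can be compared with the firmware's known files.
list_dropped_binaries() {
    [ -d "$BIN_DIR" ] || return 0
    for f in "$BIN_DIR"/* "$BIN_DIR"/.[!.]*; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum="sha256sum-unavailable"
        fi
        printf '%s\t%s\n' "$sum" "$f"
    done
}

find_suspect_procs
list_dropped_binaries
```

No output means neither local indicator was found on that device; it does not cover the outbound-connection check, which needs the published domain list and the device's or gateway's logs.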





