惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler
T
Tor Project blog
N
Netflix TechBlog - Medium
C
Cybersecurity and Infrastructure Security Agency CISA
V
Vulnerabilities – Threatpost
V
Visual Studio Blog
GbyAI
GbyAI
PCI Perspectives
PCI Perspectives
D
DataBreaches.Net
Jina AI
Jina AI
H
Heimdal Security Blog
云风的 BLOG
云风的 BLOG
P
Privacy International News Feed
A
About on SuperTechFans
J
Java Code Geeks
美团技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
有赞技术团队
有赞技术团队
MyScale Blog
MyScale Blog
博客园 - 司徒正美
C
Check Point Blog
T
Threat Research - Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
宝玉的分享
宝玉的分享
AI
AI
Simon Willison's Weblog
Simon Willison's Weblog
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
Apple Machine Learning Research
Apple Machine Learning Research
Hugging Face - Blog
Hugging Face - Blog
The Last Watchdog
The Last Watchdog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
I
InfoQ
阮一峰的网络日志
阮一峰的网络日志
Cisco Talos Blog
Cisco Talos Blog
W
WeLiveSecurity
Hacker News: Ask HN
Hacker News: Ask HN
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
D
Docker
博客园 - Franky
Security Archives - TechRepublic
Security Archives - TechRepublic

Cyber Security News

AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox Critical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code - Update Now! UNC3753 Uses Screen-Sharing Sessions and RMM Tools to Exfiltrate Sensitive Legal Data New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads ClickFix Campaign Uses EtherHiding and GULoader to Infect Windows Users via Fake CAPTCHA Ghostwriter Hackers Abuse Gmail Admin-Themed Emails to Steal Credentials and 2FA Codes The Half-Life of Threat Intelligence: When Does an IOC Stop Being Useful? Critical Fortinet FortiSandbox Vulnerabilities Actively Exploited in Attacks Aembit Extends IAM for Agentic AI to Microsoft Copilot Studio India Temporarily Bans Telegram Messenger Over Medical Exam Fraud Microsoft 365 Device Code Phishing Campaign Bypasses Password Theft With Legitimate Login Flow AppViewX Launches Agent Identity Security to Govern Agents for the AI and Quantum Era Hackers Weaponize Microsoft Teams Relay to Hide Ransomware Traffic Developer laptops are the credential store attackers are picking through in 2026, GitGuardian announces Endpoint Protection Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase Novo Nordisk Confirms Cyber Attack — Hackers Accessed Patient Medical Data and Internal AI Assets Russian and Chinese Influence Actors Use AI to Evade Bot Detection and Mimic Human Behavior Microsoft Teams Analyze the Wi-Fi Hotspot Data Connected to an Employee’s Device PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions Infinite Campus Data Breach Exposes 137,000 Users Personal Details OptinMonster Plugin Hack Exposes 1.2 Million Wordpress Sites to Cyberattack Ransomware Ecosystem Consolidates Around LockBit Alumni, Qilin, Hyflock, and The Gentlemen Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns LiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild Cisco SD-WAN vManage Vulnerability Exploited in Zero-Day Attacks Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure Microsoft Site Showing Warning Following Certificate Expiry DPAPISnoop Tool Extracts CREDHIST Hashes for Offline Windows Credential Recovery SHADOWBYT3$ Allegedly Claim Breach of Nintendo, Stealing Sensitive Data Anthropic Updated Privacy Policy to Include Identity Verification for Claude Users Critical Microsoft 365 Copilot Vulnerability Allows Attackers to Steal Data in One Click Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees China-Nexus Hackers Use Backdoored PAM Modules for Credential Theft and Authentication Bypass SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users PromptSnatcher Ad Blocker Extensions Steal AI Chats From ChatGPT, Claude, and Gemini Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT Windows 11 Update KB5094126 Freezes Systems, Forces BitLocker Recovery, and More Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence SecSuite - AI-powered Tool for OSINT, Web and API Security Testing WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild Threat Actor Malware Platform Exposed via Unlocked PHP Installation Page Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management Maine Takes Data Breach Reporting Portal Offline After Fake VRChat and Discord Filings 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From Hackers Server BugHunter - Bug Bounty Toolkit Powered by Claude and Free AI Providers Splunk Enterprise Pre-Auth RCE Chain Exposes Database With Zero Authentication Anthropic Fable 5 and Mythos 5 Access Blocked to All Users Following Government Directive Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications Facebook and Instagram Down Globally, Users Reporting Multiple Issues Google Sues Chinese Cybercrime Network for Using Gemini AI to Launch Cyberattacks 400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers Critical Vulnerability Chain in LangGraph Allows Attackers to Gain Full Server Control SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations Authorities Dismantle Cryptocurrency Laundering Services ‘AudiA6’ Used by Ransomware Gangs Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters CISA Requires Federal Agencies to Patch Critical Vulnerabilities Within 3 Days OceanLotus APT Compromises FireAnt MetaKit in Supply-Chain Attack on Stock Investors GoFlateLoader Uses Massive PE Overlay to Deliver Lumma, Vidar, and StealC Infostealers Critical Langflow Vulnerability Exploited to Execute Malicious Code Hackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking Researcher Hacked Google Using AI and Earned $500,000 Bug Bounty GitHub to Automate Disable npm Script Installs to Block Supply Chain Attacks Claude Mythos Turning N-Days Into N-Hours With Rapid Working Exploit Creation CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks Hackers Use Weaponized DMG Files to Target macOS Users With Infostealer Malware Hackers Use BLUERABBIT Backdoor to Encrypt Files and Wipe Disks Across Windows Systems Hackers Abuse Residential Proxy Networks to Hide Malicious Activity and Evade Detection Cybercriminals Abuse Chinese-Language Guarantee Marketplaces to Trade Stolen Credentials Ivanti Command Injection Vulnerability Exploited in Attacks Following PoC Release PoC Exploit Released for Guest-to-Host Escape Linux Kernel Vulnerability Oracle Emergency Security Update to Fix Critical RCE Vulnerability GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan Hackers Abuse VMware-Signed Binary to Sideload NIGHTFORGE Loader in Espionage Attacks Multiple Splunk Enterprise Vulnerabilities Allow Attackers to Execute Malicious Script Hackers Abuse AWS CloudTrail and Google Cloud Logging to Evade Detection and Exfiltrate Logs China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks Top 5 Best Tools for Simulated DDoS Attacks in 2026 Critical Vulnerability in Hugging Face Transformers Enables Remote Code Execution Attacks OWASP CVE Lite CLI - New Tool to Scan for Vulnerabilities in Your Projects Anthropic's Claude Services Down — claude.ai, Claude Code, and Cowork Affected [Updated] Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware New Magecart Attack Turns Stripe into a Malware Command Server Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network
Tushar Subhra Dutta · 2026-06-23 · via Cyber Security News

A newly discovered botnet called AryStinger has quietly hijacked more than 4,300 routers across the globe, turning them into a silent army of attack proxies.

The threat actors behind this campaign are exploiting decade-old vulnerabilities to build a covert reconnaissance infrastructure, and what makes it particularly alarming is how well it manages to stay hidden from traditional security tools.

The campaign first came to light on March 12, 2026, when a network-wide threat monitoring system flagged a suspicious IP address spreading a malware sample through two known router vulnerabilities, CVE-2013-3307 and CVE-2016-5681.

These flaws affect several Linksys and D-Link router models from over ten years ago. The malware was going completely undetected, with zero flags across major security scanning platforms.

Researchers from Qianxin XLab said in a report shared with Cyber Security News (CSN) that they identified and documented this unusual attack campaign, noting that it targets router devices built on the RTL819X series chips, which were most widely used between 2012 and 2015.

The team later captured a related sample on April 26 targeting NAS devices, spread through CVE-2025-11837. Based on its source code path and behavior, they named this new malware family AryStinger.

Unlike typical botnets that focus on DDoS attacks or mining cryptocurrency, AryStinger is built for something far more calculated. It is designed to quietly gather information and serve as a launch pad for deeper intrusions.

The infected router becomes a ghost node, helping attackers hide their real location while conducting reconnaissance on other networks.

The hardcoded encryption key found inside AryStinger reads “sh_#@!_2024_secret,” hinting that this campaign may have been active since at least 2024.

Subsequent task dispatch (Source - Qianxin)
Subsequent task dispatch (Source – Qianxin)

The full scale of the operation remains unknown, since current infection counts only cover RTL819X routers and do not yet reflect how many NAS devices may also be compromised.

AryStinger Botnet Hijacks 4,300+ Routers

Once AryStinger infects a router, it registers the device with a command-and-control server by sending device fingerprint data including MAC address, IP addresses, operating system version, and CPU architecture.

This data is encrypted before transmission. The server then assigns each infected device a unique Executor ID, turning it into a managed node in the botnet.

Each infected node, called an Executor, receives a small piece of a larger scanning task. The attacker distributes these chunks across hundreds of devices simultaneously, enabling fast and distributed reconnaissance across the internet.

XOR decryption and Protobuf deserialization (Source - Qianxin)
XOR decryption and Protobuf deserialization (Source – Qianxin)

The botnet supports port scanning, service identification, subdomain enumeration, and traffic tunneling, all while keeping the attacker’s true identity hidden.

The infected devices are predominantly D-Link DIR-850L routers, accounting for about 75 percent of all known infections. South Korea holds the highest share at 48.45 percent, followed by China at 31.82 percent, Sweden at 6.40 percent, Malaysia at 3.50 percent, and Singapore at 2.50 percent.

Two Versions, One Dangerous Goal

AryStinger comes in two distinct versions that share the same core logic. The RTL819X version is written in C and is a lean build made specifically for old routers, focusing mainly on DNS scanning and tunnel functionality.

The Standard version is written in Go and targets NAS devices, with a broader feature set including intranet scanning, script execution, and the ability to run payloads written in Go, Java, or Python.

The Standard version’s ScriptWork feature is particularly flexible, allowing attackers to send raw code directly to infected devices without compiling separate binaries for different platforms.

Both versions establish persistent backdoors on infected devices, either through a lightweight SSH server called dropbear or through gs-netcat, giving attackers long-term remote access.

Security researchers strongly recommend that users check their network traffic for any communication with the IOC domains in this report.

Users should also inspect the /tmp/bin directory on their device for unknown files, and verify whether processes named syswapd0h or syswapd0w are actively running.

Any router whose firmware has not received updates in years should be replaced or taken offline without delay.

Indicators of Compromise (IoCs):-

TypeIndicatorDescription
IP Address107.150.106.14Scanner IP used to spread AryStinger via CVE-2013-3307 and CVE-2016-5681
C2 Domainhttp://opi7.comAryStinger Command and Control server
C2 Domainhttp://xook.ajb8.comAryStinger Command and Control server
C2 Domainhttp://xonice.ahb8.comAryStinger Command and Control server
C2 Domainhttp://eixfi.ajb8.comAryStinger Command and Control server
C2 Domainhttps://dybic.ajb8.comAryStinger Standard version C2
C2 Domainhttps://sdkv1.dataexplore.ccAryStinger Tunnel C2
C2 Domainhttps://sdkv1.dataexplore.coAryStinger Tunnel C2
Downloader Domainhgodpcx.auq8.comDownloader server for AryStinger Standard version
Downloader Domainhgodpcx.ajb8.comDownloader server for AryStinger RTL819X version
Downloader Domainio.ary2.comAdditional downloader domain
URLhttps://hgodpcx.ajb8.com/prod/RTL819X/{version}/manifest.jsonRTL819X version manifest URL
URLhttps://hgodpcx.ajb8.com/prod/standard/{version}/manifest.jsonStandard version manifest URL
URLhttp://hgodpcx.ajb8.com/prod/RTL819X/{version}/syswapd0RTL819X sample download URL
URLhttps://hgodpcx.ajb8.com/prod/standard/{version}/syswapd0-linux-amd64Standard sample download URL
MD5 Hashabae20b26b70b526bebb5e2617092edeAryStinger RTL819X syswapd0 V2.0.28
MD5 Hash4c80d17fa5db5b1c2aaddb5351e9cb6bAryStinger RTL819X syswapd0 V2.0.27
MD5 Hasha5101caf0a1789d6a4bc30e644d6b152AryStinger Standard syswapd0-linux-amd64 V1.0.102
MD5 Hashdf0c9f6289e56f31c0700f40590857d3AryStinger RTL819X syswapd0 V2.0.19
MD5 Hash8e55d712a99d2cd45e8592c6dda5110AryStinger RTL819X syswapd0 V2.0.21
MD5 Hash0ba24db187836efe77ed7e75d279d33AryStinger RTL819X syswapd0 V2.0.3
MD5 Hash6f761f63642cd6329a29cfad80be50c3AryStinger RTL819X syswapd0 V2.0.4
MD5 Hashdbcc5a3e6afe41060d6357e24dc03fd3AryStinger RTL819X syswapd0 V2.0.5
MD5 Hasha97e552f5e655e1cfa56853f65beeb0eAryStinger RTL819X syswapd0 V2.0.6
MD5 Hashc113739225ece5f6e4805466dec1401dAryStinger RTL819X syswapd0 V2.0.7
MD5 Hash0a2d2a4ec1ca2aa6a23a35abb5a75451AryStinger RTL819X syswapd0 V2.0.8
MD5 Hashdd1e5a3cd9f842bd70be45a62c3ebbf6AryStinger RTL819X syswapd0 V2.0.9
MD5 Hash16fed5909de4f50351fc33fbfcf156dfAryStinger RTL819X syswapd0 V2.0.10
MD5 Hash6f91d1f8f0cbaab137351936b52f7a94AryStinger RTL819X syswapd0 V2.0.11
MD5 Hashfc4cee066d8526f5806bb23278f647daAryStinger RTL819X syswapd0 V2.0.12
MD5 Hash7b361a6d0d42309d09ec9000b53712b3AryStinger RTL819X syswapd0 V2.0.13
MD5 Hash18f894a3168ee0b809eed321a2e748b4AryStinger RTL819X syswapd0 V2.0.14
MD5 Hash0627f034c42549e2130734b5f8dbf854AryStinger RTL819X syswapd0 V2.0.15
MD5 Hashb9406e969cdfdaef433e93d0b9ad1f5dAryStinger RTL819X syswapd0 V2.0.16
MD5 Hashf093891e281bcd9c8016dea7d89cc671AryStinger RTL819X syswapd0 V2.0.17
MD5 Hash9221423d7daff9e64f7e2af54f911feaAryStinger RTL819X syswapd0 V2.0.18
MD5 Hash7f2b2e3516fa454adfd51f857ae80adfAryStinger RTL819X syswapd0 V2.0.20
MD5 Hashdbdd4d8e4aef3ce69cf65ed470425c89AryStinger RTL819X syswapd0 V2.0.21
MD5 Hashd79270ba44e665ebb0383eb77a52e38bAryStinger RTL819X syswapd0 V2.0.22
MD5 Hash36ff9f683e870145aaf5a715bc934762AryStinger RTL819X syswapd0 V2.0.23
MD5 Hashdc35086ba0f5f83545c32a023a1f3be4AryStinger RTL819X syswapd0 V2.0.24
MD5 Hash7461445fca3f9d8911148e0908d33c3bAryStinger RTL819X syswapd0 V2.0.25
MD5 Hasha3181550e0e0a6153a44b7a0495535b0AryStinger RTL819X syswapd0 V2.0.26
MD5 Hashfffcbd0ac2cb545496890f50395181ffAryStinger RTL819X syswapd0 V2.0.29
MD5 Hasha3e3197e2344c51e95c063541ea22205AryStinger RTL819X syswapd0 V2.0.30
MD5 Hashe9916ff56074725f5739ead5091fe6c7AryStinger RTL819X syswapd0 V2.0.31
MD5 Hashff11e000f377c54dea928b09ebad9df8AryStinger Standard syswapd0-linux-amd64 V1.0.61
MD5 Hashfcc9de5c040307e6ac3011e8b379f6d9AryStinger Standard syswapd0-linux-amd64 V1.0.62
MD5 Hashed9209111b995cbe78f8e097c289f127AryStinger Standard syswapd0-linux-amd64 V1.0.63
MD5 Hashb104a05e8a2e218adfb7654ba8bf3d49AryStinger Standard syswapd0-linux-amd64 V1.0.64
MD5 Hash9660895fa3fcabbef466703636f6d51dAryStinger Standard syswapd0-linux-amd64 V1.0.66
MD5 Hashb0f4f813a9de094c06821366e2459aeeAryStinger Standard syswapd0-linux-amd64 V1.0.67
MD5 Hash8cc249b16adf7e4a658af7fa31d7998eAryStinger Standard syswapd0-linux-amd64 V1.0.68
MD5 Hash9973676bfa9fe89aa5c76e3cd0b21ae8AryStinger Standard syswapd0-linux-amd64 V1.0.76
MD5 Hashd997efa98afab2c003654b8d5ce2bedfAryStinger Standard syswapd0-linux-amd64 V1.0.79
MD5 Hash8deb2a60d42de0f8f8786e485d2f046fAryStinger Standard syswapd0-linux-amd64 V1.0.80
MD5 Hashdc71c10ca0b2c83b6b3a6a062fca314fAryStinger Standard syswapd0-linux-amd64 V1.0.81
MD5 Hash6869f24aecd75e2144aba8dc03dc2d0fAryStinger Standard syswapd0-linux-amd64 V1.0.88
MD5 Hash05627d1bddb7292bb45139244f46051fAryStinger Standard syswapd0-linux-amd64 V1.0.89
MD5 Hash19232d0eff3ef7aee3b5d7620c72358cAryStinger Standard syswapd0-linux-amd64 V1.0.90
MD5 Hash8edb3ea62a7e643ba1a88d20799cf94fAryStinger Standard syswapd0-linux-amd64 V1.0.91
MD5 Hashea2fe3b409da439aec25cf7eabf5b7a7AryStinger Standard syswapd0-linux-amd64 V1.0.93
MD5 Hash0ffb4b4e430f4b69216fb9d2e082e482AryStinger Standard syswapd0-linux-amd64 V1.0.95
MD5 Hash5d9cdb072415b191df3f444f53b2ff4bAryStinger Standard syswapd0-linux-amd64 V1.0.96
MD5 Hash44805c4b36bd3d97ba8ecaf6fe103572AryStinger Standard syswapd0-linux-amd64 V1.0.97
MD5 Hashd2fd89ebdad493ec9ac76ce35213cec4AryStinger Standard syswapd0-linux-amd64 V1.0.98
MD5 Hasha2d54fcd0c2816f607a5962523fc648cAryStinger Standard syswapd0-linux-amd64 V1.0.101
MD5 Hashe6b27080aa1ce1901a23dd75716d9092AryStinger Tunnel nat_tunnel-linux-x86_64
File Namesyswapd0hAryStinger malicious process name (RTL819X variant)
File Namesyswapd0wAryStinger malicious process name (RTL819X variant)
File Namenat_tunnel-linux-x86_64AryStinger Tunnel tool binary
Encryption Keysh_#@!2024_secretHardcoded XOR encryption key used in C2 communication

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google NewsLinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.

Tushar Subhra Dutta

Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.