A new malware called AryStinger has compromised at least 4,300 legacy home routers, repurposing them as a distributed proxy and reconnaissance network rather than a traditional DDoS botnet. The infected devices are used to conduct pre-attack intelligence gathering, helping threat actors blend malicious traffic into legitimate residential IP ranges. The infection count is reportedly still growing, making this an active and evolving threat.

Security Architect’s Take: Audit your organisation’s egress filtering and threat intelligence feeds to flag or block traffic originating from known residential and SOHO router IP ranges commonly associated with proxy abuse. Additionally, ensure any remote access or perimeter services log and alert on unusual source IP diversity, which may indicate reconnaissance traffic routed through compromised devices like these.

Original advisory: AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network