The AryStinger botnet is actively exploiting two end-of-life vulnerabilities in D-Link DIR-850L and Realtek RTL819X-based routers (CVE-2013-3307, CVE-2016-5681) and one actively patched vulnerability in QNAP’s Malware Remover component (CVE-2025-11837) to build a distributed reconnaissance and proxy network of approximately 4,300 compromised devices. No remediation exists for the legacy router hardware; QNAP devices have a vendor patch available. Compromised edge devices in your environment or supply chain can mask attacker origin and facilitate undetected network mapping.