QNAP NAS devices running the Malware Remover component are actively targeted by the AryStinger botnet campaign via CVE-2025-11837, a recently patched vulnerability. Unlike the end-of-life Linksys and D-Link hardware in the same campaign, QNAP has issued a vendor patch — making this a straightforward patch-now priority for any organization running QNAP NAS devices with Malware Remover installed. Compromised QNAP devices are being used as ORB reconnaissance and tunneling nodes rather than for direct data theft, but their network position makes them useful for lateral movement staging.