
Ankura CTIX FLASH Update – June 24, 2026

Security researchers have identified a previously undocumented malware botnet, dubbed AryStinger, that has compromised more than 4,000 end-of-life routers and network-attached storage (NAS) devices, turning them into distributed infrastructure for malicious operations. The malware lets attackers remotely control infected devices as "executors" capable of internet-wide scanning, proxying, tunneling, command execution, and reconnaissance, so that large tasks can be divided across many hosts to improve efficiency and evade detection. AryStinger primarily targets outdated D-Link routers by exploiting known vulnerabilities, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, with infections concentrated in South Korea, China, and several other Asian and European countries. Researchers identified both a C-based variant focused on legacy routers and a more advanced Go-based version targeting NAS devices; the latter features DNS and IP scanning, internal network reconnaissance, payload execution, and the ability to run Shell, Go, Java, and Python code on compromised systems. In addition to serving as a launchpad for future intrusions, the malware can alter DNS settings to hijack web traffic and potentially intercept or steal network communications. While researchers have not attributed AryStinger to any known threat actor or observed it being used for large-scale DNS attacks, they warn that its architecture could support such activity in the future and recommend replacing unsupported networking equipment, applying firmware updates, changing default credentials, and disabling remote management interfaces to mitigate risk. CTIX analysts will continue to write about novel malware and attack techniques.


The Gentlemen, a highly active and technically agile ransomware-as-a-service (RaaS) group, has been developing and maintaining endpoint detection and response (EDR) disabling tools, known as EDR killers, for its affiliates to help them evade detection during ransomware attacks. Instead of relying on affiliates to source their own tools, the operators develop and maintain a standardized EDR killer suite centered on the in-house GentleKiller framework. GentleKiller has at least eight (8) variants, each abusing a different vulnerable or malicious driver via the Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel privileges, then hunting more than 400 processes tied to around forty-eight (48) security products. All variants share a common development template, code obfuscation, and process-killing logic, and are wrapped in commercial protectors (Enigma, Themida) and given fake or stolen certificates, filenames, and icons that impersonate well-known security vendors. The Gentlemen also rapidly weaponize newly published BYOVD proofs of concept and integrate third-party EDR killers (HexKiller, ThrottleBlood, HavocKiller) behind the same evasion layer, likely for redundancy and to complicate attribution. A Rust-based credential stealer, OxideHarvest, supplements this toolset. Operationally, The Gentlemen runs a double-extortion RaaS with generous affiliate payouts (around 90%) and a globally distributed victimology focused on Southeast Asia, South America, and Western Europe rather than the US. Target selection appears to be influenced by FortiGate endpoint configurations, and the group has been tied to high-profile compromises and a sizable SystemBC proxy botnet.
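As an added example (not part of the Ankura briefing and not any vendor's tooling), the Python script below shows the kind of check a defender would run against the BYOVD pattern described above. It parses rendered Sysmon Event ID 6 (DriverLoad) records and flags three indicators that the GentleKiller tradecraft implies: a driver hash on a vulnerable-driver blocklist, a signature that is not valid (the forged or stolen certificates mentioned), and a driver image loaded from a user-writable directory. The Sysmon records, file paths, signer names and the blocklist hash are constructed placeholders; in practice the hash set would come from a maintained source such as Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example, not Ankura's or any vendor's tooling. The records below are
constructed to mirror the fields Sysmon renders for a DriverLoad event; the
"vulnerable driver" hash is a placeholder standing in for a real blocklist
such as Microsoft's vulnerable driver blocklist or loldrivers.io.
"""
import re

# Constructed placeholder: in production, load SHA256 values from a maintained
# vulnerable/malicious driver blocklist (Microsoft's or loldrivers.io).
VULNERABLE_DRIVER_SHA256 = {
    "0f" * 32: "placeholder entry for a known vulnerable signed driver",
}

# Kernel drivers normally load from %SystemRoot%\System32\drivers or the
# DriverStore; a .sys under a user-writable directory is a BYOVD staging tell.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|Downloads|Public)\\", re.I)

# Constructed Sysmon DriverLoad records (one blank line between events).
SAMPLE_EVENTS = r"""
RuleName: -
UtcTime: 2026-06-24 09:58:12.114
ImageLoaded: C:\Windows\System32\drivers\ndis.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

RuleName: -
UtcTime: 2026-06-24 10:03:41.902
ImageLoaded: C:\ProgramData\svchelper\kdrv.sys
Hashes: SHA256=0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
Signed: true
Signature: Some Hardware Vendor Ltd
SignatureStatus: Valid

RuleName: -
UtcTime: 2026-06-24 10:03:52.337
ImageLoaded: C:\Users\Public\avfilter.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Example Security Vendor Inc
SignatureStatus: Revoked
"""


def parse_sysmon_events(text):
    """Split rendered Sysmon event text into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; paths keep theirs
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def sha256_of(event):
    """Pull the SHA256 digest out of Sysmon's 'Hashes: SHA256=..,IMPHASH=..' field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def triage_driver_load(event):
    """Return the list of BYOVD indicators for one DriverLoad event (empty if clean)."""
    reasons = []
    digest = sha256_of(event)
    if digest in VULNERABLE_DRIVER_SHA256:
        reasons.append("sha256 on vulnerable-driver blocklist: " + VULNERABLE_DRIVER_SHA256[digest])
    # A vulnerable driver is *validly* signed; that is what makes BYOVD work.
    # An invalid/revoked signature instead points at a forged or stolen cert.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        status, signer = event.get("SignatureStatus", "unknown"), event.get("Signature", "?")
        reasons.append(f"signature status {status} (signer: {signer})")
    if USER_WRITABLE.search(event.get("ImageLoaded", "")):
        reasons.append("driver image loaded from a user-writable path")
    return reasons


def find_suspicious_drivers(text):
    """Parse rendered Sysmon DriverLoad events; return (ImageLoaded, reasons) for hits."""
    hits = []
    for event in parse_sysmon_events(text):
        reasons = triage_driver_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious_drivers(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The hash and path rules, not the signature rule, catch the classic BYOVD case: the abused driver is a legitimately signed product, which is exactly why the kernel accepts it. The signature rule covers the impersonation layer (fake or stolen vendor certificates) that the group wraps around its killers. None of this replaces preventive controls such as enforcing Microsoft's vulnerable driver blocklist through HVCI or a WDAC policy.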


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning to Fortinet customers following the disclosure of “FortiBleed,” a massive data leak exposing credentials associated with nearly 74,000 Fortinet firewalls and VPN gateways worldwide. The leaked dataset, discovered by security researcher Volodymyr “Bob” Diachenko, contains usernames, email addresses, plaintext passwords, and device URLs spanning over 21,000 domains across 194 countries, affecting organizations in government, critical infrastructure, telecommunications, healthcare, finance, and manufacturing, including major companies such as Samsung, Mercedes-Benz, Chevron, and AT&T. Threat intelligence firm Hudson Rock described the dataset as one of the largest known collections of compromised Fortinet credentials, while cybersecurity researcher Kevin Beaumont independently verified portions of the data and noted that most affected devices remain online. Diachenko attributed the operation to a Russian-speaking threat group that allegedly conducted more than 1.16 billion credential attempts against over 320,000 FortiGate targets to harvest SSL VPN authentication data, although the exact source of the leaked information remains unknown. In response, CISA urged organizations to immediately terminate active SSL VPN and administrative sessions, reset all associated passwords, enable phishing-resistant multi-factor authentication, restrict management interfaces from internet exposure, remove unauthorized accounts, and review logs for evidence of compromise or lateral movement. The warning comes amid broader concerns over Fortinet security, as CISA currently tracks twenty-six (26) Fortinet vulnerabilities known to have been exploited in the wild, including several leveraged in ransomware campaigns.
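As an added example (not from CISA, Fortinet, or the briefing), the Python below implements the log review CISA recommends, run against constructed FortiOS event logs. It parses the key=value format FortiGate emits, tracks SSL VPN login failures per source IP in a sliding window, flags brute-force and password-spraying bursts, and escalates when a tunnel comes up from an IP that was bursting moments earlier, which is the case where terminating sessions and resetting passwords is urgent. The log lines, IP addresses (TEST-NET ranges), usernames and thresholds are constructed; the field values action="ssl-login-fail" and action="tunnel-up" follow FortiOS event log conventions, but check them against your own firmware's log reference before deploying.

```python
"""Triage FortiGate SSL VPN event logs for credential-stuffing activity.

Added example, not Ankura's, CISA's or Fortinet's code. The log lines are
constructed to resemble FortiOS key=value event logs; IPs are from TEST-NET.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS logs are key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

FAIL_THRESHOLD = 5               # failures from one IP inside WINDOW -> brute force
SPRAY_USERS = 4                  # distinct users from one IP inside WINDOW -> spraying
WINDOW = timedelta(minutes=10)
SUCCESS_ACTIONS = {"tunnel-up"}  # assumption: tunnel-up marks a successful SSL VPN login

# Constructed sample: a spray from 198.51.100.23 that ends in a successful
# tunnel for svc-backup, plus two ordinary mistyped passwords from 203.0.113.8.
SAMPLE_LOG = """\
date=2026-06-24 time=03:12:01 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="a.martin" remip=198.51.100.23 reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2026-06-24 time=03:12:04 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="b.chen" remip=198.51.100.23 reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2026-06-24 time=03:12:07 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="c.ortiz" remip=198.51.100.23 reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2026-06-24 time=03:12:09 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="d.kim" remip=198.51.100.23 reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2026-06-24 time=03:12:12 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="e.ruiz" remip=198.51.100.23 reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2026-06-24 time=03:12:15 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="svc-backup" remip=198.51.100.23 reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2026-06-24 time=03:12:40 type="event" subtype="vpn" level="information" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="svc-backup" remip=198.51.100.23 msg="SSL tunnel established"
date=2026-06-24 time=08:01:10 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="jdoe" remip=203.0.113.8 reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2026-06-24 time=08:01:30 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="jdoe" remip=203.0.113.8 reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
"""


def parse_fortigate(line):
    """Parse one FortiOS log line into a dict of field -> value."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def event_time(ev):
    """Combine FortiOS date= and time= fields into a datetime."""
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def triage_sslvpn(lines):
    """Return findings (dicts) for brute-force, spraying and post-burst logins."""
    events = sorted((parse_fortigate(line) for line in lines if line.strip()), key=event_time)
    fails = defaultdict(list)   # remip -> [(time, user)] still inside the sliding window
    burst_at = {}               # remip -> time the burst was first flagged
    findings = []
    for ev in events:
        ip, t, action = ev.get("remip"), event_time(ev), ev.get("action")
        fails[ip] = [(ft, u) for ft, u in fails[ip] if t - ft <= WINDOW]
        if action == "ssl-login-fail":
            fails[ip].append((t, ev.get("user", "")))
            users = {u for _, u in fails[ip]}
            if ip not in burst_at and (len(fails[ip]) >= FAIL_THRESHOLD or len(users) >= SPRAY_USERS):
                burst_at[ip] = t
                findings.append({
                    "severity": "medium", "remip": ip,
                    "kind": "password spraying" if len(users) >= SPRAY_USERS else "brute force",
                    "detail": f"{len(fails[ip])} failures across {len(users)} users "
                              f"between {fails[ip][0][0]:%H:%M:%S} and {t:%H:%M:%S}",
                })
        elif action in SUCCESS_ACTIONS and ip in burst_at and t - burst_at[ip] <= WINDOW:
            # A login right after a burst: treat the session and account as compromised.
            findings.append({
                "severity": "high", "remip": ip, "kind": "login after burst",
                "user": ev.get("user"),
                "detail": f"tunnel up at {t:%H:%M:%S}; terminate the session, reset the "
                          "password, and review the device for added accounts",
            })
    return findings


if __name__ == "__main__":
    for finding in triage_sslvpn(SAMPLE_LOG.splitlines()):
        print(f"[{finding['severity']}] {finding['remip']} {finding['kind']}: {finding['detail']}")
```

The "login after burst" finding is the one that maps directly onto CISA's first two actions (terminate sessions, reset passwords); the medium findings are where the 1.16 billion attempts described above would surface in a victim's own logs. Thresholds are deliberately low for the sample and would be tuned to the gateway's normal failure rate.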

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
