AryStinger Botnet Infects Outdated D-Link Routers
- Malware Family: AryStinger
- Threat Actor: Unknown (Suspected)
- Victims: Over 4,000 legacy D-Link routers and NAS systems
- Delivery Vector: Exploitation of older CVEs
- Key Capabilities: Traffic proxying, distributed scanning, DNS hijacking
- Source: XLab (Qianxin)
Over 4,000 outdated D-Link routers currently operate within the new AryStinger botnet. This malware compromises legacy hardware to form a distributed network for proxying traffic and launching further attacks. XLab researchers trace the majority of these active infections to South Korea and China.
Delivery Mechanism
Attackers specifically target aging home networking equipment, primarily the D-Link DIR-850L and D-Link DIR-818LW router models. These devices often remain online long past their official support lifecycles, so threat actors exploit known vulnerabilities to gain unauthorized access. They use flaws such as CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837 to breach the devices. Previously, the AVrecon botnet compromised these same models before Lumen disrupted that operation in 2023. Security specialists have not yet attributed AryStinger to any known threat group; any attribution remains suspected rather than confirmed.
Infection Chain
Following the initial breach, the malware transforms the router into a remotely operated node. The developers created two distinct variants of this malware. The primary version utilizes the C programming language and specifically targets legacy routers. Meanwhile, a secondary version written in Go targets Network Attached Storage (NAS) systems. This Go variant possesses unique capabilities to execute payloads and utilize open-source security tools for internal network mapping. However, this second variant currently demonstrates a much lower infection rate. Furthermore, the botnet breaks massive network scanning tasks into smaller fragments. It then assigns these specific fragments across the infected nodes. This distributed approach makes the reconnaissance process faster and harder for defenders to detect.
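The fragmented scanning described above is designed to stay under per-source thresholds: each infected node touches only a few ports, so a classic "one host hit many ports" rule never fires. The detector below is an added example, not code from the article or from XLab; it groups flow records by target and time window and flags targets where many low-volume sources collectively cover a wide port range. The log format, field order, thresholds and the sample flows are all assumptions constructed for this example.

```python
"""Heuristic detector for distributed (fragmented) port scanning.

Added example, not code from the article or from XLab. It looks for
targets where many distinct sources each probe only a few ports, yet the
sources together cover a large port range within one time window. The
record format "<epoch> <src_ip> <dst_ip> <dst_port>", the thresholds and
the sample data are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tuning knobs (assumptions; adjust to your own traffic baseline).
PER_SOURCE_PORT_LIMIT = 5   # more distinct ports than this from one source = classic scan
MIN_SOURCES = 8             # distinct quiet sources needed to call a target "distributed-scanned"
MIN_AGGREGATE_PORTS = 15    # distinct ports those sources must jointly cover
WINDOW_SECONDS = 300        # records are bucketed into 5-minute windows


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse constructed flow records; malformed lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def _group(flows):
    """(window, dst) -> src -> set of destination ports."""
    grouped = defaultdict(lambda: defaultdict(set))
    for f in flows:
        grouped[(f.ts // WINDOW_SECONDS, f.dst)][f.src].add(f.dport)
    return grouped


def classic_scanners(flows):
    """Sources that by themselves exceed the per-source port threshold."""
    found = set()
    for by_src in _group(flows).values():
        for src, ports in by_src.items():
            if len(ports) > PER_SOURCE_PORT_LIMIT:
                found.add(src)
    return found


def find_distributed_scans(flows):
    """Targets whose quiet sources (each under the per-source limit) are
    numerous and jointly cover a wide port range. Returns
    {dst: {"window": w, "sources": n, "ports": m}}."""
    findings = {}
    for (window, dst), by_src in _group(flows).items():
        quiet = {s: p for s, p in by_src.items() if len(p) <= PER_SOURCE_PORT_LIMIT}
        covered = set().union(*quiet.values()) if quiet else set()
        if len(quiet) >= MIN_SOURCES and len(covered) >= MIN_AGGREGATE_PORTS:
            findings[dst] = {"window": window, "sources": len(quiet), "ports": len(covered)}
    return findings


def build_sample():
    """Constructed flows: 12 'nodes' in 203.0.113.0/24 each probing two ports
    on 198.51.100.5; one classic scanner sweeping 198.51.100.7; and one benign
    client repeatedly reaching 198.51.100.9:443."""
    lines = []
    for i in range(12):
        src = f"203.0.113.{10 + i}"
        for port in (1000 + 2 * i, 1001 + 2 * i):
            lines.append(f"{1700000000 + i} {src} 198.51.100.5 {port}")
    for port in range(1, 31):
        lines.append(f"{1700000000 + port} 203.0.113.99 198.51.100.7 {port}")
    for i in range(20):
        lines.append(f"{1700000000 + i} 192.0.2.7 198.51.100.9 443")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print("classic scanners:", sorted(classic_scanners(flows)))
    print("distributed scans:", find_distributed_scans(flows))
```

Running the block reports the single classic scanner separately from the distributed pattern against 198.51.100.5, while the benign HTTPS client produces no finding. In production the input would be NetFlow, firewall or IDS connection logs; the useful design choice is that the two rules are complementary, since a source excluded by the per-source limit is deliberately not counted toward the aggregate.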
Command and Control Activity
The infected devices maintain active connections with operator-controlled infrastructure. Through these channels, operators can scan external networks and proxy malicious traffic. They also build encrypted tunnels and execute remote commands. Qianxin telemetry provides concrete data on the geographic infection distribution. Approximately half of the 4,000 compromised devices reside in South Korea. Another third of the infected hardware operates within China. The remaining infections primarily occur in Sweden, Malaysia, and Singapore. This distributed architecture is what lets AryStinger turn hijacked legacy routers into infrastructure for attacks worldwide.
Data Exfiltration and Monitoring
The threat extends far beyond simple traffic routing. AryStinger can modify the DNS configuration directly on the infected router and thereby redirect users to malicious or fraudulent websites. Additionally, the malware silently monitors both incoming and outgoing network traffic. Home users might only notice frequent connection drops or strange website behavior, while the router quietly processes commands from the botnet operator.
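A router-side DNS change is visible from any client on the LAN: the resolver list the router hands out changes, and answers for well-known domains no longer match what they used to be. The script below is an added example, not code from the article or from XLab. It compares a resolv.conf-style snapshot and a set of canary-domain answers against a baseline recorded when the router was known-good; the LAN range, the expected resolver, the canary domains, their baseline addresses and the "after" snapshot are all constructed assumptions.

```python
"""Client-side check for DNS settings pushed by a compromised router.

Added example, not code from the article or from XLab. Inputs are a
resolv.conf-style text and {domain: set_of_answer_ips}; in practice they
would come from the OS resolver configuration and a lookup tool, here
they are constructed. The LAN network, expected resolver, canary domains
and baseline answers are assumptions for this example.
"""
import ipaddress

# Baseline captured on a known-good day (constructed values).
LAN_NETWORK = ipaddress.ip_network("192.168.0.0/24")
EXPECTED_RESOLVERS = {"192.168.0.1"}          # the router's own LAN address
CANARY_BASELINE = {
    "bank.example": {"203.0.113.44", "203.0.113.45"},
    "login.example": {"203.0.113.60"},
}


def parse_resolv_conf(text):
    """Return nameserver addresses in order; comments and other keys are ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(servers, expected=EXPECTED_RESOLVERS, lan=LAN_NETWORK):
    """Flag every resolver not in the baseline. A resolver outside the LAN that
    the user never configured is the typical sign of a hijacked router."""
    findings = []
    for s in servers:
        if s in expected:
            continue
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "unparseable nameserver"))
            continue
        where = "inside the LAN" if addr in lan else "outside the LAN"
        findings.append((s, f"unexpected resolver {where}"))
    return findings


def check_canaries(answers, baseline=CANARY_BASELINE):
    """Flag canary domains whose current answers share nothing with the baseline.
    Partial overlap is tolerated because CDNs rotate addresses."""
    findings = {}
    for domain, expected_ips in baseline.items():
        got = answers.get(domain)
        if not got:
            findings[domain] = "no answer"
        elif got.isdisjoint(expected_ips):
            findings[domain] = "answers changed to " + ", ".join(sorted(got))
    return findings


# Constructed snapshot after a hypothetical hijack: the router now advertises a
# second resolver outside the LAN and one canary resolves somewhere new.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.0.1
nameserver 198.51.100.23
"""
SAMPLE_ANSWERS = {
    "bank.example": {"198.51.100.77"},
    "login.example": {"203.0.113.60"},
}

if __name__ == "__main__":
    for server, why in check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(f"RESOLVER {server}: {why}")
    for domain, why in check_canaries(SAMPLE_ANSWERS).items():
        print(f"CANARY {domain}: {why}")
```

The two checks catch different hijack styles: replacing the advertised resolver shows up in the first, while a router that keeps its own address as resolver but forwards to a rogue upstream only shows up in the canary comparison. A baseline that is refreshed on a known-good connection (for example via a trusted DNS-over-HTTPS resolver) keeps the canary check meaningful as legitimate addresses change.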
Defense and Detection Guidance
Hardware owners must take immediate action to secure their local networks. Security professionals strongly advise replacing outdated D-Link routers with modern, supported equipment. If immediate replacement is impossible, administrators should install the latest available firmware without delay. Furthermore, users must replace the default administrator password with a strong one. Finally, administrators should disable any remote management interface exposed to the public internet.