AryStinger Botnet Infects Thousands of D-Link Routers Worldwide
A new botnet named AryStinger has infected over 4,000 D-Link routers, primarily DIR-850L and DIR-818LW models, exploiting old vulnerabilities to turn them into proxies for malicious traffic.

Researchers at Qianxin XLab have discovered a new botnet named AryStinger that has infected over 4,000 D-Link routers worldwide. The malware primarily targets outdated DIR-850L and DIR-818LW models, exploiting older vulnerabilities including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837 to compromise devices that are no longer receiving firmware updates.
AryStinger converts infected routers into remotely controlled 'executors' that can perform scanning, proxying, tunneling, and command execution on behalf of the attacker. According to XLab, 'the attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,' enabling efficient footprinting for subsequent intrusions.
Beyond using compromised routers as a springboard, the malware can tamper with DNS settings to hijack browsing and silently monitor all inbound and outbound network traffic. This allows attackers to steal sensitive data or redirect users to malicious sites.
Telemetry data shows that nearly half of all infections are in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%). The two router models were previously targeted by the AVrecon malware botnet, which was disrupted in 2023.
XLab identified two variants of AryStinger: a C-based version targeting routers and a more advanced Go-based version targeting NAS systems. The NAS variant adds capabilities such as IP and DNS scanning, command execution, and internal network reconnaissance by integrating open-source penetration testing tools.
The researchers did not attribute AryStinger to any known threat actor, stating that 'many mysteries surrounding AryStinger remain to be solved.' Owners of end-of-life routers are advised to replace them with actively supported models, apply the latest firmware, change default passwords, and disable remote management.