AryStinger Botnet Infected Thousands of D-Link Routers Worldwide


What happened

A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers and turned them into proxies for malicious traffic.

Researchers at Qianxin’s XLab threat intelligence team said the malware converts infected devices into remotely controlled executors that can perform scanning, proxying, tunneling, command execution, and other attacker-directed activity.

The botnet allows attackers to split large scanning tasks into smaller chunks and distribute them across infected devices for parallel execution. This design helps attackers complete early reconnaissance and footprinting activity more efficiently before launching follow-on intrusions.

Beyond using compromised routers as traffic relays, AryStinger can also tamper with DNS settings, hijack user browsing, and silently monitor or potentially steal inbound and outbound network traffic.

AryStinger exploits older vulnerabilities, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The malware primarily targets outdated D-Link DIR-850L and D-Link DIR-818LW routers.

Qianxin telemetry showed that nearly half of infections were located in South Korea, followed by China, Sweden, Malaysia, and Singapore.

Researchers identified two AryStinger variants. One is written in C and mainly targets outdated routers. The other is written in Go and focuses on NAS systems, though it currently has a much smaller reach.

The NAS-focused version is more advanced and includes IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through open-source penetration testing tools.

Researchers have not attributed AryStinger to any known activity cluster and said many questions around the botnet remain unresolved.

Who is affected

Owners and organizations using outdated D-Link DIR-850L and D-Link DIR-818LW routers are directly affected.

The risk is highest for devices that are end-of-life, exposed to the internet, running outdated firmware, using default administrator credentials, or allowing remote management access.

Users whose routers are infected may have their devices abused as proxies for malicious traffic. They may also face DNS tampering, browsing hijacking, traffic monitoring, and potential theft of network data.

Organizations using vulnerable routers or NAS systems may also face risk if infected devices are used as footholds for reconnaissance or internal network activity.

Why CISOs should care

AryStinger shows how outdated edge devices can become part of attacker infrastructure even when they are not the attacker’s final target. Compromised routers can be used to scan other victims, proxy traffic, tunnel activity, and hide malicious operations behind legitimate residential or business networks.

The DNS tampering and traffic monitoring capabilities are especially concerning. If attackers can alter DNS settings or monitor network traffic through a compromised router, they may be able to redirect users, observe sensitive activity, or support follow-on credential theft.

For CISOs, this reinforces the need to include routers, small office devices, and NAS systems in asset management and vulnerability programs. End-of-life devices often sit outside normal patching cycles but remain connected to networks and exposed to the internet.

The botnet also highlights the risk of distributed reconnaissance. Attackers can use compromised devices to break large scanning operations into smaller tasks, making activity harder to detect and attribute.

3 practical actions

  1. Replace end-of-life routers with supported models: AryStinger primarily targets outdated D-Link DIR-850L and DIR-818LW routers. Organizations should remove end-of-life network devices from production environments and replace them with models that still receive security updates.
  2. Update firmware and disable remote management: Owners of affected routers should apply the latest available firmware updates, change default administrator passwords, and disable remote management panels to reduce exposure.
  3. Monitor DNS settings and outbound network behavior: AryStinger can tamper with DNS settings, hijack browsing, and proxy malicious traffic. Security teams should watch for unexpected DNS changes, unusual outbound connections, proxy-like behavior, and unexplained scanning activity from edge devices.
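The third action above, monitoring DNS settings and outbound behaviour, is the one a security team can automate against data it already has. The script below is an added example and is not code from the article or from Qianxin's XLab; it checks for the three behaviours the article attributes to AryStinger (DNS resolver changes, scan-like fan-out from an edge device, and proxy-like relaying) over constructed sample data. The expected-resolver list, the router DNS readings, the flow-record shape `(src_ip, dst_ip, dst_port)`, the fan-out threshold and the relay heuristic are all assumptions to be mapped onto your own DHCP/DNS configuration and NetFlow or firewall exports; the IP addresses are RFC 5737 documentation ranges, not real infrastructure.

```python
"""Flag edge-router behaviour consistent with the AryStinger activity described
in the article: DNS tampering, distributed scanning, and traffic proxying.
Added example with constructed data; not the article's or XLab's code."""
from collections import defaultdict

# Assumption: resolvers your edge routers are configured to use (from your DHCP/DNS config).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample: DNS resolver settings read from each router's admin interface.
ROUTER_DNS = {
    "router-branch-1": ["10.0.0.53", "10.0.1.53"],
    "router-branch-2": ["10.0.0.53", "198.51.100.7"],   # unexpected resolver (constructed)
}

# Constructed sample: WAN addresses of the routers you manage (RFC 5737 TEST-NET-3).
EDGE_ROUTERS = {"203.0.113.10", "203.0.113.20"}

# Constructed flow records as (src_ip, dst_ip, dst_port); format is an assumption.
FLOWS = (
    # scan-like fan-out: one router touching many external hosts on the same port
    [("203.0.113.20", f"198.51.100.{i}", 8080) for i in range(1, 13)]
    # ordinary outbound traffic from the healthy router
    + [("203.0.113.10", "198.51.100.40", 443), ("203.0.113.10", "198.51.100.41", 443)]
    # relay pattern: external host connects in to the router, router connects out elsewhere
    + [("198.51.100.50", "203.0.113.20", 4444), ("203.0.113.20", "198.51.100.60", 443)]
)


def dns_drift(router_dns, expected):
    """Return {router: [unexpected resolvers]} for routers whose DNS settings deviate
    from the expected set; an empty dict means no drift was found."""
    drift = {}
    for router, resolvers in router_dns.items():
        unexpected = [r for r in resolvers if r not in expected]
        if unexpected:
            drift[router] = unexpected
    return drift


def scan_fanout(flows, threshold=10):
    """Return {(src_ip, dst_port): distinct_destinations} for sources that reached more
    than `threshold` distinct hosts on a single port, the usual horizontal-scan signature.
    The threshold is an assumption; tune it to your baseline."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        targets[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) > threshold}


def relay_candidates(flows, edge_ips):
    """Return edge devices that both accepted a connection from an external host and
    initiated a connection to a different external host. With remote management
    disabled a router should not do both; this is a heuristic for proxy-like use."""
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for src, dst, _ in flows:
        if dst in edge_ips and src not in edge_ips:
            inbound[dst].add(src)
        if src in edge_ips and dst not in edge_ips:
            outbound[src].add(dst)
    return {ip for ip in edge_ips if inbound[ip] and (outbound[ip] - inbound[ip])}


def report(router_dns=ROUTER_DNS, flows=FLOWS, edge_ips=EDGE_ROUTERS,
           expected=EXPECTED_RESOLVERS):
    """Combine the three checks into one findings dict for a ticket or SIEM alert."""
    return {
        "dns_drift": dns_drift(router_dns, expected),
        "scan_fanout": scan_fanout(flows),
        "relay_candidates": sorted(relay_candidates(flows, edge_ips)),
    }


if __name__ == "__main__":
    for check, finding in report().items():
        print(f"{check}: {finding}")
```

In the constructed data, router-branch-2 has picked up a resolver outside the expected set, and the router at 203.0.113.20 both fans out to twelve hosts on port 8080 and accepts an inbound connection before connecting onward, so all three checks fire on it while the healthy router stays quiet. Each check returns a plain structure rather than printing, so it can feed an alert pipeline directly; the DNS check is the cheapest to run on a schedule and is the most direct signal for the tampering the article describes.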

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.