AryStinger botnet infected D-Link routers worldwide


AryStinger botnet infected thousands of D-Link routers worldwide

By Bill Toulas

June 21, 2026

10:14 AM

A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them into proxies for malicious traffic.

Researchers at Qianxin's XLab threat intelligence team say that the malware converts infected devices into remotely controlled “executors” that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker.

“The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.

“With this distributed-like design, the attacker can efficiently complete the early "footprinting" activities, thereby providing strong assurance for the smoothness and success rate of subsequent intrusion operations.”

Apart from using compromised routers as a springboard for malicious operations, XLab warns that the malware can also tamper with DNS settings, hijacking the user’s browsing, and silently monitor and potentially steal all inbound and outbound network traffic.

[Image: Server distributing AryStinger scan jobs. Source: XLab]

AryStinger exploits older flaws such as CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, primarily targeting D-Link DIR-850L and D-Link DIR-818LW routers.

The two router models were previously targeted by the AVrecon malware botnet, which communications services provider Lumen disrupted in 2023.

Qianxin's telemetry data shows that almost half of all infections are located in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).

XLab researchers found two variants of the AryStinger malware: a C-based version targeting mostly outdated routers, and a Go-based one that focuses on NAS systems, but currently with a far more limited reach.

[Image: Infected router establishing C2 communication. Source: XLab]

The NAS version is the more advanced of the two, featuring additional capabilities such as IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through the integration of open-source penetration testing tools.

The researchers noted that AryStinger's distributed DNS-scanning infrastructure could potentially be repurposed to generate large volumes of DNS queries against resolvers, although they did not observe any such attacks.

Regarding the NAS version's code execution capabilities, XLab says there’s support for shell commands, as well as Go, Java, and Python source code.

However, there are some limitations to using source code instead of compiled binaries, as compilation requires language runtimes on the host, and the process as a whole introduces noise that can break stealth.

The researchers did not attribute AryStinger to any known activity cluster, stating that “many mysteries surrounding AryStinger remain to be solved.”

Owners of end-of-life (EoL) routers should replace them with new, actively supported models, apply the latest available firmware updates, change the default administrator account password, and disable remote management panels.


Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
