AryStinger botnet turns 4,000 D-Link routers into proxies

AryStinger botnet – A previously undocumented malware botnet called AryStinger has compromised more than 4,000 outdated D-Link routers, converting them into remotely controlled “executors” that can scan targets, proxy and tunnel traffic, tamper with DNS, hijack browsing, and moni
The first sign of AryStinger isn’t a dramatic disruption—it’s a quiet takeover. Qianxin’s XLab threat intelligence team says a previously undocumented malware botnet has compromised more than 4,000 outdated routers, turning them into proxies that can be used for malicious traffic across the internet.
AryStinger doesn’t just sit inside infected devices. XLab describes how the malware converts compromised equipment into remotely controlled “executors” capable of scanning, proxying, tunneling, command execution, and other attacker-driven activities.
That design matters. The XLab researchers note that the attacker can split a large scanning task into multiple small chunks and distribute them across different executors for parallel execution. In their words, the “distributed-like design” helps the attacker complete early “footprinting” activities efficiently—improving the smoothness and success rate of follow-on intrusion operations.
The botnet’s reach isn’t limited to being a relay point for attacks. XLab warns AryStinger can also tamper with DNS settings, hijack a user’s browsing, and silently monitor—potentially stealing—all inbound and outbound network traffic.
The routers targeted by AryStinger are the kind that tend to linger in homes and small offices long after support has ended. XLab says the malware exploits older vulnerabilities, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The infections focus primarily on D-Link DIR-850L and D-Link DIR-818LW routers.
These models have been under attack before. XLab notes that DIR-850L and DIR-818LW were previously targeted by the AVrecon malware botnet, which Lumen disrupted in 2023.
Where AryStinger is showing up also tells a story. Qianxin’s telemetry data shows nearly half of all infections are located in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).
XLab researchers identified two variants of AryStinger. There is a C-based version targeting mostly outdated routers, and a Go-based version aimed at NAS systems. The NAS-focused variant is described as more advanced, with additional capabilities including IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through the integration of open-source penetration testing tools.
The infrastructure itself carries risk beyond what XLab has observed. XLab says AryStinger’s distributed DNS-scanning infrastructure could potentially be repurposed to generate large volumes of DNS queries against resolvers, though the researchers did not observe such attacks.
For command execution, the NAS version supports shell commands as well as Go, Java, and Python source code. XLab adds that using source code instead of compiled binaries introduces practical limitations: compiling requires language runtimes on the host, and the compilation process can create noise that may break stealth.
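The “compilation noise” XLab mentions is something a defender can look for on a NAS. As an added example that is not XLab’s or the article’s code, the Python below scans constructed process-execution log lines and flags language toolchains (go, javac, python) invoked on files in temporary or share directories; the log format, the share path /volume1/public and the parent process names are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Toolchains a source-dropping implant would need on the host (page: Go, Java, Python).
TOOLCHAINS = {"go", "gccgo", "javac", "java", "python", "python3"}
# Directories where a compile of attacker-dropped source is unusual (assumed NAS layout).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/volume1/public/")

# Constructed sample log in an assumed "<ts> pid= ppid= parent= exe= argv=" format.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z pid=4012 ppid=1 parent=init exe=/usr/bin/python3 argv=/usr/lib/nas/health.py
2024-06-01T10:00:07Z pid=4101 ppid=3990 parent=svchostd exe=/usr/local/go/bin/go argv=go build -o /tmp/.x /tmp/.src/main.go
2024-06-01T10:00:09Z pid=4102 ppid=3990 parent=svchostd exe=/usr/bin/javac argv=javac /volume1/public/.j/Run.java
2024-06-01T10:00:12Z pid=4103 ppid=3990 parent=svchostd exe=/usr/bin/python3 argv=python3 /tmp/.src/task.py
2024-06-01T10:01:00Z pid=4200 ppid=2 parent=cron exe=/usr/bin/python3 argv=/opt/backup/rotate.py
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) parent=(?P<parent>\S+) "
    r"exe=(?P<exe>\S+) argv=(?P<argv>.*)$"
)


@dataclass
class Finding:
    pid: int
    tool: str
    path: str
    reason: str


def suspicious_paths(argv: str) -> list:
    """Return argv tokens that point into a suspect directory."""
    return [tok for tok in argv.split() if tok.startswith(SUSPECT_DIRS)]


def scan(log_text: str) -> list:
    """Flag toolchain executions whose arguments reference suspect directories."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        tool = PurePosixPath(m["exe"]).name
        hits = suspicious_paths(m["argv"]) if tool in TOOLCHAINS else []
        if not hits:
            continue
        hidden = any("/." in p for p in hits)  # dot-directories add to the suspicion
        reason = f"{tool} run by {m['parent']} on {', '.join(hits)}"
        reason += " (hidden directory)" if hidden else ""
        findings.append(Finding(int(m["pid"]), tool, hits[0], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.reason}")
```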
Despite the technical detail, the botnet’s motives and relationships remain unclear. XLab says it did not attribute AryStinger to any known activity cluster, adding that “many mysteries surrounding AryStinger remain to be solved.”
If there’s a clear takeaway for defenders, it’s that end-of-life equipment is becoming a ready-made platform for attackers. XLab recommends that owners of end-of-life (EoL) routers replace them with new, actively supported models, apply the latest available firmware updates, change the default administrator account password, and disable remote management panels.
In a landscape where compromised devices are often expected to stay invisible, AryStinger’s core message is blunt: once a router is outdated and reachable, it can become part of an attacker’s toolkit—quietly scanning, proxying, and even meddling with the traffic that flows through it.
So it’s just random D-Links acting like spies? Love that for us.
I don’t even get why people still have outdated routers, like just upgrade already. But also how does it hijack DNS and browsing without anyone noticing? Seems like it should be illegal or something.
Wait so they’re saying a botnet is using D-Link routers as proxies, but also “monitoring inbound and outbound”?? That sounds like it could be anyone’s traffic. Also DIR-850L is old so why would anyone even keep that running… unless it’s a business thing.
This is why I don’t trust “cheap router deals.” But 4,000 routers is kinda small right? Like I feel like there would be way more noise if it was really stealing everything. Also they mention CVE-2025-11837 like that’s recent, so wouldn’t patches have happened already? Idk maybe they’re counting older infected ones or something.