Researchers from Qianxin XLab have reported a previously unknown botnet, AryStinger, which they say has compromised more than 4,000 outdated routers worldwide. The malware turns infected devices into controlled proxy nodes used for distributed scanning, traffic tunneling, and staging follow‑up attacks. The primary targets are end‑of‑support models D-Link DIR-850L and DIR-818LW. Owners of these devices are advised to consider replacing them immediately, since the vendor no longer releases security updates.
Infection mechanism and exploited vulnerabilities
According to the researchers, AryStinger exploits three vulnerabilities for initial compromise:
- CVE-2013-3307 — a vulnerability from 2013;
- CVE-2016-5681 — a vulnerability from 2016;
- CVE-2025-11837 — a more recent vulnerability.
All three CVEs are registered in the NVD. However, it should be noted that the claim about their active exploitation specifically by AryStinger is based on a single research report and has not yet been confirmed by independent sources. None of these vulnerabilities are listed in the CISA KEV catalog.
The core problem is that the targeted D-Link models reached end of life (EoL) long ago. The vendor is no longer issuing patches for them, which makes any discovered vulnerabilities effectively unfixable through software.
Botnet architecture and capabilities
As reported by the researchers, AryStinger implements a distributed architecture in which infected routers act as remote “workers.” The botnet operators break down large tasks — for example, scanning IP ranges — into smaller chunks and distribute them among numerous compromised devices for parallel execution. This approach speeds up reconnaissance and reduces the likelihood of detection, since each individual node generates only a minimal amount of suspicious traffic.
In addition to proxying and scanning, AryStinger, according to Qianxin XLab, has the following capabilities:
- Changing DNS settings on the infected device;
- Redirecting users’ browser traffic;
- Monitoring and potentially intercepting inbound and outbound network traffic.
DNS modification is a particularly dangerous feature: it allows attackers to silently redirect users to phishing resources or tamper with software updates, while the victim does not notice any anomalies at the device level.
Two variants: routers and NAS
The researchers have identified two AryStinger variants. The first is written in C and targets legacy routers. The second, written in Go, is aimed at network-attached storage (NAS). Although the NAS variant is currently less widespread, it reportedly offers significantly broader functionality:
- IP and DNS scanning;
- Execution of arbitrary commands and additional payloads;
- Reconnaissance in the local network using open‑source penetration testing tools;
- Execution of Go, Java, and Python source code (provided the respective runtimes are present on the compromised system).
Dependence on installed runtimes is both a limitation and a factor that increases detectability: attempts to compile and run code generate noticeable activity that security tools can spot.
The report also mentions the theoretical possibility of using AryStinger’s distributed infrastructure to generate large volumes of DNS requests to resolvers. However, no such attacks have been observed in practice.
Geographic distribution
According to Qianxin XLab telemetry, the distribution of infected devices is uneven:
- South Korea — 48.5%;
- China — 31.8%;
- Sweden — 6.4%;
- Malaysia — 3.5%;
- Singapore — 2.5%.
The dominance of South Korea and China is likely due to the high density of D-Link DIR-850L and DIR-818LW deployments in these regions. It should be noted that these figures come from a single source and have not undergone independent verification.
Risk assessment
The main threat posed by AryStinger is less about direct damage to the owners of infected routers and more about using their infrastructure as a springboard for attacks on third parties. A compromised router in a home or office network creates several risk vectors:
- Traffic interception: all devices behind the infected router are potentially vulnerable to eavesdropping;
- DNS spoofing: users can be redirected to malicious resources without any visible signs of compromise;
- Legal exposure: the IP address of the infected router may appear as the source of scans and attacks;
- Lateral movement: especially for the NAS variant — local network reconnaissance opens a path to compromising other devices.
Mitigation recommendations
Since the affected D-Link models no longer receive updates, the standard “install the patch” approach does not apply. The following measures are recommended:
- Hardware replacement: D-Link DIR-850L and DIR-818LW routers should be decommissioned and replaced with supported models. This is the only reliable measure.
- If immediate replacement is not possible: disable remote administration (WAN access to the management interface), disable UPnP, and change default credentials.
- DNS monitoring: check the router’s DNS settings — if they have been changed to unknown servers, the device may be compromised.
- Network monitoring: watch for anomalous outbound traffic from the router — unusual volumes of connections, communication with atypical IP addresses, or scanning activity.
- Network segmentation: if NAS devices are present in the infrastructure, isolate them in a separate segment with restricted access.
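As an added example (not from the report or from Qianxin XLab), the DNS and network monitoring checks above can be scripted; the resolver allowlist, the threshold values and the flow records below are constructed sample data, and the scan heuristic is a generic sliding-window count of distinct destinations rather than anything the report describes:

```python
"""Defender-side checks for the two monitoring recommendations above.
Constructed sample data stands in for the router's DNS configuration
(as read from its admin interface) and for a NetFlow-style export."""
from collections import defaultdict

# Resolvers the organisation expects on its routers (assumed, documentation range).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def check_dns(configured, trusted=TRUSTED_RESOLVERS):
    """Return configured resolvers that are not on the allowlist (empty = clean)."""
    return set(configured) - set(trusted)


def scan_suspects(flows, window=60.0, min_targets=50):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).
    Flag a source that reaches at least `min_targets` distinct dst_ip:port
    pairs inside any `window` seconds; value is the peak target count."""
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        per_src[src].append((ts, f"{dst}:{port}"))
    flagged = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


# Constructed sample: router 198.51.100.7 probes 120 hosts on port 8080 in 30 s,
# while laptop 198.51.100.20 repeatedly talks to one HTTPS service.
SAMPLE_FLOWS = [(i * 0.25, "198.51.100.7", f"203.0.113.{i % 250 + 1}", 8080)
                for i in range(120)]
SAMPLE_FLOWS += [(i * 10.0, "198.51.100.20", "192.0.2.10", 443) for i in range(12)]

if __name__ == "__main__":
    # Router reports a resolver we do not recognise.
    print("unexpected resolvers:", check_dns(["192.0.2.53", "203.0.113.99"]))
    # Only the router-sourced burst crosses the scan threshold.
    print("scan suspects:", scan_suspects(SAMPLE_FLOWS))
```

Thresholds should be tuned to the network's normal fan-out before alerting on them.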
The AryStinger botnet is yet another reminder that legacy network equipment without vendor support represents not an abstract but a very concrete operational risk. Organizations and home users operating D-Link DIR-850L or DIR-818LW should plan to replace these devices in the near future — without waiting for clear signs of compromise, which in the case of a router botnet may never become obvious to the end user.