AryStinger botnet infected thousands of D-Link routers worldwide
The AryStinger botnet is a newly identified malware that has infected over 4,000 outdated D-Link routers worldwide, primarily targeting models DIR-850L and DIR-818LW. The malware converts infected routers into remotely controlled proxies capable of scanning, proxying, tunneling, command execution, and other attacker-directed activities. It exploits older vulnerabilities such as CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The botnet is geographically concentrated mainly in South Korea and China. AryStinger also includes a more advanced variant targeting NAS systems with additional reconnaissance and code execution capabilities. The malware can tamper with DNS settings to hijack browsing and monitor network traffic. Users of end-of-life routers are advised to replace devices, update firmware, change default passwords, and disable remote management.
AI Analysis
Technical Summary
AryStinger is a previously undocumented malware botnet that compromises outdated D-Link routers, specifically DIR-850L and DIR-818LW models, by exploiting known vulnerabilities CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. Infected routers become 'executors' that perform distributed scanning, proxying, tunneling, and command execution tasks controlled by the attacker. The malware can alter DNS settings to hijack user browsing and monitor network traffic. Two variants exist: a C-based version targeting routers and a Go-based version targeting NAS devices with enhanced reconnaissance and code execution features. The botnet's infections are predominantly located in South Korea and China. The malware infrastructure supports distributed scanning and could be repurposed for large-scale DNS query attacks, though none have been observed. The botnet's full scope and attribution remain unclear.
Potential Impact
AryStinger compromises outdated D-Link routers, turning them into proxies that facilitate malicious activities such as scanning, tunneling, and command execution. The malware's ability to tamper with DNS settings enables browsing hijacking and silent monitoring or theft of network traffic. This undermines network security and user privacy. The presence of a more advanced NAS-targeting variant increases the potential impact by enabling internal network reconnaissance and execution of arbitrary code. The botnet's distributed design enhances the efficiency and scale of attacks. The infection concentration in specific countries indicates regional impact but does not limit global risk.
Mitigation Recommendations
No official patch or vendor advisory is provided in the available data. Users of affected D-Link router models (DIR-850L and DIR-818LW) should replace end-of-life devices with actively supported models. Applying the latest available firmware updates is recommended where possible. Additionally, changing default administrator passwords and disabling remote management interfaces can reduce exposure. Monitoring for unusual network activity related to proxying or DNS tampering is advisable. Patch status is not yet confirmed; check D-Link's advisories for current remediation guidance.
Affected Countries
South Korea, China, Sweden, Malaysia, Singapore
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/ (fetched 2026-06-21)
Threat ID: 6a381629eed863c81e13ce3c
Added to database: 06/21/2026, 16:49:45 UTC
Last enriched: 06/21/2026, 16:49:51 UTC
Last updated: 06/22/2026, 04:14:34 UTC