
The AryStinger botnet has infected thousands of D-Link routers around the world

A previously undocumented malware botnet called AryStinger has compromised more than 4,000 outdated routers and uses them to proxy malicious traffic.

Researchers from Qianxin’s XLab threat intelligence team say the malware turns infected devices into remote-controlled “assassins” that can perform scanning, proxying, tunneling, command execution, and other tasks on behalf of the attacker.

“An attacker can divide a large scan task into many small fragments and distribute them to different hosts so that they run in parallel,” XLab researchers noted.


“With this distributed design, an attacker can successfully complete early ‘fingerprinting’ operations, thus providing a strong guarantee of the smoothness and success rate of subsequent intrusion operations.”
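The fragmentation XLab describes has a defensive consequence worth making concrete: when a /24 sweep is split across dozens of routers, each source touches only a handful of hosts, so the classic per-source scan threshold never fires. The Python below is an added example, not code from XLab or from the botnet; the log format, the bot and target addresses (documentation ranges) and the thresholds are all constructed. It first partitions a target range the way an operator would, then shows that aggregating by destination subnet and port across all sources recovers the campaign that the per-source rule misses.

```python
"""Distributed scanning: attacker-side fragmentation and a detection that survives it.

Added example. The firewall log format ('<src> <dst> <dport> <action>'), the
addresses and the thresholds are constructed for illustration.
"""
from collections import defaultdict
import ipaddress


def split_targets(network, n_bots):
    """Divide a target range into n_bots roughly equal fragments, one per bot.

    Each bot receives only a slice of the address space, so no single source
    ends up probing many hosts (the 'many small fragments' idea)."""
    hosts = list(ipaddress.ip_network(network).hosts())
    size = -(-len(hosts) // n_bots)  # ceiling division
    return [hosts[i:i + size] for i in range(0, len(hosts), size)]


def simulate_scan_log(bots, fragments, port):
    """Constructed firewall-style log lines, one per probe."""
    lines = []
    for bot, fragment in zip(bots, fragments):
        for dst in fragment:
            lines.append(f"{bot} {dst} {port} DROP")
    return lines


def parse_log(lines):
    """Parse '<src> <dst> <dport> <action>' lines into (src, dst, dport) tuples."""
    events = []
    for line in lines:
        src, dst, dport, _action = line.split()
        events.append((src, dst, int(dport)))
    return events


def per_source_scanners(events, min_targets=10):
    """Classic rule: flag a source that probed at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, _ in events:
        targets[src].add(dst)
    return {src for src, seen in targets.items() if len(seen) >= min_targets}


def distributed_campaigns(events, prefix=24, min_targets=20, min_sources=5):
    """Aggregate across sources by (destination /prefix, port).

    A campaign is reported when many distinct hosts in one subnet were probed
    on one port by many distinct sources, regardless of per-source volume."""
    by_key = defaultdict(lambda: {"sources": set(), "targets": set()})
    for src, dst, dport in events:
        subnet = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        key = (str(subnet), dport)
        by_key[key]["sources"].add(src)
        by_key[key]["targets"].add(dst)
    return {k: v for k, v in by_key.items()
            if len(v["targets"]) >= min_targets and len(v["sources"]) >= min_sources}


# Constructed scenario: 30 compromised routers sweep 203.0.113.0/24 on port 8080,
# at most 9 hosts per router, plus two benign connections from another address.
BOTS = [f"192.0.2.{i}" for i in range(1, 31)]
FRAGMENTS = split_targets("203.0.113.0/24", len(BOTS))
LOG = simulate_scan_log(BOTS, FRAGMENTS, 8080)
LOG += ["198.51.100.7 203.0.113.1 443 ACCEPT",
        "198.51.100.7 203.0.113.1 443 ACCEPT"]
EVENTS = parse_log(LOG)

if __name__ == "__main__":
    print("per-source rule flags:", per_source_scanners(EVENTS) or "nothing")
    for (subnet, port), info in distributed_campaigns(EVENTS).items():
        print(f"campaign against {subnet} tcp/{port}: "
              f"{len(info['targets'])} targets from {len(info['sources'])} sources")
```

The per-source rule reports nothing because every bot stays under ten targets, while the cross-source aggregation reports one campaign covering all 254 hosts. The same aggregation works on real firewall or NetFlow exports once the parser is adjusted to their field layout.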

Besides using vulnerable routers as a base for malicious operations, XLab warns that the malware can also tamper with DNS settings, hijack user browsing, and silently monitor and potentially steal all incoming and outgoing network traffic.

The server distributes AryStinger scanning tasks
Source: XLab

AryStinger exploits known flaws such as CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, mainly targeting D-Link DIR-850L and D-Link DIR-818LW routers.

These two router models were previously targeted by the AVrecon malware botnet, which communications services provider Lumen disrupted in 2023.

Qianxin’s telemetry data shows that almost half of all infections are found in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).

XLab researchers discovered two variants of the AryStinger malware: a C-based version that mainly targets outdated routers, and a Go-based one that focuses on NAS systems but has so far achieved only a very limited spread.

The infected router establishes a C2 connection
Source: XLab

The NAS version is the more advanced of the two, with additional capabilities such as IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through integrated open-source penetration testing tools.

The researchers noted that AryStinger’s DNS scanning infrastructure could be repurposed to flood resolvers with large volumes of DNS queries, although they did not observe any such attacks.

As for payload execution, XLab says the NAS version can run shell commands and can also accept payloads delivered as source code in Go, Java, and Python, compiling or interpreting them on the infected host.

Delivering source code instead of precompiled binaries has drawbacks, however: compilation requires the matching language toolchain to be present on the host, and the build process itself generates noise that can expose the activity.
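That noise is the defender's opportunity: a NAS normally has no reason to run `go build` or `javac` against files in a scratch directory, spawned by a process that itself lives in `/tmp`. The Python below is an added example, not XLab's or the malware's code, that scores process-creation events for exactly that pattern. The JSON-lines event format, the timestamps, the toolchain list and the scratch-directory list are constructed assumptions; real NAS firmware uses its own temporary paths, which would need to be added to the list.

```python
"""Flag on-host compilation or interpretation of dropped source files.

Added example. The JSON-lines process-event format, the sample events, the
toolchain names and the scratch-directory list are constructed assumptions;
adjust SCRATCH_DIRS to the paths your NAS firmware actually uses.
"""
import json
import os

# Binaries a source-delivered payload would need on the host (assumed list).
TOOLCHAINS = {"go", "gccgo", "javac", "java", "python", "python3", "gcc", "cc"}
# Directories where a dropper typically stages files (assumed list).
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
SOURCE_EXTS = (".go", ".java", ".py", ".c")

# Constructed process-creation events, one JSON object per line.
SAMPLE_EVENTS = """
{"ts": "2025-01-01T00:00:01Z", "exe": "/usr/local/go/bin/go", "argv": ["go", "build", "-o", "/tmp/.cache/x", "/tmp/.cache/x.go"], "cwd": "/tmp/.cache", "parent_exe": "/tmp/.cache/agent"}
{"ts": "2025-01-01T00:00:02Z", "exe": "/usr/bin/python3", "argv": ["python3", "/dev/shm/s.py"], "cwd": "/", "parent_exe": "/tmp/.cache/agent"}
{"ts": "2025-01-01T00:05:00Z", "exe": "/usr/bin/python3", "argv": ["python3", "/usr/lib/nas/backup.py"], "cwd": "/usr/lib/nas", "parent_exe": "/usr/sbin/crond"}
{"ts": "2025-01-01T00:06:00Z", "exe": "/usr/bin/javac", "argv": ["javac", "/dev/shm/T.java"], "cwd": "/dev/shm", "parent_exe": "/tmp/.cache/agent"}
{"ts": "2025-01-01T00:07:00Z", "exe": "/bin/ls", "argv": ["ls", "-la", "/tmp"], "cwd": "/root", "parent_exe": "/bin/bash"}
"""


def under_scratch(path):
    """True if path is inside one of the assumed scratch directories."""
    path = os.path.normpath(path)
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)


def classify(event):
    """Return the list of reasons an event looks like on-host payload compilation.

    An empty list means the executable is not a toolchain at all; a single
    reason (toolchain invoked, nothing else) is normal on a host that legitimately
    runs scripts, so callers should require at least two."""
    reasons = []
    tool = os.path.basename(event["exe"])
    if tool not in TOOLCHAINS:
        return reasons
    reasons.append(f"toolchain {tool} invoked")
    sources = [a for a in event["argv"] if a.endswith(SOURCE_EXTS)]
    if any(under_scratch(a) for a in sources):
        reasons.append("source file read from scratch directory")
    if under_scratch(event["cwd"]):
        reasons.append("working directory is a scratch directory")
    if under_scratch(event["parent_exe"]):
        reasons.append("parent process runs from a scratch directory")
    return reasons


def find_suspicious(jsonl, min_reasons=2):
    """Scan JSON-lines events; return (ts, tool, reasons) for each suspicious one."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if len(reasons) >= min_reasons:
            findings.append((event["ts"], os.path.basename(event["exe"]), reasons))
    return findings


if __name__ == "__main__":
    for ts, tool, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ts, tool, "->", "; ".join(reasons))
```

The scheduled `backup.py` run from `crond` is left alone because it earns only the single "toolchain invoked" reason, while the three events whose source files, working directory and parent all point into scratch space are reported. Feeding the same logic with auditd or eBPF process events is a matter of mapping their fields onto `exe`, `argv`, `cwd` and `parent_exe`.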

The researchers did not attribute AryStinger to any known activity cluster, saying that “many mysteries surrounding the AryStinger remain to be solved.”

Owners of end-of-life (EoL) routers should replace them with newer, fully supported models; those who cannot should at least install the latest available firmware, change the default administrator password, and disable remote (WAN-side) administration of the management interface.
