PROBABLYPWNED
Malware · June 23, 2026 · 4 min read

AryStinger Botnet Hijacks 4,000+ D-Link Routers as Attack Proxies

A previously undocumented botnet exploits 13-year-old D-Link flaws to build a distributed proxy network. South Korea and China account for 80% of infections.

James Rivera

Threat researchers at Qianxin's XLab have uncovered a previously undocumented botnet that has quietly compromised over 4,000 end-of-life D-Link routers worldwide. The malware, dubbed AryStinger, converts infected devices into a distributed proxy and reconnaissance network that attackers use to hide malicious traffic and map target networks.

The campaign primarily targets D-Link DIR-850L and DIR-818LW router models by exploiting vulnerabilities disclosed as far back as 2013. Despite being long past end-of-life, these devices remain widely deployed in homes and small offices across Asia. The campaign is the latest example of a broader trend: ransomware and malware operators increasingly seek residential proxy networks to mask their operations.

Exploitation and Capabilities

AryStinger exploits three vulnerabilities to gain initial access: CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The combination of decade-old bugs with a more recent flaw suggests the operators continuously update their toolkit to maximize infection rates.

Once compromised, routers become "executors" in a distributed architecture supporting multiple malicious operations:

  • Scanning and reconnaissance — Parallel IP range scans, port probes, and DNS enumeration
  • Proxy tunneling — Routing attacker traffic through legitimate residential IPs
  • Command execution — Running arbitrary commands on infected devices
  • DNS hijacking — Tampering with DNS settings to redirect victim traffic

The DNS hijacking capability is particularly concerning. Attackers can silently redirect browser traffic to phishing pages or malware-hosting sites while monitoring all network traffic passing through the compromised router. This technique has proven effective in similar campaigns targeting network infrastructure, though AryStinger targets consumer hardware rather than enterprise equipment.

Geographic Distribution

Qianxin's telemetry reveals heavily concentrated infections across East Asia:

  • South Korea: 48.5%
  • China: 31.8%
  • Sweden: 6.4%
  • Malaysia: 3.5%
  • Singapore: 2.5%

The South Korea concentration stands out given the country's advanced internet infrastructure. Legacy routers persist even in technologically advanced markets when home users don't prioritize router replacement the way enterprises manage equipment lifecycles.

Technical Variants

XLab researchers identified two distinct malware variants targeting different device categories:

The C-based variant focuses on legacy routers, implementing core botnet functionality including the scanning, proxying, and command execution capabilities. This version optimizes for the limited resources available on aging consumer hardware.

A newer Go-based variant targets NAS systems with more sophisticated capabilities including penetration testing tool integration. The Go version currently shows far more limited deployment, suggesting active development or early-stage rollout.

Both variants implement domain generation algorithms for command-and-control discovery, making infrastructure takedowns difficult without access to the underlying seed values.

Attribution Unknown

Despite detailed technical analysis, XLab researchers stopped short of attributing AryStinger to any known threat actor group. The infrastructure and tooling don't match established IoT botnet operators, and the malware's focus on reconnaissance and proxying rather than DDoS or cryptomining suggests different operational goals than typical IoT malware.

The emphasis on building proxy infrastructure aligns with access broker business models. Criminal groups and nation-state actors alike pay for residential proxy networks to hide intrusion traffic behind legitimate IP addresses—similar to how Operation Endgame disrupted SocGholish infrastructure serving as a malware delivery network. AryStinger could be infrastructure-for-hire or purpose-built for specific campaign support.

Why End-of-Life Devices Matter

AryStinger highlights the persistent security risk from consumer devices that manufacturers no longer support. D-Link stopped issuing firmware updates for the affected models years ago, leaving the vulnerabilities permanently unpatched. The devices work fine for basic networking, so users have no immediate reason to replace them.

This creates a permanent pool of exploitable devices that attackers can harvest at will. Understanding how malware operates helps explain why attackers target these devices: they need persistent infrastructure that security teams struggle to detect. Organizations concerned about supply chain attacks should consider that their employees' home networks frequently include such devices—and those networks now connect to corporate resources more often thanks to remote work normalization.

Recommended Actions

  1. Replace end-of-life routers — DIR-850L and DIR-818LW devices cannot be secured
  2. Audit network equipment age — Establish replacement schedules before devices lose support
  3. Monitor for unusual traffic — Look for scanning activity or unexpected outbound connections from router IP addresses
  4. Segment IoT devices — Keep legacy devices on isolated network segments where possible
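As an added illustration of action 3 (not code from the article or from XLab), the script below runs over a constructed set of flow records and flags a router IP that sweeps one port across many hosts, probes many ports on one host, or originates outbound traffic beyond the DNS and NTP a home router normally sends itself. The flow format, the router address 192.168.1.1 and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): "src dst dport proto".
# 192.168.1.1 is the router's own LAN address; every other address is made up.
SAMPLE_FLOWS = """
192.168.1.1 203.0.113.53 53 udp
192.168.1.1 203.0.113.123 123 udp
192.168.1.1 198.51.100.10 22 tcp
192.168.1.1 198.51.100.11 22 tcp
192.168.1.1 198.51.100.12 22 tcp
192.168.1.1 198.51.100.13 22 tcp
192.168.1.1 203.0.113.77 8080 tcp
192.168.1.1 203.0.113.77 8443 tcp
192.168.1.1 203.0.113.77 9000 tcp
192.168.1.1 203.0.113.77 9001 tcp
192.168.1.50 93.184.216.34 443 tcp
"""
# Traffic a home router itself legitimately originates: DNS forwarding and NTP.
EXPECTED_ROUTER_PORTS = {53, 123}

def parse_flows(text):
    """Parse the whitespace-separated flow format into (src, dst, dport, proto)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto))
    return flows

def analyze_router_flows(flows, router_ips, host_threshold=4, port_threshold=4):
    """Per router IP: ports swept across many hosts (horizontal scan), hosts hit on
    many ports (port probe) and the count of outbound flows a router should never originate."""
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # router -> port -> hosts
    ports_by_host = defaultdict(lambda: defaultdict(set))  # router -> host -> ports
    unexpected = defaultdict(set)
    for src, dst, dport, _proto in flows:
        if src not in router_ips:
            continue  # LAN client traffic merely forwarded by the router is out of scope
        hosts_by_port[src][dport].add(dst)
        ports_by_host[src][dst].add(dport)
        if dport not in EXPECTED_ROUTER_PORTS:
            unexpected[src].add((dst, dport))
    return {
        r: {
            "horizontal_scan": sorted(p for p, h in hosts_by_port[r].items() if len(h) >= host_threshold),
            "port_probe": sorted(h for h, p in ports_by_host[r].items() if len(p) >= port_threshold),
            "unexpected_outbound": len(unexpected[r]),
        }
        for r in router_ips
    }
```

Run it with `analyze_router_flows(parse_flows(SAMPLE_FLOWS), {"192.168.1.1"})`; on real data, feed it flow exports with the gateway's address as the router set and tune the thresholds to the network.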

For organizations with distributed workforces, consider providing guidance or subsidies for home network equipment. The security of corporate data increasingly depends on infrastructure outside IT's direct control.
