Published on June 21, 2026

AryStinger botnet infected thousands of D-Link routers worldwide


Severity
Medium

Detail

AryStinger is a newly identified malware botnet that has infected more than 4,000 outdated routers worldwide, mainly targeting D-Link DIR-850L and DIR-818LW devices. The malware turns infected routers into remotely controlled systems that attackers can use for malicious activities such as scanning, proxying, tunneling, command execution, and network reconnaissance. Most infections were reported in South Korea and China, with smaller numbers also seen in Sweden, Malaysia, and Singapore. The botnet also has a more advanced NAS-focused variant, although it currently appears to have limited reach compared to the router version.

How?

AryStinger infects outdated routers by exploiting known vulnerabilities in old or end-of-life D-Link devices. Once a router is compromised, the malware connects it to the attacker’s command-and-control infrastructure and turns it into an “executor.” This allows attackers to remotely send tasks to the infected router.

Instead of using one system to perform scanning or malicious activity, the attacker can divide a large task into smaller parts and distribute them across many infected routers. This makes the activity faster, harder to block, and harder to trace back to the real attacker. The infected routers can be used as proxies to hide attacker traffic, scan other targets, tunnel connections, execute commands, and support future intrusion attempts.

AryStinger may also tamper with DNS settings, which can redirect users to malicious websites or allow attackers to hijack browsing activity. Since the malware sits on the router, it may also monitor inbound and outbound network traffic passing through the device. This makes the infection risky not only for the router owner but also for any devices connected through the compromised network.

Recommendation

Organizations and users should replace any end-of-life D-Link routers with supported models and ensure all router firmware is updated to the latest available version. Default administrator passwords should be changed immediately, and remote management should be disabled if it is not required. Router DNS settings should also be reviewed for unauthorized changes, while suspected compromised devices should be rebooted, factory reset and reconfigured securely. Network activity should be monitored for unusual outbound connections, proxy activity, or signs of unauthorized access.
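One way to script the DNS review recommended above from a client machine on the network, as an added example that is not part of the original advisory: it parses resolv.conf-style text (the resolvers the router's DHCP handed to the client) and flags any resolver outside an approved set. The approved networks and the sample file are constructed assumptions; replace them with your own values.

```python
import ipaddress

# Assumption: resolvers this network is expected to use (constructed values).
APPROVED = [ipaddress.ip_network(n)
            for n in ("192.168.0.1/32", "9.9.9.9/32", "2620:fe::/48")]

# Constructed sample: resolv.conf as written by a DHCP client.
SAMPLE = """\
# generated by DHCP client
search lan
nameserver 192.168.0.1
nameserver 203.0.113.53
nameserver 2620:fe::fe
nameserver not-an-ip
"""

def parse_nameservers(text):
    """Return (addresses, malformed) from resolv.conf-style text."""
    addrs, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue  # search/options lines are not resolvers
        value = fields[1].split("%", 1)[0]  # drop IPv6 zone id (fe80::1%eth0)
        try:
            addrs.append(ipaddress.ip_address(value))
        except ValueError:
            malformed.append(fields[1])
    return addrs, malformed

def audit_resolvers(text, approved=APPROVED):
    """Return findings: unparseable entries, then resolvers outside 'approved'."""
    addrs, malformed = parse_nameservers(text)
    findings = [f"unparseable nameserver entry: {m}" for m in malformed]
    for addr in addrs:
        if not any(addr.version == net.version and addr in net for net in approved):
            findings.append(f"unapproved resolver: {addr}")
    if not addrs and not malformed:
        findings.append("no nameserver lines found")
    return findings

if __name__ == "__main__":
    for finding in audit_resolvers(SAMPLE):
        print(finding)
```

This check only sees what DHCP hands to clients; if the router forwards DNS queries itself, its upstream DNS servers still have to be reviewed in the router's own administration interface.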

Source

https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide