
AryStinger Turns 4,000 D-Link Routers Into Distributed Proxy Army

bleepingcomputer.com · @fast_hedgehog · 4 hours ago · Cybersecurity · 1 comment

Qianxin's XLab uncovered a botnet exploiting end-of-life D-Link routers to perform parallel scanning, DNS hijacking, and traffic sniffing.

Tags: D-Link, AryStinger, Qianxin XLab, botnet, router security, IoT malware

More than 4,000 D-Link routers running end-of-life firmware are now part of AryStinger, a botnet that turns them into remotely controlled executors for distributed scanning and proxying. Qianxin's XLab threat intelligence team found the malware exploiting three known CVEs: CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The primary targets: D-Link DIR-850L and DIR-818LW routers, the same models the AVrecon botnet hit before Lumen disrupted it in 2023.

Distributed Scanning at Scale

AryStinger splits large scanning tasks into small chunks and distributes them across infected devices for parallel execution. This distributed design lets attackers efficiently footprint networks before launching follow-on intrusions. Beyond proxying, the malware can hijack DNS settings, silently monitor all inbound and outbound traffic, and potentially steal credentials.
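The scanning design described above has a detection consequence: no single infected router probes enough ports to trip a per-source scan threshold, but the union of their probes against one target is still a full sweep. The script below is an added example written for this summary, not code from the article or from XLab; it correlates firewall deny events per destination across all sources and flags a target when aggregate port coverage is broad while each source's share is small. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Correlate firewall deny logs across source IPs to spot chunked, distributed
port scanning (many sources, each probing a small slice of one target).

Added example; not XLab's or the article's code.  The syslog-like line format,
the sample events and the thresholds below are assumptions for illustration."""
import re
from collections import defaultdict

# Assumed log format: "... src=<ip> dst=<ip> dport=<port>"; other lines are skipped.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

MIN_PORTS = 16          # aggregate distinct ports before we call it a sweep
MIN_SOURCES = 5         # how many senders make it "distributed"
MAX_SOURCE_SHARE = 0.25 # no single sender covers more than this share of the sweep


def build_sample_logs():
    """Constructed sample events: one distributed sweep, one classic single-source
    scan and one benign target, plus an unrelated line the parser must ignore."""
    ts = "2024-05-01T10:00:00Z fw DENY"
    lines = []
    # Target A: eight "routers" (203.0.113.10-17) each probe a 3-port chunk of 21-44.
    for i in range(8):
        src = f"203.0.113.{10 + i}"
        for port in range(21 + 3 * i, 24 + 3 * i):
            lines.append(f"{ts} src={src} dst=198.51.100.5 dport={port}")
    # Target B: one host probes 20 ports on its own (ordinary single-source scan).
    for port in range(8000, 8020):
        lines.append(f"{ts} src=192.0.2.77 dst=198.51.100.6 dport={port}")
    # Target C: two hosts hit only web ports, repeatedly (benign noise).
    for src in ("192.0.2.5", "192.0.2.6"):
        for port in (80, 443, 443):
            lines.append(f"{ts} src={src} dst=198.51.100.7 dport={port}")
    lines.append("2024-05-01T10:00:00Z fw ALLOW established session (no src/dst fields)")
    return "\n".join(lines)


def parse(logs):
    """Map dst -> src -> set of probed destination ports."""
    per_dst = defaultdict(lambda: defaultdict(set))
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        per_dst[m["dst"]][m["src"]].add(int(m["dport"]))
    return per_dst


def classify(sources):
    """Decide for one destination whether its probes look like a distributed sweep,
    a single-source scan, or nothing worth flagging."""
    all_ports = set().union(*sources.values())
    distinct = len(all_ports)
    # Largest fraction of the sweep contributed by any one source.
    max_share = max(len(ports) for ports in sources.values()) / distinct
    if distinct >= MIN_PORTS and len(sources) >= MIN_SOURCES and max_share <= MAX_SOURCE_SHARE:
        verdict = "distributed_scan"   # broad coverage, but every sender stays small
    elif distinct >= MIN_PORTS:
        verdict = "scan"               # broad coverage from one or a few senders
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "sources": len(sources),
        "max_source_share": round(max_share, 3),
    }


def analyze(logs):
    """Return {dst: classification} for every destination seen in the logs."""
    return {dst: classify(srcs) for dst, srcs in parse(logs).items()}


if __name__ == "__main__":
    for dst, result in analyze(build_sample_logs()).items():
        print(dst, result)
```

The point of the per-source share check is that a per-IP threshold alone (the classic "N ports from one address" rule) would pass every one of the eight chunked senders; only the destination-centric aggregate exposes the sweep. In production you would also bound the correlation window in time, since the chunks may arrive minutes apart.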

Two Variants, Two Target Sets

XLab identified a C-based variant targeting outdated routers and a Go-based variant focused on NAS systems. The Go version is more advanced: it includes IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through integrated open-source penetration testing tools. It also supports running shell commands and Go, Java, and Python source code, though compiling on-device adds noise that can break stealth.

Geographic Concentration and Remediation

Qianxin's telemetry shows 48.5% of infections in South Korea, followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%). The researchers did not attribute AryStinger to any known group. If you still run a DIR-850L or DIR-818LW, assume it's compromised. Replace any end-of-life router with a supported model, update firmware to the latest available, change default admin credentials, and disable remote management. The distributed scanning infrastructure alone makes these devices a persistent threat.


Source: AryStinger botnet infected thousands of D-Link routers worldwide
Domain: bleepingcomputer.com

