AryStinger Botnet Hijacks 4,000 D-Link Routers as Proxy Network
TL;DR
- Qianxin's XLab team found AryStinger has compromised over 4,000 D-Link routers, primarily DIR-850L and DIR-818LW models.
- The botnet exploits CVEs from 2013 and 2016 alongside CVE-2025-11837, turning routers into distributed scanning and proxy nodes.
- Nearly half of infections are in South Korea (48.5%), with China second at 31.8%; no threat actor attribution has been made.
Thousands of D-Link routers that their manufacturer stopped supporting years ago are still plugged in around the world, and a newly documented botnet is making use of them. According to BleepingComputer, researchers at Qianxin's XLab threat intelligence team have disclosed AryStinger, a previously undocumented botnet that has compromised more than 4,000 routers, primarily D-Link DIR-850L and DIR-818LW models.
AryStinger exploits a combination of old and new vulnerabilities, including CVE-2013-3307 and CVE-2016-5681 alongside the more recent CVE-2025-11837. Once inside, the malware turns each device into what researchers call an "Executor," a remotely controlled node that can scan networks, proxy traffic, and tunnel connections on the operator's behalf. The attacker can "split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution," effectively turning a fleet of compromised consumer routers into a distributed reconnaissance platform.
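Splitting one scan into small chunks across many Executors is precisely what a per-source port-scan threshold cannot see: each compromised router touches only a handful of ports, so no single source trips the rule. The Python below is added here as an example and is not code from the article or from XLab. It parses a constructed flow export (a hypothetical firewall/NetFlow line format; the IP addresses, timestamps and thresholds are all assumptions for the illustration) and runs two rules over it: the classic per-source rule, and an aggregate rule that flags a destination when many sources together cover many distinct ports within one window.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records for this example (not from the article or XLab's
# report). The field layout is a hypothetical firewall/NetFlow export:
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto> flags=<tcp flags>
# Six sources probe 198.51.100.20 on two ports each (a chunked scan), one
# source probes 198.51.100.40 on eight ports (a classic scan), and one
# client makes ordinary HTTPS connections to 198.51.100.30.
SAMPLE_FLOWS = """\
2025-11-03T10:00:01Z src=203.0.113.10 dst=198.51.100.20 dport=21 proto=tcp flags=S
2025-11-03T10:00:01Z src=203.0.113.10 dst=198.51.100.20 dport=22 proto=tcp flags=S
2025-11-03T10:00:03Z src=203.0.113.11 dst=198.51.100.20 dport=23 proto=tcp flags=S
2025-11-03T10:00:03Z src=203.0.113.11 dst=198.51.100.20 dport=25 proto=tcp flags=S
2025-11-03T10:00:07Z src=203.0.113.12 dst=198.51.100.20 dport=53 proto=tcp flags=S
2025-11-03T10:00:07Z src=203.0.113.12 dst=198.51.100.20 dport=80 proto=tcp flags=S
2025-11-03T10:00:12Z src=203.0.113.13 dst=198.51.100.20 dport=110 proto=tcp flags=S
2025-11-03T10:00:12Z src=203.0.113.13 dst=198.51.100.20 dport=143 proto=tcp flags=S
2025-11-03T10:00:20Z src=203.0.113.14 dst=198.51.100.20 dport=443 proto=tcp flags=S
2025-11-03T10:00:21Z src=203.0.113.14 dst=198.51.100.20 dport=445 proto=tcp flags=S
2025-11-03T10:00:33Z src=203.0.113.15 dst=198.51.100.20 dport=3389 proto=tcp flags=S
2025-11-03T10:00:34Z src=203.0.113.15 dst=198.51.100.20 dport=8080 proto=tcp flags=S
2025-11-03T10:00:40Z src=192.0.2.99 dst=198.51.100.40 dport=21 proto=tcp flags=S
2025-11-03T10:00:40Z src=192.0.2.99 dst=198.51.100.40 dport=22 proto=tcp flags=S
2025-11-03T10:00:40Z src=192.0.2.99 dst=198.51.100.40 dport=23 proto=tcp flags=S
2025-11-03T10:00:41Z src=192.0.2.99 dst=198.51.100.40 dport=25 proto=tcp flags=S
2025-11-03T10:00:41Z src=192.0.2.99 dst=198.51.100.40 dport=80 proto=tcp flags=S
2025-11-03T10:00:41Z src=192.0.2.99 dst=198.51.100.40 dport=443 proto=tcp flags=S
2025-11-03T10:00:42Z src=192.0.2.99 dst=198.51.100.40 dport=445 proto=tcp flags=S
2025-11-03T10:00:42Z src=192.0.2.99 dst=198.51.100.40 dport=3389 proto=tcp flags=S
2025-11-03T10:00:45Z src=203.0.113.50 dst=198.51.100.30 dport=443 proto=tcp flags=S
2025-11-03T10:00:46Z src=203.0.113.50 dst=198.51.100.30 dport=443 proto=tcp flags=S
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) flags=(?P<flags>\w+)$"
)


def parse_flows(text):
    """Parse export lines into dicts. Malformed lines are skipped rather than
    aborting the run, since real exports are rarely perfectly clean."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["ts"] = ts.replace(tzinfo=timezone.utc).timestamp()
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def _syn_probes_by_window(flows, window_s):
    """Group initial SYNs by (destination, window start) -> {source: {ports}}.
    Only SYN-only packets count, so established sessions do not inflate the
    port counts."""
    buckets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["proto"] != "tcp" or f["flags"] != "S":
            continue
        key = (f["dst"], int(f["ts"] // window_s) * window_s)
        buckets[key][f["src"]].add(f["dport"])
    return buckets


def detect_single_source_scans(flows, window_s=60, max_ports_per_source=3):
    """Classic rule: one source touching more than max_ports_per_source
    distinct ports on one destination within a window."""
    alerts = []
    for (dst, start), by_src in _syn_probes_by_window(flows, window_s).items():
        for src, ports in by_src.items():
            if len(ports) > max_ports_per_source:
                alerts.append({"dst": dst, "window_start": start,
                               "src": src, "ports": len(ports)})
    return alerts


def detect_distributed_scans(flows, window_s=60, min_sources=5, min_ports=8):
    """Aggregate rule: many sources together cover many ports on one
    destination within a window. max_ports_per_source in the alert shows
    whether the per-source rule above would have seen any of it."""
    alerts = []
    for (dst, start), by_src in _syn_probes_by_window(flows, window_s).items():
        all_ports = set().union(*by_src.values())
        busiest = max(len(p) for p in by_src.values())
        if len(by_src) >= min_sources and len(all_ports) >= min_ports:
            alerts.append({"dst": dst, "window_start": start,
                           "sources": len(by_src), "ports": len(all_ports),
                           "max_ports_per_source": busiest})
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-source rule:", detect_single_source_scans(flows))
    print("aggregate rule: ", detect_distributed_scans(flows))
```

On the constructed data the per-source rule only reports 192.0.2.99; the six chunked sources against 198.51.100.20 stay under its threshold and surface only in the aggregate rule, with `max_ports_per_source` of 2. In production the window and thresholds need tuning per environment, and the aggregate rule should key on the destination (or destination range) rather than the source, since the sources are the part the attacker controls.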
The malware comes in two variants. The C-based version targets the older routers, while a Go-based variant focuses on NAS systems and carries more advanced capabilities. The Go version can tamper with DNS settings, "hijacking the user's browsing, and silently monitor and potentially steal all inbound and outbound network traffic," a risk that extends beyond the router owner to anyone sharing the same network.
Almost half of all infections are concentrated in South Korea (48.5%), with China accounting for another 31.8%, and smaller clusters in Sweden, Malaysia, and Singapore. What the reporting does not give you is attribution: XLab notes that "many mysteries surrounding AryStinger remain to be solved," and no known threat actor has been linked to the botnet. Whether it is being used for credential theft, DDoS staging, espionage, or some other purpose is not yet established.
The clearest near-term beneficiaries of the disclosure are network defenders and ISPs in affected regions, who now have specific CVEs and device models to prioritize in scans and customer advisories. For anyone still running an end-of-life D-Link router, the practical upshot is blunt: these devices are not going to receive patches, so replacement is the only reliable defense. Where replacement has to wait, the usual interim steps apply: disable management from the WAN side, confirm the router's DNS server settings have not been changed, and keep the device off any segment that carries traffic you would mind being proxied or inspected.
Originally reported by bleepingcomputer.com
Original headline: AryStinger Botnet Hijacks 4,000 D-Link Routers as Remotely Controlled Proxy Network for Malicious Traffic