More than 4,000 D-Link routers are infected with the new AryStinger botnet
23.06.26
Cybersecurity experts from the Qianxin XLab research group have recorded a wave of infections by new malware called the AryStinger botnet. According to available data, the threat has already infected more than 4,000 legacy consumer routers worldwide, turning the vulnerable network equipment into proxy servers that relay attackers' internet traffic.
The malware the researchers discovered is a carefully designed malicious tool. The developers of the AryStinger botnet built it to break resource-intensive network tasks down into small units of work and dynamically redistribute them among many compromised routers for parallel processing. This optimized approach gives attackers a tangible advantage in the early stages of network penetration and significantly increases the chances of successfully compromising infrastructure systems.
In addition to the usual role of building a network of transit proxy nodes, the malware can also covertly rewrite the DNS server configuration. By controlling and spoofing DNS, the botnet can serve fake web addresses, redirect users' network requests, and silently monitor and steal sensitive user information from inbound and outbound traffic.
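One way to watch for the DNS rewriting described above from a host behind the router, as an added example that is not from the XLab research: it checks the resolvers handed to the client against an expected list and compares answers for canary names against pinned records. The resolver addresses, canary names and sample inputs are constructed assumptions, and the observed answers are assumed to be collected separately through the network's normal resolver path.

```python
import ipaddress

# Assumptions (constructed values): the resolvers this LAN should hand out,
# and canary names you control whose A records never change.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.0.1/32"),
                      ipaddress.ip_network("192.0.2.53/32")]
CANARY_RECORDS = {"canary-a.example.net": {"198.51.100.10"},
                  "canary-b.example.net": {"198.51.100.20"}}

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue  # comments (# or ;), options and search lines
        try:
            # Drop an IPv6 zone suffix such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
        except ValueError:
            continue  # malformed address: skip instead of crashing
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers that are configured but not on the expected list."""
    return [str(s) for s in servers if not any(s in net for net in expected)]

def canary_mismatches(observed, canaries=CANARY_RECORDS):
    """Canary names whose observed answers differ from the pinned records."""
    bad = {}
    for name, pinned in canaries.items():
        got = set(observed.get(name, ()))
        if got != pinned:
            bad[name] = sorted(got)  # an empty list means no answer at all
    return bad

def assess(resolv_conf_text, observed_answers):
    """Combine both checks into one report suitable for alerting."""
    rogue = unexpected_resolvers(parse_nameservers(resolv_conf_text))
    spoofed = canary_mismatches(observed_answers)
    return {"rogue_resolvers": rogue, "spoofed_canaries": spoofed,
            "tampering_suspected": bool(rogue or spoofed)}

# Constructed sample: a DHCP lease carrying an unknown resolver, and one
# canary name resolving to an address that is not its pinned record.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.168.0.1\nnameserver 203.0.113.77\n"
SAMPLE_ANSWERS = {"canary-a.example.net": ["198.51.100.10"],
                  "canary-b.example.net": ["203.0.113.80"]}

if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV_CONF, SAMPLE_ANSWERS))
```

Canary names only reveal wholesale redirection; spoofing limited to selected domains still has to be caught by auditing the DNS settings stored on the router itself.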
Scale of network propagation

According to telemetry obtained by the experts, the deployment is fairly large and spans many geographic locations, with the peak number of successful compromises recorded in Asia and some European countries.
Botnet infection statistics for different countries:
- South Korea – 48.5%
- China – 31.8%
- Sweden – 6.4%
- Malaysia – 3.5%
- Singapore – 2.5%
Vulnerabilities exploited by AryStinger
The compromise of network devices relies on long-known software flaws. The attackers exploit older security vulnerabilities, including CVE-2013-3307, CVE-2016-5681, and the more recent CVE-2025-11837.
The attack vectors focus entirely on outdated models of household routers, namely the D-Link DIR-850L and DIR-818LW. Notably, these router models were already being actively compromised as early as 2023 by similar malware known as AVrecon, whose infrastructure was neutralized by the joint efforts of the IT company Lumen.
Software modifications: C vs Go
The researchers found significant variation in the AryStinger tooling, with two independent variants operating at the same time:
- Lightweight C variant: intended for simple consumer routers, which account for the bulk of the intrusions because of the limited power of the devices themselves. It spreads quickly across D-Link DIR-family devices.
- Sophisticated Go (Golang) variant: aimed at more capable network-attached storage (NAS) systems. It has a broader set of capabilities, in particular comprehensive analysis of the internal corporate network using open-source penetration-testing tools.

The larger Go variant includes built-in capabilities for deploying Java, Go, and Python scripts directly in the shell. On the other hand, running source scripts rather than lightweight compiled binaries complicates execution and generates extra network "noise", which lets modern monitoring software identify the attack much faster.
Protective measures
To avoid such an attack, the following protective measures are recommended:
- If the device is long past the vendor's update period, it makes more sense to replace the router with a current, modern model;
- Update the operating system and firmware on D-Link models that are still supported;
- Do not leave the default factory password on the administration account;
- Completely disable external remote administration from the WAN side in the router's configuration.


