Overview
A newly identified botnet named AryStinger has compromised more than 4,000 internet-connected devices, primarily targeting end-of-life D-Link routers and selected NAS systems. According to researchers at Qianxin XLab, the malware transforms vulnerable devices into remotely controlled “executors” that can be used to perform scanning, proxying, tunnelling, command execution, and other malicious activities on behalf of an attacker.
While botnets targeting consumer and small business routers are not new, AryStinger demonstrates how outdated infrastructure continues to provide threat actors with a reliable platform for launching attacks, conducting reconnaissance, and potentially intercepting network traffic.
The discovery serves as another reminder that unsupported networking equipment represents a significant security risk, particularly when exposed directly to the internet.

Technical Summary
AryStinger targets known vulnerabilities in older networking devices, focusing primarily on:
- D-Link DIR-850L routers
- D-Link DIR-818LW routers
Researchers identified two separate variants:
Router Variant (C-Based)
The primary version of AryStinger is written in C and targets outdated routers running vulnerable firmware.
Capabilities include:
- Distributed scanning
- Proxy services
- Traffic tunnelling
- Remote command execution
- DNS manipulation
- Traffic interception
NAS Variant (Go-Based)
A second variant written in Go targets Network Attached Storage (NAS) systems.
This version is currently less widespread but includes more advanced functionality such as:
- Internal network reconnaissance
- DNS and IP scanning
- Payload execution
- Remote command execution
- Integration with penetration testing tools
The researchers noted that this version can execute shell commands as well as Go, Java, and Python code, although successful execution depends on the required runtimes being present on the compromised device.
Vulnerability Breakdown
AryStinger exploits several known vulnerabilities affecting older devices:
| CVE | Description |
|---|---|
| CVE-2013-3307 | Legacy D-Link vulnerability |
| CVE-2016-5681 | Remote exploitation vulnerability |
| CVE-2025-11837 | Recently disclosed vulnerability affecting supported targets |
The malware’s success is largely attributed to organisations and consumers continuing to operate devices that have reached End-of-Life (EoL) status and no longer receive security updates.
Unlike zero-day attacks, AryStinger relies on weaknesses that have been publicly known for years, making the campaign particularly concerning from a risk management perspective.
Attack Flow
The attack process is relatively straightforward:
Step 1 – Identify Vulnerable Devices
Threat actors scan the internet for exposed D-Link routers and NAS systems running vulnerable firmware.
Step 2 – Exploit Known Vulnerabilities
Once identified, the attacker exploits one of the known vulnerabilities to gain access to the device.
Step 3 – Deploy AryStinger
The malware is installed and establishes communication with a Command-and-Control (C2) infrastructure.
Step 4 – Register as an Executor
The compromised device becomes part of the botnet and waits for instructions.
Step 5 – Perform Malicious Tasks
Depending on the operator’s objectives, the infected device may be used to:
- Scan external targets
- Route malicious traffic
- Proxy attacker communications
- Execute commands
- Gather intelligence
- Manipulate DNS traffic
The distributed nature of the botnet allows attackers to spread activity across thousands of devices, making detection and attribution significantly more difficult.
Global Impact
Qianxin’s telemetry indicates that infections are concentrated in:
| Country | Percentage |
|---|---|
| South Korea | 48.5% |
| China | 31.8% |
| Sweden | 6.4% |
| Malaysia | 3.5% |
| Singapore | 2.5% |
While the majority of infections are concentrated in Asia, any vulnerable device connected to the internet could potentially become a target.
Why DNS Manipulation Matters
One of the more concerning capabilities highlighted by researchers is AryStinger’s ability to modify DNS settings on infected devices.
For many organisations, DNS is often overlooked as a security control. However, a compromised router controlling DNS resolution can:
- Redirect users to malicious websites
- Intercept login credentials
- Monitor browsing activity
- Bypass security controls
- Facilitate phishing attacks
Because DNS requests are a fundamental part of internet communication, users may never realise their traffic is being redirected.
Defensive Recommendations
Organisations and home users should take immediate action if they are operating older networking equipment.
Replace End-of-Life Hardware
If a router or firewall no longer receives security updates from the manufacturer, replacement should be prioritised.
Apply Firmware Updates
Install the latest firmware available from the vendor.
Disable Remote Administration
Remote management interfaces should only be enabled when absolutely necessary and protected by strong authentication controls.
Change Default Credentials
Many attacks continue to succeed because default administrative passwords remain unchanged.
Segment Critical Systems
Routers, NAS devices, and IoT equipment should be isolated from critical business systems wherever possible.
Monitor DNS Activity
Unexpected DNS changes or unusual outbound DNS traffic may indicate compromise.
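One way to act on this recommendation, as an added example that is not part of the article or the Qianxin XLab research: flag outbound port-53 flows to resolvers outside an approved set, and compare the resolvers a gateway advertises against the expected ones. The flow-log format, the approved resolver addresses and the sample lines are all constructed for the example.

```python
"""Detect DNS traffic to unapproved resolvers and unexpected resolver changes.
Added example; log format and resolver addresses are assumptions, not from the article."""
from collections import defaultdict
import re

# Resolvers the organisation expects its gateway and clients to use (assumed values).
APPROVED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Constructed firewall flow-log lines in a simplified "src dst proto dport" format.
# 192.0.2.1 plays the role of the router; 203.0.113.77 is a resolver nobody configured.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=192.0.2.10 dst=192.0.2.53 proto=udp dport=53
2024-05-01T10:00:02Z src=192.0.2.10 dst=203.0.113.77 proto=udp dport=53
2024-05-01T10:00:03Z src=192.0.2.1 dst=203.0.113.77 proto=udp dport=53
2024-05-01T10:00:04Z src=192.0.2.1 dst=203.0.113.77 proto=tcp dport=53
2024-05-01T10:00:05Z src=192.0.2.11 dst=198.51.100.53 proto=udp dport=53
2024-05-01T10:00:06Z src=192.0.2.11 dst=203.0.113.77 proto=tcp dport=443
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def unapproved_dns_flows(log_text, approved=APPROVED_RESOLVERS):
    """Return {src: {unapproved_resolver: count}} for port-53 flows (UDP or TCP)
    whose destination is not an approved resolver. Non-DNS flows are ignored."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 53:
            continue
        if flow["dst"] not in approved:
            findings[flow["src"]][flow["dst"]] += 1
    return {src: dict(dsts) for src, dsts in findings.items()}


def check_gateway_resolvers(configured, expected=APPROVED_RESOLVERS):
    """Compare the resolvers a router reports (admin page, DHCP offer) with the
    expected set; any extra entry is a DNS change worth investigating."""
    return sorted(set(configured) - set(expected))
```

A router that suddenly sends its own DNS queries to an address nobody configured, or advertises that address via DHCP, is exactly the "unexpected DNS change" the recommendation describes.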
Review Internet-Facing Devices
Regularly identify and assess all externally exposed systems within the organisation.
Expert in the Cloud Insight
What makes AryStinger noteworthy is not the sophistication of the vulnerabilities being exploited, but the age of many of them.
The security industry often focuses on zero-day vulnerabilities and advanced attack techniques, yet campaigns like AryStinger continue to succeed by exploiting devices that should have been retired years ago.
For security architects and IT leaders, the lesson is straightforward: unsupported infrastructure eventually becomes a business risk. Every internet-facing device should have a defined lifecycle, patching process, and replacement strategy.
In many environments, routers, NAS appliances, and IoT devices receive far less attention than servers and endpoints. Threat actors understand this and increasingly target these systems because they often provide persistent access with minimal visibility.
The real issue is not the malware itself. The real issue is the number of organisations still relying on hardware that no longer receives security updates.
Good cybersecurity starts with visibility. You cannot secure what you do not know exists, and you cannot protect infrastructure that vendors no longer support.