A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers. The malware is turning them into proxies for malicious traffic.
Researchers at Qianxin’s XLab threat intelligence team say the malware converts infected devices into remotely controlled executors that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker.
The attacker can split a massive scanning task into many small chunks and distribute them to different executors for parallel execution, XLab researchers note. This distributed design lets the attacker complete early footprinting efficiently, improving the smoothness and success rate of subsequent intrusion operations.
Beyond using compromised routers as a springboard for attacks, AryStinger carries two additional capabilities that make it particularly dangerous for home and small business users. The malware can modify DNS configurations to intercept user web traffic. It can secretly monitor all network data flowing through infected devices. DNS hijacking is especially insidious because it redirects users to fraudulent versions of legitimate websites.
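A defender-side check for the router-level DNS hijacking described above, added here as an example and not taken from the article or from XLab's report. It compares answers from the resolver the router hands out (the one an implant would tamper with) against a trusted resolver; all domains and addresses are constructed sample data.

```python
"""Heuristic detection of router DNS hijacking.

Two signals are raised:
  * a domain whose answers from the router-supplied resolver share no
    address with the trusted resolver (weak on its own: CDNs rotate IPs)
  * one address, never seen from the trusted resolver, that several
    unrelated domains all resolve to on the suspect resolver (strong:
    the classic pattern of funnelling victims to one phishing host)
"""
from collections import defaultdict

# Constructed sample answers (RFC 5737 documentation ranges), not real data.
TRUSTED = {
    "bank.example": {"198.51.100.10"},
    "mail.example": {"198.51.100.20", "198.51.100.21"},
    "cdn.example": {"203.0.113.5"},
    "shop.example": {"198.51.100.30"},
}
SUSPECT = {
    "bank.example": {"192.0.2.77"},
    "mail.example": {"192.0.2.77"},
    "cdn.example": {"203.0.113.9"},      # plausible CDN rotation
    "shop.example": {"198.51.100.30"},   # unchanged
}


def compare_answers(trusted, suspect, min_shared=2):
    """Return (divergent_domains, shared_targets).

    trusted / suspect map domain -> set of IPv4 strings.
    divergent_domains: domains whose suspect answers overlap nothing trusted.
    shared_targets: ip -> sorted domains, for IPs the suspect resolver returns
      for at least min_shared divergent domains and the trusted one never does.
    """
    trusted_ips = set().union(*trusted.values()) if trusted else set()
    divergent, by_ip = [], defaultdict(set)
    for domain in sorted(suspect):
        good, bad = trusted.get(domain, set()), suspect[domain]
        if good and not (good & bad):
            divergent.append(domain)
            for ip in bad - trusted_ips:
                by_ip[ip].add(domain)
    shared = {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_shared}
    return divergent, shared


if __name__ == "__main__":
    div, hot = compare_answers(TRUSTED, SUSPECT)
    print("divergent:", div)
    print("shared hijack targets:", hot)
```

Only the second signal should page an operator; the single divergent CDN domain in the sample is exactly the false positive the threshold filters out.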
AryStinger exploits older vulnerabilities including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, targeting primarily D-Link DIR-850L and D-Link DIR-818LW routers. Both models were previously targeted by the AVrecon malware botnet that Lumen disrupted in 2023. The same routers falling to a new botnet three years after the previous one confirms that end-of-life hardware never truly becomes safe simply because one threat actor moves on.
Qianxin’s telemetry shows that almost half of all infections sit in South Korea at 48.5%, followed by China at 31.8%, Sweden at 6.4%, Malaysia at 3.5%, and Singapore at 2.5%.
XLab researchers found two variants of the malware: a C-based version targeting mostly outdated routers, and a NAS variant that carries more advanced capabilities including IP and DNS scanning, payload execution, and internal network reconnaissance through open-source penetration testing tools.
Researchers did not attribute AryStinger to any known activity cluster, stating that many mysteries surrounding AryStinger remain to be solved. Owners of end-of-life routers should replace them with new, actively supported models immediately. Owners of supported devices should apply the latest available firmware updates and change the default administrator account password. They should also disable remote management panels to reduce the attack surface.