A previously undocumented botnet called AryStinger has compromised more than 4,000 outdated routers, turning them into remotely controlled proxies for scanning, tunneling, and command execution on behalf of attackers.
Researchers at Qianxin’s XLab found that the malware targets end-of-life D-Link DIR-850L and DIR-818LW routers, exploiting known vulnerabilities that were patched years ago. The botnet converts infected devices into executors that can perform distributed scanning tasks, proxy malicious traffic, tamper with DNS settings, and silently monitor network traffic.
South Korea accounts for almost half of all infections at 48.5 percent, followed by China at 31.8 percent. Sweden, Malaysia, and Singapore round out the top five. The same router models were previously targeted by the AVrecon botnet that Lumen disrupted in 2023.
XLab found two variants of AryStinger. A C-based version targets outdated routers, while a more advanced Go-based variant focuses on NAS systems and includes IP scanning, DNS reconnaissance, and the ability to execute shell commands as well as Go, Java, and Python source code.
The researchers haven’t attributed AryStinger to any known threat group, saying many mysteries remain. Owners of older routers should replace them with supported models, apply firmware updates, change default passwords, and disable remote management panels.
