On June 21, 2026, Qianxin XLab researchers disclosed AryStinger, a previously undocumented botnet that has compromised over 4,000 end-of-life D-Link routers. The operation demonstrates that a device's end-of-life does not end the threat — it creates a de facto infrastructure pool for criminal operators.
- Over 4,000 D-Link DIR-850L and DIR-818LW routers compromised, per Qianxin XLab telemetry
- Botnet exploits three vulnerabilities — CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837 — on obsolete firmware that will never be updated
- "Executor" architecture parallelizes distributed footprinting by splitting scanning tasks into chunks
- South Korea and China account for 80.3% of infections; geographic distribution is not uniform
How AryStinger Builds Its Infrastructure
Qianxin XLab identified two malware variants. A C-based variant targets D-Link DIR-850L and DIR-818LW routers, both end-of-life. A second variant, written in Go, is designed for NAS devices and integrates open-source penetration testing tools. The source does not specify the scale of the NAS variant's spread or the exact models targeted.
The access vector exploits three vulnerabilities: CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The first dates back 13 years, the second 10, and the third is from the current year. This mix signals a strategy that does not rely on novelty but on the certainty that EoL devices will never be patched. The DIR-850L and DIR-818LW models were previously targeted by the AVrecon botnet, dismantled by Lumen in 2023.
Once established, the malware elevates the device to a proxy node with tunneling, command execution, DNS manipulation, and traffic monitoring capabilities. The ability to alter DNS settings enables hijacking of user browsing. Monitoring of inbound and outbound traffic potentially exposes every communication traversing the router.
The "Executor" Architecture and Distributed Scanning Model
The distinguishing component of AryStinger is its "Executor" design. The system breaks a large-scale scanning task into multiple smaller chunks and distributes them to different Executors for parallel execution.
"The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution" — Qianxin XLab researchers (via BleepingComputer)
According to the researchers, this distributed design "provides strong assurance for the smoothness and success rate of subsequent intrusion operations." The quote refers to initial footprinting activities: the botnet does not merely compromise devices but prepares the ground for downstream intrusions through systematic, parallelized reconnaissance.
The source does not specify who purchases or uses this proxy infrastructure, nor the ultimate objectives of the tunneled traffic. No infrastructure overlaps linking AryStinger operators to known threat clusters have emerged to date.
Infection Geography and Device Profile
The geographic distribution of infections is concentrated. Per Qianxin telemetry, nearly half of infections — 48.5% — reside in South Korea. China follows at 31.8%. Sweden, Malaysia, and Singapore round out the picture at 6.4%, 3.5%, and 2.5% respectively. The report does not clarify whether this concentration reflects prevalence of specific models, market dynamics, or deliberate operator choices.
The device profile — SOHO and small-business routers — indicates the attack surface is not critical infrastructure but residential and light professional connectivity endpoints. These devices typically lack dedicated security teams, continuous monitoring, and scheduled replacement procedures. Their compromise, however, creates downstream risk: all traversing traffic becomes potentially observable, and the compromised router can be repurposed as a platform for attacks against further targets.
What to Do Now
Users with D-Link DIR-850L or DIR-818LW routers must consider these devices unsafe for sensitive traffic. Replacement with vendor-supported hardware is the only definitive countermeasure, given the models are end-of-life and receive no firmware updates.
For those unable to replace the device immediately, network segmentation reduces exposure: isolate the EoL router in a separate subnet from systems handling sensitive data or financial operations. Monitoring outbound DNS traffic from the router allows anomaly detection: recurring queries to domains unrelated to usual services may signal DNS manipulation.
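The DNS monitoring suggested above, as an added example that is not code from the Qianxin XLab report or the BleepingComputer article: it reads constructed sensor log lines for queries sourced at the router, flags any upstream resolver outside the expected set (a changed resolver is the usual footprint of altered DNS settings) and lists domains outside a baseline of usual services that recur above a threshold. The log format, router address, resolver addresses, baseline and threshold are all assumptions for the demonstration.

```python
# Added example (not from the XLab report): flag DNS behaviour from a SOHO router
# that may indicate DNS manipulation. Log format, router IP, resolvers and
# baseline domains below are constructed assumptions, not values from the page.
from collections import Counter
import re

# Constructed log lines in a simplified "timestamp src dst qname" format.
SAMPLE_LOG = """\
2026-06-21T10:00:01 192.168.1.1 1.1.1.1 time.windows.com
2026-06-21T10:00:05 192.168.1.1 1.1.1.1 update.microsoft.com
2026-06-21T10:00:09 192.168.1.1 198.51.100.77 login-bank.example
2026-06-21T10:01:09 192.168.1.1 198.51.100.77 login-bank.example
2026-06-21T10:02:09 192.168.1.1 198.51.100.77 login-bank.example
2026-06-21T10:02:30 192.168.1.1 198.51.100.77 cdn-relay.example
2026-06-21T10:03:00 192.168.1.1 1.1.1.1 time.windows.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def analyze_dns(log_text, router_ip, expected_resolvers, baseline_domains, repeat_threshold=3):
    """Return (unexpected_resolvers, recurring_unknown_domains) for queries from router_ip.

    unexpected_resolvers: upstream resolvers the router used that are not expected;
    a silently changed resolver is the classic sign of altered DNS settings.
    recurring_unknown_domains: domains outside the baseline queried at least
    repeat_threshold times, i.e. recurring queries unrelated to usual services.
    """
    resolvers = Counter()
    domains = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on real logs
        _ts, src, dst, qname = m.groups()
        if src != router_ip:
            continue
        resolvers[dst] += 1
        domains[qname.lower().rstrip(".")] += 1
    unexpected = sorted(r for r in resolvers if r not in expected_resolvers)
    recurring = sorted(d for d, n in domains.items()
                       if d not in baseline_domains and n >= repeat_threshold)
    return unexpected, recurring

if __name__ == "__main__":
    res, rec = analyze_dns(SAMPLE_LOG, "192.168.1.1", {"1.1.1.1"},
                           {"time.windows.com", "update.microsoft.com"})
    print("unexpected resolvers:", res)        # ['198.51.100.77']
    print("recurring unknown domains:", rec)   # ['login-bank.example']
```

On a real deployment the baseline is built from a period of known-good traffic before the router is suspected, and hits are reviewed rather than acted on automatically.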
Organizations with heterogeneous device fleets must actively identify EoL models in their network inventory. The AryStinger incident demonstrates that CVE-2013-3307, known for 13 years, remains practically exploitable on unpatched hardware. The presence of CVE-2025-11837 in the exploit mix indicates operators also integrate newer vulnerabilities when available, making removal of unsupported devices even more urgent.
For ISPs in the most affected regions — particularly South Korea and China — anomalous outbound traffic from customer SOHO routers warrants attention. Patterns of distributed scanning or tunneling to non-canonical endpoints may reflect involuntary participation in the botnet.
Open Questions and Report Limitations
Fundamental questions remain unanswered in the XLab report. The dossier does not specify the exact start date of operations, operator identity, the ultimate purpose of the proxy traffic, the current infection status, or the existence of DDoS campaigns or other infrastructure abuse. As the researchers themselves note, "many mysteries surrounding AryStinger remain to be solved."
Regarding the NAS variant, the source does not clarify how many devices are involved or which brands or models are specifically targeted. The integration of open-source penetration testing tools in the Go variant nonetheless indicates a higher level of sophistication compared to the router botnet alone.
Information is based on the cited source and current as of publication.
Sources
- https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/binding-operational-directive-22-01
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog/reducing-significant-risk-known-exploited-vulnerabilities
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
- https://nvd.nist.gov/vuln/detail/CVE-2025-14733