InfoSecBulletin Cybersecurity for mankind
AryStinger has taken control of over 4,000 old D-Link routers to use them as proxies for harmful traffic. The team at Qianxin’s XLab says that the malware turns infected devices into remote “executors.” These devices can scan, proxy, tunnel, run commands, and do other tasks for the attacker.
“The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
“With this distributed-like design, the attacker can efficiently complete the early “footprinting” activities, thereby providing strong assurance for the smoothness and success rate of subsequent intrusion operations.”
The malware can change DNS settings, control the user’s browsing, and quietly watch all incoming and outgoing network traffic, possibly stealing information.
AryStinger uses old weaknesses like CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. It mostly attacks D-Link DIR-850L and D-Link DIR-818LW routers.
The two router models were attacked by the AVrecon malware botnet that Lumen stopped in 2023.
Qianxin’s data shows that nearly half of all infections are in South Korea (48.5%). China is next at (31.8%), followed by Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).
XLab researchers discovered two types of AryStinger malware: one written in C that mainly affects old routers, and another in Go that targets NAS systems but has a much smaller impact for now.
The NAS version is the better one of the two. It has extra features like IP and DNS scanning, running commands, executing payloads, and checking internal networks using open-source testing tools.
The researchers said that AryStinger’s DNS-scanning system might be used to create many DNS queries to resolvers, but they did not see any attacks like that.
XLab says the NAS version can run Shell commands and supports Go, Java, and Python code.
Source code has some downsides compared to compiled binaries. Compiling needs language runtimes on the host, and the whole process can create noise that makes stealth harder.
The researchers did not attribute AryStinger to any known activity cluster, stating that “many mysteries surrounding AryStinger remain to be solved.”
Owners of old routers should get new ones that are still supported, install the latest updates, change the default admin password, and turn off remote management panels.
