BleepingComputer
AryStinger Botnet Compromises Over 4,300 D-Link Routers for Reconnaissance
Article Content
The AryStinger botnet has infected more than 4,300 D-Link routers, specifically the DIR-850L and DIR-818LW models, which are no longer supported by the manufacturer. This malware, identified by researchers at Qianxin's XLab, converts compromised devices into reconnaissance tools that can perform scanning and proxying activities. It exploits vulnerabilities including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The majority of infections are reported in South Korea, followed by China and other countries. AryStinger's design allows attackers to efficiently conduct reconnaissance on potential targets, increasing the likelihood of successful intrusions. The botnet's activity began shortly after law enforcement disrupted a previous botnet, AVrecon, which targeted the same router models. Users are advised to replace outdated routers and apply security measures to mitigate risks.
Key Points:
• AryStinger has infected over 4,300 outdated D-Link routers, primarily DIR-850L and DIR-818LW.
• The malware exploits known vulnerabilities CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837.
• Infections are concentrated in South Korea (48.5%), with significant numbers in China and Sweden.