Industry News & Leadership · Jun 23, 2026

AryStinger Botnet Converts Legacy Routers to Global Proxies

Data Breach Today · Archived Jun 23, 2026

Research Links 4,300 End-of-Life D-Link Routers to Attack Staging

The AryStinger botnet is exploiting decade-old vulnerabilities in outdated and unsupported routers, turning aging devices into a proxy network for scanning targets, hiding threat actor activity and laying the groundwork for future cyberattacks.

Greg Sirico • June 22, 2026

Image: Lutsenko Oleksandr/Shutterstock

Operators behind a recently discovered botnet dubbed AryStinger are attacking thousands of aging routers worldwide, using the outdated hardware for distributed reconnaissance, proxying and future attack campaigns.

Researchers from XLab - QiAnXin Technology's threat intelligence arm - said the botnet has infected at least 4,300 routers. That number is expected to increase as researchers continue to better understand the botnet's lifecycle and favored attack path.

AryStinger's current targets include outdated D-Link routers built on Realtek RTL819x chipsets, which had their heyday in routers from 2012 to 2015. Starting March 12, XLab researchers saw the botnet spread from a single IP, 107.150.106.14, pushing a Linux ELF sample with zero detections on VirusTotal through two near decade-old vulnerabilities: CVE-2013-3307, affecting Linksys models, and CVE-2016-5681, affecting D-Link models.

Unlike typical router botnets, which launch DDoS attacks, AryStinger acts as a reconnaissance and proxy network before threat actors initiate attacks, helping to establish a foothold in consumer networks before escalation. Infected routers can scan the internet for targets, identify exposed services or entry points, enumerate subdomains, tunnel traffic and execute operator commands.

XLab said the botnet's covert infrastructure allows threat actors to obfuscate their true locations while gathering information on future targets. Researchers compared AryStinger's capability to threat actors embedding a "permanent 'invisible listening device' and 'attack springboard'" within consumer networks.

The botnet's primary target is D-Link hardware, specifically the DIR-850L and DIR-818LW, both of which have reached end-of-life status. The bulk of affected models are in South Korea and China. Using decade-old vulnerabilities, AryStinger gains initial access and establishes persistence. The malware then installs an SSH backdoor, modifying configurations to maintain long-term control.

Researchers observed the second AryStinger variant on April 26, targeting QNAP network-connected storage devices through CVE-2025-11837 - a now-patched code injection flaw in QNAP's Malware Remover application.