AryStinger Botnet Converts Legacy Routers to Global Proxies
Data Breach Today
Research Links 4,300 End-of-Life D-Link Routers to Attack Staging
The AryStinger botnet is exploiting decade-old vulnerabilities in outdated and unsupported routers, turning aging devices into a proxy network for scanning targets, hiding threat actor activity and laying the groundwork for future cyberattacks.
Greg Sirico • June 22, 2026
Image: Lutsenko Oleksandr/Shutterstock
Operators behind a recently discovered botnet dubbed AryStinger are attacking thousands of aging routers worldwide, using the outdated hardware for distributed reconnaissance, proxying and future attack campaigns.
Researchers from XLab, QiAnXin Technology's threat intelligence arm, said the botnet has infected at least 4,300 routers. That number is expected to increase as researchers continue to better understand the botnet's lifecycle and favored attack path. AryStinger's current targets include outdated D-Link routers built on Realtek RTL819x chipsets, whose heyday in routers ran from 2012 to 2015.
Starting March 12, XLab researchers saw the botnet spread from a single IP, 107.150.106.14, pushing a Linux ELF sample with zero detections on VirusTotal through two nearly decade-old vulnerabilities: CVE-2013-3307, affecting Linksys models, and CVE-2016-5681, affecting D-Link models.
Unlike typical router botnets, which launch DDoS attacks, AryStinger acts as a reconnaissance and proxy network before threat actors launch attacks, helping to establish a foothold in consumer networks before escalation.
Infected routers can scan the internet for targets, identify exposed services or entry points, enumerate subdomains, tunnel traffic and execute operator commands. XLab said the botnet's covert infrastructure allows threat actors to obfuscate their true locations while gathering information on future targets.
Researchers compared AryStinger's capability to threat actors embedding a "permanent 'invisible listening device' and 'attack springboard'" within consumer networks.
The botnet's primary target is D-Link hardware, specifically the DIR-850L and DIR-818LW, which have both reached end-of-life status. The bulk of affected models are in South Korea and China.
Using decade-old vulnerabilities, AryStinger gains initial access and establishes persistence. The malware then installs an SSH backdoor, modifying configurations to maintain long-term control.
Researchers observed the second AryStinger variant on April 26, targeting QNAP network-attached storage devices through CVE-2025-11837, a now-patched code injection flaw in QNAP's Malware Remover application.