AryStinger Botnet Turns Old D-Link Routers Into Attack Proxies

AryStinger malware has compromised more than 4,300 legacy routers, mostly D-Link DIR-850L devices, for scanning, tunneling, and proxying attacks.

A newly documented malware family called AryStinger is turning unsupported home and small-office routers into attacker-controlled proxy and reconnaissance nodes. QiAnXin XLab said it has counted more than 4,300 infected RTL819X-class routers worldwide, with D-Link devices making up most of the measured pool and DIR-850L alone accounting for roughly three quarters of identified infections.[1]

The story matters because AryStinger is not just another noisy DDoS botnet. XLab describes the infected devices as “Executors” that can receive scanning jobs, forward traffic, run commands, and help an operator hide behind someone else’s network. That makes an old router useful before the real intrusion begins: it can enumerate services, probe domains, relay traffic, and make the next stage harder to trace.[1]

XLab first observed the campaign on March 12, 2026, when a server at 107.150.106.14 was spreading a Linux ELF sample through old bugs tracked as CVE-2013-3307 and CVE-2016-5681. Those flaws affect older Linksys and D-Link router families, respectively. A related Go-based AryStinger strain was later captured on April 26 targeting NAS devices through CVE-2025-11837, but XLab said the 4,300-device count only covers the RTL819X router infections.[1]

The router-focused version is deliberately lean because the hardware is old. The more capable NAS-oriented version adds internal scanning, HTTP checks, source-level payload execution in Go, Java, and Python, and tunneling support. BleepingComputer summarized the risk plainly: compromised routers can be used as springboards for malicious operations, and XLab warned they can also tamper with DNS or silently monitor inbound and outbound traffic.[2]

Owners of D-Link gear should pay special attention. XLab’s measured infection pool is concentrated in South Korea and China, with smaller shares in Sweden, Malaysia, and Singapore, but the vulnerable router model list is not geographically limited. D-Link’s own legacy-products page says unsupported devices no longer receive development resources and should be retired in favor of models that still get firmware updates.[3] The company’s older CVE-2016-5681 notice also lists affected DIR models and fixed firmware for several revisions, including DIR-850L Rev. B1 and DIR-818LW Rev. Bx.[4]

If you administer a small network, treat this as a gateway hygiene issue rather than a Windows malware cleanup. First, identify the router model and firmware revision. If the device is end-of-life, replacement is safer than trying to nurse it forward. If it is still supported, install the latest vendor firmware, change the administrator password, disable internet-facing remote management, and review whether UPnP or port-forwarding rules are exposing services unnecessarily.

How to check for AryStinger signs

XLab’s public indicators give defenders a short checklist. Look for unexpected communication with AryStinger infrastructure such as opi7.com, eixfi.ajb8.com, hgodpcx.ajb8.com, hgodpcx.auq8.com, sdkv1.dataexplore.cc, or sdkv1.dataexplore.co. On devices where shell access is available, check for suspicious files under /tmp/bin and processes named syswapd0h or syswapd0w.[1] A normal home router should not be running an unfamiliar Dropbear service or acting as a tunnel endpoint.
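The checklist above as a defender-side script, added here as an example and not code from XLab or the article. It scans a resolver log and a router process listing for the published domain and process indicators; the dnsmasq-style log format, the process listing and the addresses are constructed sample data, and a real legacy router may expose neither a query log nor a shell.

```shell
#!/bin/sh
# Added example, not code from XLab or the article: scan a DNS resolver log
# and a router process listing for the AryStinger indicators published by XLab.
# The log format, process listing and addresses below are constructed sample data.

ARYSTINGER_DOMAINS="opi7.com eixfi.ajb8.com hgodpcx.ajb8.com hgodpcx.auq8.com sdkv1.dataexplore.cc sdkv1.dataexplore.co"
ARYSTINGER_PROCS="syswapd0h syswapd0w"

# Constructed dnsmasq-style query log; 192.168.1.1 is the router itself.
SAMPLE_DNS_LOG='Jun 21 10:02:11 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Jun 21 10:02:15 dnsmasq[812]: query[A] hgodpcx.auq8.com from 192.168.1.1
Jun 21 10:03:40 dnsmasq[812]: query[A] sdkv1.dataexplore.cc from 192.168.1.1
Jun 21 10:04:02 dnsmasq[812]: query[A] updates.vendor.example from 192.168.1.33'

# Constructed "ps" output as a BusyBox-based router might print it.
SAMPLE_PS='  812 root     dnsmasq
  901 root     dropbear -p 22
  977 root     /tmp/bin/syswapd0h
  990 root     httpd'

# Print log lines ($1) that resolve an indicator domain. -w keeps
# sdkv1.dataexplore.co from also matching an unrelated .com name.
dns_hits() {
  for d in $ARYSTINGER_DOMAINS; do
    printf '%s\n' "$1" | grep -F -w -- "$d" || true
  done
}

# Print process lines ($1) running a named AryStinger binary or anything under /tmp/bin.
proc_hits() {
  pat=$(printf '%s' "$ARYSTINGER_PROCS" | tr ' ' '|')
  printf '%s\n' "$1" | grep -E -- "$pat|/tmp/bin/" || true
}

# Return 0 when no indicator is present, 1 when the gateway should be treated as hostile.
router_is_clean() {
  d=$(dns_hits "$1" | wc -l | tr -d ' ')
  p=$(proc_hits "$2" | wc -l | tr -d ' ')
  [ "$d" -eq 0 ] && [ "$p" -eq 0 ]
}

if router_is_clean "$SAMPLE_DNS_LOG" "$SAMPLE_PS"; then
  echo "no AryStinger indicators found"
else
  echo "AryStinger indicators present:"
  dns_hits "$SAMPLE_DNS_LOG"
  proc_hits "$SAMPLE_PS"
fi
```

On a live device, feed the script the resolver log and the output of `ps` instead of the constructed samples; a hit on either check is the point at which the credential rotation described later in the article should start.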

The practical lesson is similar to recent router-botnet cases. HowToFix.guide recently covered the C0XMO Gafgyt botnet exploiting DD-WRT routers and the Dutch takedown of a 17-million-device proxy botnet. Older D-Link equipment has also been abused before, including the Mozi botnet campaigns against Netgear, D-Link, and Huawei routers. AryStinger is a fresh name, but the failure pattern is familiar: unsupported edge devices keep becoming someone else’s infrastructure.

For households, the fastest safe response is to replace unsupported routers and reconfigure Wi-Fi from a clean admin password. For small businesses, also check firewall logs, DNS resolver logs, outbound proxy alerts, and any unexplained scanning from the office IP range. If a router was exposed to the internet and shows AryStinger indicators, assume the gateway was hostile and rotate credentials used from that network, especially admin panels and VPN accounts.

References

  1. QiAnXin XLab, “More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers,” June 17, 2026.
  2. BleepingComputer, “AryStinger botnet infected thousands of D-Link routers worldwide,” June 21, 2026.
  3. D-Link Systems, Legacy Products, accessed June 22, 2026.
  4. D-Link, “CVE-2016-5681 – VU#332115 – Some D-Link routers are vulnerable to buffer overflow exploit,” August 30, 2016.
  5. Tenable, CVE-2013-3307 vulnerability summary.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
