AryStinger Botnet Compromises Thousands of Outdated D-Link Routers

A previously undocumented malware botnet called AryStinger has infected more than 4,000 outdated D-Link routers, primarily DIR-850L and DIR-818LW models, converting them into remotely controlled proxies for malicious operations. The malware exploits older vulnerabilities including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, enabling attackers to distribute scanning tasks across infected devices for parallel execution, conduct DNS hijacking, and monitor network traffic. Nearly half of all infections are located in South Korea at 48.5 percent, followed by China at 31.8 percent, with additional infections in Sweden, Malaysia, and Singapore.

Two variants exist: a C-based version targeting outdated routers and a more advanced Go-based version aimed at NAS systems, with additional capabilities including IP and DNS scanning, command execution, and internal network reconnaissance through integrated penetration testing tools. The NAS variant can execute shell commands as well as Go, Java, and Python source code, though the need to compile that code on the device makes the activity easier to notice. Qianxin's XLab researchers noted the distributed infrastructure could potentially be repurposed for large-scale DNS amplification attacks.

The botnet targets the same router models previously hit by the AVrecon malware botnet, which Lumen disrupted in 2023. Owners of end-of-life routers are advised to replace them with actively supported models, apply the latest firmware updates, change default administrator passwords, and disable remote management panels. The researchers could not attribute AryStinger to any known threat actor, stating that many mysteries remain unsolved.
