AryStinger, the botnet that infects D-Link routers exploiting 13-year-old vulnerabilities
Last March, researchers from Qianxin XLab discovered a previously undocumented botnet, named AryStinger, which has already compromised at least 4,300 D-Link routers worldwide, turning them into nodes for reconnaissance, proxying, and attack campaigns. The count, detected by the QiAnXin Eagle Map mapping platform, is still growing and does not include NAS devices, for which there is currently no equivalent measurement method.
The most notable aspect is the starting arsenal. AryStinger leverages CVE-2013-3307 and CVE-2016-5681, vulnerabilities disclosed over thirteen years ago, to target D-Link routers with RTL819X chips, particularly the DIR-850L and DIR-818LW models. A third flaw, CVE-2025-11837, paves the way for NAS devices. The first sample emerged on March 12, when an IP disseminating ELF binaries was found to have zero detections on VirusTotal, and even today the associated samples and command servers have a very low detection rate on major antivirus engines.
Two Variants, Two Levels of Danger
AryStinger circulates in two forms. The router version, written in C for the RTL819X architecture, is limited to mass DNS resolution via massdns and tunneling, and installs dropbear, a lightweight SSH server, on port 2332 to ensure persistent remote access. The Standard version, written in Go and intended for NAS devices, is much richer: it integrates open-source penetration testing tools like fscan, ksubdomain, httpx, and Tlsx for internal network reconnaissance, uses gs-netcat as a backdoor, and supports the ScriptWork task, which executes shell commands and payloads in Go, Java, and Python at the source code level, without needing to compile binaries for each architecture.
Every infected device becomes an Executor. The command and control server fragments a large-scale scanning operation into subtasks assigned to different Executors, which run them in parallel. Communication occurs over HTTP/HTTPS, with data serialized in Protobuf and XOR-encrypted with a hardcoded key, sh_#@!_2024_secret; that "2024" suggests that the activity may have begun as early as the year before the discovery.
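As an added example (not XLab's code, nor the malware's own), a small Python triage helper for the C2 layer described above: it XOR-decodes a captured HTTP body with the key reported by XLab and then checks whether the result walks cleanly as a sequence of valid Protobuf fields, a cheap way to flag suspected AryStinger traffic in a packet capture. It assumes the key is applied cyclically from byte 0 of the body (the report does not state the exact keystream layout), and the sample message is constructed here.

```python
# Added example, not from the XLab report or the AryStinger samples.
KEY = b"sh_#@!_2024_secret"  # hardcoded key reported by XLab


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR is symmetric, so one function both encrypts and decrypts.
    Assumption: the key repeats cyclically starting at offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def read_varint(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a base-128 varint at buf[i]; return (value, next_index)."""
    value, shift = 0, 0
    while True:
        if i >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7


def looks_like_protobuf(buf: bytes) -> bool:
    """Return True if buf parses as wire-format fields: every tag has a
    non-zero field number and a valid wire type, and no length runs past
    the end. Random or wrongly-keyed bytes fail this almost immediately."""
    if not buf:
        return False
    i = 0
    try:
        while i < len(buf):
            tag, i = read_varint(buf, i)
            field, wire = tag >> 3, tag & 7
            if field == 0:
                return False
            if wire == 0:          # varint
                _, i = read_varint(buf, i)
            elif wire == 1:        # fixed 64-bit
                i += 8
            elif wire == 2:        # length-delimited
                length, i = read_varint(buf, i)
                i += length
            elif wire == 5:        # fixed 32-bit
                i += 4
            else:                  # 3/4 (groups) or 6/7: not valid here
                return False
            if i > len(buf):
                return False
    except ValueError:
        return False
    return True


def is_candidate_c2_body(blob: bytes) -> bool:
    """Triage check: does the body decode under the known key to Protobuf?"""
    return looks_like_protobuf(xor_with_key(blob))


# Constructed sample: field 1 = varint 7, field 2 = string "scan".
SAMPLE_PLAIN = b"\x08\x07\x12\x04scan"
CAPTURED_BODY = xor_with_key(SAMPLE_PLAIN)  # stand-in for a captured blob
```

A body that is already plaintext Protobuf fails the check (XOR-ing it with the key garbles the tags), so a hit means "encrypted with this key", not merely "Protobuf".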
On the compromised router, the malware can alter DNS settings to hijack browsing and silently monitor all incoming and outgoing traffic. The same distributed DNS scanning infrastructure, researchers note, could be repurposed to generate massive volumes of queries against resolvers, setting up a potential DDoS attack; so far, nothing of the sort has been observed.
The geographical distribution is unusual: leading is South Korea with 48.45% of infections, followed by China (31.82%), then Sweden, Malaysia, and Singapore with smaller shares. On the model front, the DIR-850L alone accounts for 75% of infections, ahead of the DIR-818LW at 13%. AryStinger has not been attributed to any known group, and since its discovery, over fifty samples of the two variants have been collected, with rapidly progressing version numbers: a sign of ongoing development.
In the complete technical analysis, accompanied by indicators of compromise and architectural details, XLab recommends replacing end-of-life routers with supported models, updating firmware, changing the administrator password, and disabling the remote management panel. These are basic countermeasures, but they are still effective against a threat that, for now, lives almost entirely on forgotten hardware.