ProBackend

Legacy D-Link Routers Harnessed by Undocumented AryStinger Botnet for Malicious Proxy Operations

Qianxin's XLab researchers describe AryStinger, a botnet that exploits CVE-2013-3307 and CVE-2016-5681 to turn outdated D-Link routers into proxy nodes used for distributed scanning, DNS hijacking, and traffic interception.

The Silent Takeover of Your Router

Your router isn't just a box under the TV. It's the gatekeeper to your home network, the silent witness to every video call, every late-night search, every bank login. And right now, thousands of them—yours might be one—are being turned into weapons. Not by hackers breaking in through a backdoor, but by exploiting flaws that have sat unpatched for over a decade. Meet AryStinger: a botnet that didn't need to be clever. It just needed to be patient.

I've seen this movie before. Back in 2023, Lumen took down AVrecon, another botnet that hunted the same D-Link models. We thought we'd seen the last of them. We were wrong. AryStinger didn't just copy the playbook. It refined it. And it's still running.

The scale? 4,000 infected routers. That's not a blip. That's a distributed army. And the kicker? Most of them are still online. Still broadcasting. Still forwarding traffic. No one's shutting them down. No one's even noticing.

This isn't about a new exploit. It's about a culture of neglect. We treat routers like appliances. Plug them in, forget them. When they slow down, we buy new ones. But we never unplug the old ones. And that's exactly what AryStinger counted on.


The Forgotten Devices

The targets aren't exotic. They're the ones you bought because they were cheap: the DIR-850L and the DIR-818LW. Two models, two dead products. D-Link stopped supporting them years ago; the last firmware builds date from no later than 2021, and the only place to get them is the vendor's legacy archive. That's not a service. That's a tombstone.

And yet plenty of these devices are still out there. In apartments. In small offices. In vacation homes. They're not on the radar of IT departments. They're not in asset inventories. They're just… there. And AryStinger knows it.

The researchers at Qianxin's XLab didn't find these devices by scanning the internet. They found them because the devices were already talking: each infected router was checking in with a command server, identifying itself by hardware address and firmware version as it did so. The exploit was only the first step. The harvest was the point.

What's worse? These same models were the backbone of AVrecon. That botnet was taken down. But the devices? They didn't get wiped. They didn't get replaced. They just sat there, waiting for the next wave. And here it came.

I've talked to homeowners who still use these routers because "it still works." It does. But it also lets strangers watch your traffic, redirect your lookups, and turn your internet connection into an exit point for someone else's phishing or malware campaign in a country you've never visited. That's not working. That's being used.


The Exploits That Shouldn't Exist

AryStinger doesn't use zero-days. It doesn't need them. It uses CVE-2013-3307 and CVE-2016-5681. The reporting also lists a third identifier, CVE-2025-11837, and when this was written we could find no public description to go with it. That could be a reserved entry awaiting disclosure, or simply a typo. Until it resolves, treat it as unconfirmed and treat the two older bugs as the ones that matter.

CVE-2013-3307? A remote code execution flaw in the web management interface of older D-Link firmware, public since 2013 and fixed by the vendor long ago. But a fix only matters if it gets installed, and most of these routers have never been updated since the day they were plugged in.

CVE-2016-5681? A stack-based buffer overflow in the web server on the DIR-850L, the DIR-818L(W) and a long list of sibling models: an overlong session cookie sent to the login handler overruns a fixed-size buffer, and the attacker gets code execution without ever authenticating. It's reachable over plain HTTP, and on any unit that exposes its admin page to the WAN, reachable from anywhere. UPnP, the feature that lets devices on your LAN open ports in the firewall for themselves, is a separate exposure worth switching off, but it isn't what this bug abuses.

These aren't theoretical risks. They're open doors. AryStinger walks right in. No password cracking. No social engineering. Just a single HTTP request. And boom—you're part of a botnet.

I've seen reports where security teams brag about their patching cadence. "We patch within 30 days." Great. But what about the devices you don't own? The ones you never knew you had? The ones your cousin installed in his garage workshop? That's the blind spot. And AryStinger is filling it.

Router-based botnets like C0XMO, which spread via a DD-WRT router flaw, show that outdated networking hardware remains a persistent attack surface across the ecosystem.

What the Botnet Actually Does

It's not just about traffic. It's about scale.

AryStinger doesn't just use your router as a proxy. It turns it into one node of a distributed scanner. Say you want to find every reachable device of a given type in one country. That's tens of millions of addresses, far too many for one machine to sweep quietly. So you split the range into chunks and hand one chunk to each of thousands of routers. Each one scans its slice and reports back, and the controller stitches the results together. From any single home it's a trickle; in aggregate it's a map of the whole country.

That's what AryStinger does. It's not stealing your Netflix password. It's mapping the internet for the next attack.

And then there's DNS hijacking. The malware changes the resolvers your router hands out to every device behind it. Type "bankofamerica.com" and the answer can point at a clone instead of the real site. HTTPS blunts this (the clone still needs a certificate your browser trusts, so the attack leans on plain-HTTP pages, downgrade tricks, and users who click through warnings), but any credentials that do land on the clone go straight to whoever runs it. You don't even know it happened.

Traffic monitoring? That's the quiet horror. Everything you send leaves through that router, and now someone else is reading whatever it can read: anything unencrypted, which means plain HTTP, legacy mail protocols and DNS queries, including the cookies and session tokens those carry. TLS keeps the payloads of encrypted sessions out of reach, but the metadata (who you talk to, when, how much) still leaks. It's not just surveillance. It's identity theft in slow motion.

And the Go-based variant? That's the sleeper cell. It doesn't just scan. It probes. It runs shell commands. It downloads tools. It looks for other devices on your network—your smart thermostat, your baby monitor, your NAS. It doesn't just use your router. It uses your home.

This distributed scanning approach mirrors tactics seen in the JDY botnet, which expanded its reconnaissance reach against U.S. military networks—both rely on turning compromised devices into distributed foot-printing nodes.
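The scanning behaviour described above is easier to catch from outside the router, by looking at what it sends, than from a device you can't inspect. The script below is an added example (not code from the XLab report, from the botnet, or from this post's author): it reads flow records and flags any source that, inside one time window, fans out across many destination networks or walks many ports on one host, which is what a router doing AryStinger's job looks like. The record format and the sample traffic are constructed here, and the window size and thresholds are assumptions to tune for your own network.

```python
"""Flag hosts whose outbound connections look like a scanner, not a client.

Added example: the flow-record format and the sample traffic are constructed;
the 5-minute window and the thresholds are assumptions to tune per network.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

EPOCH = datetime(1970, 1, 1)


def parse_flow(line):
    """Parse 'ISO-timestamp src dst dport proto' into (datetime, src, dst, dport)."""
    ts, src, dst, dport, _proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(lines, window_seconds=300, min_nets=50, min_ports=6):
    """Return {src: {...}} for sources that, inside one window, either touched
    at least min_nets distinct destination /24s (horizontal sweep) or hit at
    least min_ports distinct ports on a single host (vertical probe)."""
    nets_in_window = defaultdict(set)   # (src, window) -> destination /24 networks
    ports_on_host = defaultdict(set)    # (src, window, dst) -> destination ports
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        window = int((ts - EPOCH).total_seconds()) // window_seconds
        nets_in_window[(src, window)].add(ipaddress.ip_network(f"{dst}/24", strict=False))
        ports_on_host[(src, window, dst)].add(dport)

    verdicts = defaultdict(dict)
    for (src, _), nets in nets_in_window.items():
        if len(nets) >= min_nets:
            verdicts[src]["distinct_nets"] = max(verdicts[src].get("distinct_nets", 0), len(nets))
    for (src, _, _), ports in ports_on_host.items():
        if len(ports) >= min_ports:
            verdicts[src]["ports_on_one_host"] = max(verdicts[src].get("ports_on_one_host", 0), len(ports))
    return dict(verdicts)


def constructed_flows():
    """Constructed sample: an ordinary client plus a router behaving like a scanner node."""
    base = datetime(2025, 10, 1, 10, 0, 0)
    lines = []
    # 192.168.1.20: a normal client talking to three services over a few minutes.
    for i in range(30):
        dst = ["203.0.113.10", "198.51.100.7", "203.0.113.25"][i % 3]
        lines.append(f"{(base + timedelta(seconds=7 * i)).isoformat()} 192.168.1.20 {dst} 443 tcp")
    # 192.168.1.1: the router probing port 80 on one host in each of 120 different /24s
    # (addresses from 10.0.0.0/8 stand in for the public internet in this sample).
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.168.1.1 10.0.{i}.7 80 tcp")
    # ...and then walking eight ports on an internal NAS, as the post describes the Go variant doing.
    for i, port in enumerate([21, 22, 23, 80, 443, 445, 8080, 8443]):
        lines.append(f"{(base + timedelta(seconds=200 + i)).isoformat()} 192.168.1.1 192.168.1.30 {port} tcp")
    return lines


if __name__ == "__main__":
    for src, why in find_scanners(constructed_flows()).items():
        print(src, why)
```

Fixed time buckets keep the code short; a sliding window catches sweeps that straddle a bucket boundary at the cost of more bookkeeping. Real flow exports (NetFlow, IPFIX, Zeek conn.log) also carry connection state, and counting failed or half-open connections per source is a cheaper and more reliable scanner signal than distinct networks alone.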

The Geography of Neglect

Here's the part that still gives me chills: 48.5% of infections are in South Korea. 31.8% in China. That's 80% of the botnet, right there.

Why? Probably not because those countries are more vulnerable, but because they are markets where these two models sold in volume and stayed in service: cheap, reliable, and nobody telling the owner to replace them. Two caveats belong here. Percentages like these reflect where the researchers' sensors see infections, not a ranking of national hygiene. And the explanation is inference; the report gives counts, not reasons.

Sweden? 6.4%. Malaysia? 3.5%. Singapore? 2.5%. These are places with strong cyber hygiene. Yet the infections are still there. Why? Because someone bought a used router on eBay. Someone inherited one from a parent. Someone left it running in a vacation home.

This isn't a national problem. It's a human one. We don't think about our routers until they break. And by then, it's too late.

The data doesn't lie. The botnet is strongest where the awareness is weakest. And that's not a coincidence. It's a design flaw in our entire digital infrastructure.

The Two Faces of AryStinger

There are two versions of this malware. And they're not just different code. They're different philosophies.

The C-based version? It's lean. Efficient. Built for routers. Small footprint. Low memory. It does one thing: scan, proxy, tunnel. No frills. No logging. No noise. It's the ghost in the machine.

The Go-based version? That's the overachiever. It's designed for NAS boxes. It can execute Go, Java, Python code. It can run full penetration tools. It can scan your internal network. It's more powerful. And it's messier.

Why does that matter? Because the Go version leaves traces. It needs runtimes. It creates logs. It opens ports. It's less stealthy. And that's why it's rarer. The attackers don't want noise. They want silence.

But here's the kicker: the Go version proves this isn't just a one-off campaign. Someone built a second variant. That means there's a team. A lab. A budget. This isn't a script kiddie. This is an organized operation. And they're not done.

The fact that they even bothered to build a NAS version? That tells me they're thinking ahead. They're not just harvesting routers. They're building a multi-layered infrastructure. One that can pivot. One that can grow. And we're not ready.

For a deeper technical breakdown of AryStinger's capabilities and threat profile, see Unmasking AryStinger: A New Threat to Outdated Network Hardware.

The Ghosts We Don't Name

No one's claiming AryStinger. No state. No group. No criminal syndicate. The researchers say "many mysteries remain." And that's the most dangerous part.

We like to name our enemies. APT29. Lazarus Group. FIN7. It makes us feel like we understand them. Like we can predict them.

But AryStinger? It's anonymous. It doesn't reuse known infrastructure or recycled C2 domains, and it doesn't even bother with encrypted channels. Its command traffic is just more plain HTTP from a residential address.

That's not a mistake. That's camouflage. Plain HTTP from a home IP looks like everything else on the internet; it rides the noise.

And that's why it's so hard to stop. You can't block what you can't tell apart from normal traffic. You can't patch a device the vendor has abandoned. You can't hunt on a router nobody inventories. The one consolation of unencrypted command traffic is that once you do know what it looks like, a network sensor can match it.

This is the future of cyber warfare. Not flashy exploits. Not ransomware. Just… persistence. A quiet, patient, invisible presence. Waiting. Watching. And when the time is right, it moves.

What You Can Do (And What You Can't)

Let's be honest. If you're reading this and you still have a DIR-850L or DIR-818LW in your house, you're probably not going to replace it today. I get it. It still works. It's cheap. You don't want to pay $150 for a new one.

But here's the truth: you're not saving money. You're paying in risk. Every day that router stays online, you're gambling with your privacy, your security, your identity.

So what can you do?

First: Check your router. Log in, note the model and firmware version, and look the model up on the vendor's support site. If it's end-of-life, no firmware version is safe, because fixes for bugs like these will never ship. If it's still supported but the firmware is years old (older than 2021 is a reasonable line), update it now.

Second: Disable remote management. Turn off UPnP. Change the admin password. Use a 16-character random string. No "password123." No "admin." No "1234567890."

Third: If it can't be updated, replace it. A current model from any vendor that still ships firmware updates, even an inexpensive one, beats an abandoned one. Pick one that can apply updates automatically, and turn that on.

And if you're an IT pro? Don't wait for your users to report it. Go looking. Scan your network for consumer routers nobody owns, for firmware that hasn't changed in years, for devices with a year of uptime, for default credentials, and for DNS settings that don't match what you configured.
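Here is what "go looking" can look like once the inventory exists; it also carries the DNS-settings check from the section on what the botnet does. This is an added example, not a tool from D-Link, XLab, or this post's author. The inventory records are constructed (real ones would come from the vendor UI, SNMP, or a network scanner), the model names Model-X and Model-Y are hypothetical, and the end-of-life model list, default-credential pairs and expected resolvers are assumptions to replace with your own.

```python
"""Triage a router inventory for the conditions the post tells IT staff to hunt for.

Added example. Records are constructed; EOL_MODELS, DEFAULT_CREDENTIALS and
EXPECTED_RESOLVERS are assumptions for the example, not authoritative lists.
"""
from dataclasses import dataclass
from datetime import date

EOL_MODELS = {"DIR-850L", "DIR-818LW"}                     # the two models named in the post
DEFAULT_CREDENTIALS = {("admin", ""), ("admin", "admin"), ("admin", "password")}  # assumed factory defaults
EXPECTED_RESOLVERS = {"192.0.2.53", "1.1.1.1", "9.9.9.9"}   # assumed ISP resolver plus two public ones
FIRMWARE_CUTOFF = date(2021, 1, 1)                          # "older than 2021" rule of thumb
MAX_UPTIME_DAYS = 365                                       # "hasn't rebooted in a year"


@dataclass
class Router:
    host: str
    model: str
    firmware_date: date
    admin_user: str
    admin_password: str
    remote_admin: bool       # management interface reachable from the WAN side
    upnp: bool
    dns_servers: tuple       # resolvers the router hands out via DHCP
    uptime_days: int


def audit(r):
    """Return the list of findings for one router, most serious first."""
    findings = []
    if r.model in EOL_MODELS:
        findings.append("end-of-life model: the exploited CVEs will never be fixed on this unit")
    rogue = [d for d in r.dns_servers if d not in EXPECTED_RESOLVERS]
    if rogue:
        findings.append("unexpected DNS servers " + ", ".join(rogue) + ": possible DNS hijack")
    if (r.admin_user, r.admin_password) in DEFAULT_CREDENTIALS:
        findings.append("factory-default admin credentials")
    if r.remote_admin:
        findings.append("remote management exposed to the WAN")
    if r.firmware_date < FIRMWARE_CUTOFF:
        findings.append(f"firmware dated {r.firmware_date} is older than {FIRMWARE_CUTOFF}")
    if r.upnp:
        findings.append("UPnP enabled")
    if r.uptime_days > MAX_UPTIME_DAYS:
        findings.append(f"{r.uptime_days} days uptime: a memory-resident infection would have survived this long")
    return findings


def verdict(findings):
    """Collapse findings into an action: replace (EOL hardware), fix, or ok."""
    if any(f.startswith("end-of-life") for f in findings):
        return "replace"
    return "fix" if findings else "ok"


def triage(routers):
    """Map host -> (verdict, findings), riskiest devices first."""
    scored = {}
    for r in routers:
        findings = audit(r)
        scored[r.host] = (verdict(findings), findings)
    order = {"replace": 0, "fix": 1, "ok": 2}
    return dict(sorted(scored.items(), key=lambda kv: (order[kv[1][0]], -len(kv[1][1]))))


# Constructed inventory: one abandoned D-Link unit, one current router with a
# loose setting, one clean device. Dates and addresses are made up for the example.
CONSTRUCTED_INVENTORY = [
    Router("192.168.1.1", "DIR-850L", date(2018, 1, 5), "admin", "admin", True, True,
           ("198.51.100.66",), 540),
    Router("10.7.0.1", "Model-X", date(2025, 3, 1), "admin", "Q7v!pL2#xR9mZt4w", False, True,
           ("192.0.2.53", "1.1.1.1"), 20),
    Router("10.8.0.1", "Model-Y", date(2025, 6, 15), "netops", "k3F#8sWq@Lp1Vz6e", False, False,
           ("192.0.2.53",), 3),
]

if __name__ == "__main__":
    for host, (action, findings) in triage(CONSTRUCTED_INVENTORY).items():
        print(f"{host}: {action}")
        for f in findings:
            print("   -", f)
```

The ordering matters more than the rule set: an end-of-life model goes to "replace" regardless of how tidy its settings are, because none of the other fixes make the 2013 and 2016 bugs go away. The DNS check is deliberately strict (anything not on your own list is flagged) since a hijacked resolver is the finding you least want to miss.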

Because here's the thing: you don't have to be the victim. You just have to be the last one who didn't fix it.
