    Canadian Cyber Watch

    AryStinger botnet infected thousands of D-Link routers worldwide

    By admin | June 21, 2026 | 3 Mins Read

    A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them into proxies for malicious traffic.

    Researchers at Qianxin’s XLab threat intelligence team say that the malware converts infected devices into remotely controlled “executors” that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker.

    “The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.

    “With this distributed-like design, the attacker can efficiently complete the early ‘footprinting’ activities, thereby providing strong assurance for the smoothness and success rate of subsequent intrusion operations.”

    Apart from using compromised routers as a springboard for malicious operations, XLab warns that the malware can also tamper with DNS settings to hijack the user’s browsing, and can silently monitor and potentially steal all inbound and outbound network traffic.

    Figure: Server distributing AryStinger scan jobs (Source: XLab)

    AryStinger exploits older flaws such as CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, primarily targeting D-Link DIR-850L and D-Link DIR-818LW routers.

    The two router models were previously targeted by the AVrecon malware botnet, which communications services provider Lumen disrupted in 2023.

    Qianxin’s telemetry data shows that almost half of all infections are located in South Korea (48.5%), followed by China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).

    XLab researchers found two variants of the AryStinger malware: a C-based version targeting mostly outdated routers, and a Go-based one that focuses on NAS systems, but currently with a far more limited reach.

    Figure: Infected router establishing C2 communication (Source: XLab)

    The NAS version is the more advanced of the two, featuring additional capabilities such as IP and DNS scanning, command execution, payload execution, and internal network reconnaissance through the integration of open-source penetration testing tools.

    The researchers noted that AryStinger’s distributed DNS-scanning infrastructure could potentially be repurposed to generate large volumes of DNS queries against resolvers, although they did not observe any such attacks.

    Regarding the NAS version’s code execution capabilities, XLab says there is support for shell commands, as well as Go, Java, and Python source code.

    However, there are some limitations to using source code instead of compiled binaries, as compilation requires language runtimes on the host, and the process as a whole introduces noise that can break stealth.

    The researchers did not attribute AryStinger to any known activity cluster, stating that “many mysteries surrounding AryStinger remain to be solved.”

    Owners of end-of-life (EoL) routers should replace them with new, actively supported models, apply the latest available firmware updates, change the default administrator account password, and disable remote management panels.
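
    Where such routers are still in service, the chunked scanning behaviour described above tends to show up as one device fanning out to many distinct destinations on a single port in a short time. The sketch below is an added example, not code from XLab's report or the original article; the flow records, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample flow records (not taken from XLab's report):
# (epoch_seconds, source_ip, destination_ip, destination_port)
SAMPLE_FLOWS = (
    # A router sweeping 40 hosts on one port in 40 seconds: scan-like.
    [(1000 + i, "192.0.2.1", f"198.51.100.{i}", 23) for i in range(1, 41)]
    # The same router querying a single resolver repeatedly: normal.
    + [(1000 + 10 * i, "192.0.2.1", "203.0.113.53", 53) for i in range(20)]
    # A workstation visiting a handful of sites slowly: normal.
    + [(1005 + 30 * i, "192.0.2.77", f"198.51.100.{i}", 443) for i in range(1, 9)]
)


def find_scan_fanout(flows, window=60, min_targets=30):
    """Return {(src, dport): peak} for each source/port pair that contacted at
    least `min_targets` distinct destinations within any `window` seconds.
    Both thresholds are assumptions to tune against a local baseline."""
    recent = defaultdict(deque)                      # key -> (ts, dst) still in window
    counts = defaultdict(lambda: defaultdict(int))   # key -> dst -> flows in window
    peaks = {}
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        queue, seen = recent[key], counts[key]
        queue.append((ts, dst))
        seen[dst] += 1
        # Expire flows that have fallen out of the sliding window.
        while queue and queue[0][0] <= ts - window:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) >= min_targets:
            peaks[key] = max(peaks.get(key, 0), len(seen))
    return peaks


if __name__ == "__main__":
    for (src, dport), peak in find_scan_fanout(SAMPLE_FLOWS).items():
        print(f"{src} reached {peak} distinct hosts on port {dport} within 60s")
```

    Counting distinct destinations rather than raw flows keeps repeated traffic to one resolver or one site from triggering the rule.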

