Researchers have found that the recently discovered AryStinger botnet has quietly hijacked thousands of end‑of‑life D‑Link routers and some network-attached storage (NAS) devices, turning them into a distributed scanning and proxy network that attackers can use to hide their activity and launch attacks against other targets.
Having your devices under the control of a botnet is not just a problem for the people being targeted. It can also put your own privacy and security at risk.
The AryStinger botnet is mainly built on compromised D‑Link DIR‑850L and DIR‑818LW routers. Although these devices are long past end‑of‑life, they are still widely used in homes and small offices, making them attractive targets for botnet operators.
The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of routers. According to the researchers:
“At least 4,300 routers worldwide have already been infected, and the number is still continuously rising.”
By targeting routers that are no longer supported by the vendor, the attackers gain access to devices that will never receive security patches but remain connected to the internet.
AryStinger turns each infected device into what the researchers call an “Executor”: a remotely controlled node that can scan networks, act as a proxy, create tunnels, and run commands on behalf of the attacker.
The botnet’s controller splits large reconnaissance tasks into many smaller ones and distributes them across these Executors, effectively turning a fleet of consumer routers into a large-scale scanning platform.
The botnet’s primary purpose is reconnaissance at scale. The controller can:
- Push scanning jobs (for IP ranges, open ports, DNS records) down to many Executors in parallel.
- Use those results to map networks, identify new vulnerable services, and prepare further compromises (“footprinting”).
For owners of infected devices, a more worrying capability is AryStinger’s ability to tamper with DNS settings. This allows attackers to:
- Redirect victims’ browser traffic to phishing pages or malware‑hosting sites.
- Silently monitor and potentially steal all inbound and outbound network traffic passing through the router or NAS.
This can put otherwise well-protected devices at risk. Mobile phones, tablets, and laptops connected to the compromised router can be redirected as well.
How to tell if you’re impacted
For owners of an affected router or NAS, the immediate signs may be subtle or non‑existent. Possible indicators include:
- Slightly slower connectivity
- Occasional unexplained DNS failures or redirects
- Spikes in outbound traffic at odd times
But the underlying risks are serious enough:
- Privacy: Attackers may be able to inspect or redirect your traffic, potentially capturing usernames, passwords, session cookies, or other sensitive data.
- Liability and reputation: Your IP address could be used for fraud, credential‑stuffing, harassment, or other criminal activity, potentially attracting attention from service providers or law enforcement—something already seen in other proxy botnets.
- Pivoting into your network: Particularly on compromised NAS devices, attackers may be able to map internal networks and look for additional systems to target.
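Because DNS tampering is the capability that most directly affects device owners, one practical check is to audit which DNS resolvers a computer behind the router has actually been given. The following is an added example, not code from the researchers or from the original article: it parses resolv.conf-style text and flags any resolver outside a list the owner expects. The sample file, the addresses in it (documentation ranges) and the EXPECTED list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: resolv.conf-style text as a client might receive it via DHCP.
SAMPLE_RESOLV_CONF = """\
# constructed example, not from a real device
search lan
nameserver 192.168.0.1
nameserver 203.0.113.53   ; resolver the owner never configured
nameserver fe80::1%eth0
nameserver not-an-address
"""

# Assumption: the owner expects only the router's LAN address and link-local IPv6.
EXPECTED = ["192.168.0.1/32", "fe80::/10"]


def parse_nameservers(text):
    """Return (addresses, malformed) from resolv.conf-style text."""
    addresses, malformed = [], []
    for raw in text.splitlines():
        # Strip trailing comments introduced by '#' or ';'.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        value = match.group(1).split("%", 1)[0]  # drop IPv6 zone id
        try:
            addresses.append(ipaddress.ip_address(value))
        except ValueError:
            malformed.append(match.group(1))
    return addresses, malformed


def unexpected_resolvers(text, expected):
    """List resolvers that fall outside the owner's expected networks."""
    allowed = [ipaddress.ip_network(net, strict=False) for net in expected]
    addresses, malformed = parse_nameservers(text)
    flagged = [str(a) for a in addresses if not any(a in net for net in allowed)]
    return flagged + malformed


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf", encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_RESOLV_CONF  # fall back to the constructed sample
    for entry in unexpected_resolvers(text, EXPECTED):
        print("unexpected DNS resolver:", entry)
```

If the file lists only a local stub such as 127.0.0.53 (systemd-resolved), audit the upstream servers that stub forwards to, and compare the result with the DNS servers shown in the router's admin page.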
What to do
This is not the first time attackers have built a botnet from abandoned networking equipment. Unfortunately, the most effective solution is also the least popular one: Replace end-of-life routers and NAS devices.
If that’s not an immediate option, there are some steps you can take to make your device harder to compromise:
- Apply the latest firmware available for your device, even if it’s old, and review any vendor security advisories for known vulnerabilities.
- Change the default administrator password to a unique, strong password or passphrase; never reuse passwords from other accounts.
- Disable remote management from the internet (WAN). Only access the admin interface from inside your home or office network.
- Use WPA2 or WPA3 wireless encryption and a strong Wi‑Fi password to reduce the chance of local abuse.
- If your router supports it, turn off unused services such as UPnP on the WAN side or legacy remote access protocols.
- Run an anti-malware scan on computers and other devices connected to the router to check whether any were separately infected while traffic was being tampered with.
Even if you apply all of these recommendations, an end-of-life router should be considered untrusted. Make plans to replace it as soon as you can.