Security researchers have uncovered a new botnet campaign, dubbed AryStinger, that has quietly compromised more than 4,000 outdated D-Link routers worldwide. Rather than deploying ransomware or launching distributed denial-of-service attacks, the threat actors behind AryStinger are leveraging the infected devices as proxy nodes — funneling malicious traffic through residential and small business networks to obscure the origins of downstream attacks.
What Is AryStinger?
AryStinger is a previously undocumented malware botnet that specifically targets end-of-life D-Link router hardware. The botnet earns its name from its behavior: like a stinger missile, it is designed to be a precision, low-visibility tool that redirects and conceals attack traffic rather than causing direct damage to its victims.
The malware exploits known but unpatched vulnerabilities in older D-Link router firmware — devices that have long passed their end-of-support dates and will receive no official security fixes. Once a router is compromised, it becomes a transparent proxy: legitimate internet traffic passes through unaffected, while the botnet operators route their own traffic through the device to mask their true IP addresses.
Scale and Scope
Researchers identified:
- 4,000+ compromised D-Link routers across multiple countries
- Infections concentrated among home users and small businesses running outdated hardware
- Affected models include end-of-life D-Link devices no longer receiving firmware updates
- The botnet had been active for several months before detection
The infrastructure represents a classic residential proxy network — a category of tool highly valued by cybercriminals, nation-state actors, and fraud operators alike because traffic routed through residential IP addresses is far less likely to be blocked by IP reputation filters.
How Routers Are Compromised
AryStinger leverages a multi-stage infection process:
- Automated scanning — bots continuously scan the internet for D-Link routers running vulnerable firmware versions
- Exploitation — the malware exploits known, unpatched vulnerabilities in the router's web management interface or UPnP service
- Payload delivery — a lightweight malware implant is installed in the router's writable memory
- Proxy activation — the implant opens a port and registers the device with the AryStinger command-and-control infrastructure
- Persistent operation — because the implant runs in the router's operating environment, it survives typical consumer troubleshooting steps like modem power cycles
The malware does not require any interaction from the router owner and leaves minimal traces visible to the average user.
Why End-of-Life Routers Are Prime Targets
The targeting of end-of-life (EoL) hardware is a deliberate strategy. D-Link has ceased issuing firmware updates for many of its older router models, meaning any vulnerabilities discovered after the support end date will permanently remain exploitable.
This creates a long-lived, stable attack surface that threat actors can exploit indefinitely without risk of patches disrupting their access. Researchers estimate there are tens of millions of EoL consumer routers still in active use globally, representing a persistent and largely unaddressed attack surface.
Who Is at Risk?
Users are most at risk if they:
- Own a D-Link router purchased before 2018 that has not received recent firmware updates
- Are running a router that shows "End of Support" on D-Link's website
- Have not changed the default admin credentials on their router
- Have remote management or UPnP enabled on their router
The compromise has no visible impact on internet performance in most cases, making detection without active monitoring essentially impossible for the average user.
Detection and Remediation
For affected users:
- Check if your router model is EoL via D-Link's support portal
- Replace EoL hardware — if your router is no longer supported, replacement is the only truly safe option
- Disable remote management and UPnP — these services are common initial attack vectors
- Change default credentials — use a strong, unique admin password
- Perform a factory reset, followed by an immediate firmware update if a current update exists
- Monitor outbound connections using your ISP's router management tools or a network monitoring solution
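An added example (not from the researchers or D-Link) of what monitoring for this proxy behaviour can look like when flow records are available: it flags internet hosts that get a reply from the router itself and connections the router originates on its own, then pairs the two when they occur seconds apart. The record format, addresses, port allow-lists and time window are all assumptions constructed for the illustration.

```python
import ipaddress

# Constructed flow records (not from the AryStinger research), one per line:
# epoch proto reply_seen(Y/N) original_src:port original_dst:port
SAMPLE_FLOWS = """\
1700000000 tcp Y 192.168.0.23:51544 192.0.2.80:443
1700000005 udp Y 203.0.113.10:40112 198.51.100.53:53
1700000008 tcp N 198.51.100.200:55000 203.0.113.10:23
1700000010 tcp Y 198.51.100.77:40222 203.0.113.10:18080
1700000011 tcp Y 203.0.113.10:33310 192.0.2.15:443
1700000012 tcp Y 203.0.113.10:33311 192.0.2.99:25
1700000020 udp Y 203.0.113.10:123 198.51.100.123:123
1700000900 tcp Y 203.0.113.10:33400 192.0.2.44:80
"""

ROUTER_WAN = ipaddress.ip_address("203.0.113.10")  # assumed WAN address
LAN = ipaddress.ip_network("192.168.0.0/24")        # assumed LAN range
ROUTER_OWN_PORTS = {53, 123}  # assumed: the router itself only does DNS and NTP
FORWARDED_PORTS = set()       # assumed: no port forwards are configured
RELAY_WINDOW = 5              # seconds between inbound and relayed outbound


def parse(line):
    ts, proto, replied, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return (int(ts), replied == "Y", ipaddress.ip_address(s_ip),
            ipaddress.ip_address(d_ip), int(d_port))


def audit(text):
    inbound, originated, relays = [], [], []
    for line in filter(str.strip, text.splitlines()):
        ts, replied, s_ip, d_ip, d_port = parse(line)
        if (d_ip == ROUTER_WAN and s_ip not in LAN and replied
                and d_port not in FORWARDED_PORTS):
            # An internet host got an answer from a service on the router itself.
            inbound.append((ts, str(s_ip), d_port))
        elif s_ip == ROUTER_WAN and d_port not in ROUTER_OWN_PORTS:
            # The router, not a LAN client, opened a connection it has no reason to.
            originated.append((ts, str(d_ip), d_port))
            # Relay pattern: outbound shortly after an answered inbound session.
            relays += [(src, str(d_ip), d_port) for t, src, _ in inbound
                       if 0 <= ts - t <= RELAY_WINDOW]
    return {"inbound": inbound, "originated": originated, "relays": relays}


if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_FLOWS).items():
        print(kind, rows)
```

Extend ROUTER_OWN_PORTS with whatever the router legitimately does on its own (for example firmware checks) before treating a hit as evidence of compromise.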
Broader Context
AryStinger is the latest in a pattern of botnets targeting consumer network hardware. Researchers have documented similar campaigns exploiting TP-Link, Netgear, Asus, and other consumer routers over the past several years. The common thread is exploitation of unpatched, end-of-life devices that will never receive security fixes.
Law enforcement agencies and internet service providers have increasingly focused on router botnet disruption as a priority, given the infrastructure's utility to threat actors ranging from cybercriminals to state-sponsored hacking groups.
Users who suspect their router may be compromised should contact their ISP and consider replacing the device with supported hardware running current firmware.