AryStinger botnet hijacks thousands of outdated D-Link routers as proxies

Researchers at XLab have documented a previously unknown botnet called AryStinger that has taken over more than 4,000 outdated routers, mostly D-Link DIR-850L and DIR-818LW models, and turned them into proxies for malicious traffic. It spreads by exploiting old, unpatched vulnerabilities and can scan networks, tunnel and proxy traffic, run commands, and tamper with DNS settings to hijack users' browsing. A more advanced Go-based variant targets NAS devices and adds internal network reconnaissance using open-source pentest tools. Infections cluster in South Korea and China but reach Sweden and Southeast Asia too. The compromised devices are end-of-life and will not receive fixes.

Check
Identify end-of-life D-Link routers and internet-exposed NAS devices on your networks, check for unexpected DNS settings, outbound proxy or tunneling traffic, and signs of remote command execution or scanning.
Affected
Outdated, end-of-life D-Link routers (notably DIR-850L and DIR-818LW) and exposed NAS devices running unpatched firmware; tampered DNS can silently hijack browsing for every device behind the router.
Fix
Replace end-of-life routers with supported models, update firmware on NAS devices, change default credentials, disable remote management and internet-exposed admin interfaces, and reset DNS settings to trusted resolvers.
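
The Check and Fix items above can be run as an inventory audit. The sketch below is an added example, not XLab's tooling or code from the article. It assumes a hypothetical CSV export of your devices with the columns shown. Device names, the trusted-resolver list and all addresses are constructed.

```python
import csv
import io
import ipaddress

# Models the article names as end-of-life targets.
EOL_MODELS = {"DIR-850L", "DIR-818LW"}
# Assumption: the resolvers your organisation trusts (constructed documentation addresses).
TRUSTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}

# Constructed sample inventory; the column layout is an assumption for this example.
SAMPLE_INVENTORY = """\
name,vendor,model,dns_servers,remote_admin
branch-gw-1,D-Link,DIR-850L,192.0.2.53 192.0.2.54,no
branch-gw-2,D-Link,dir-818lw,203.0.113.66,yes
hq-gw,ExampleVendor,EX-1000,192.0.2.53,no
lab-nas,ExampleVendor,NAS-2,192.0.2.53 not-an-ip,yes
"""

def audit(inventory_csv):
    """Return {device name: [issues]} for devices that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        # Model strings vary in case between exports, so normalise first.
        if row["model"].strip().upper() in EOL_MODELS:
            issues.append("eol-model")
        servers = row["dns_servers"].split()
        if not servers:
            issues.append("no-dns-configured")
        for raw in servers:
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                # A malformed entry is itself worth a look, not a silent skip.
                issues.append(f"unparseable-dns:{raw}")
                continue
            if addr not in TRUSTED_RESOLVERS:
                issues.append(f"untrusted-dns:{addr}")
        if row["remote_admin"].strip().lower() == "yes":
            issues.append("remote-admin-exposed")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```

A device flagged only as eol-model still needs replacing, since the article notes these models will not receive fixes.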