
AryStinger Botnet Transforms Legacy Routers into Global Proxies


Research Links 4,300 End-of-Life D-Link Routers to Attack Staging

The operators of a newly identified botnet, AryStinger, are exploiting a large number of outdated routers around the globe. The hijacked devices are used for distributed reconnaissance, proxying, and staging of future attack campaigns, underscoring the risk that legacy equipment continues to pose.

Researchers from XLab, the threat intelligence division of QiAnXin Technology, reported that AryStinger has already compromised at least 4,300 routers, a figure expected to rise as the investigation into the botnet’s behavior and preferred methods of attack continues. The botnet specifically targets aging D-Link routers built on Realtek RTL819x chipsets, which were common in models produced between 2012 and 2015. The campaign illustrates the security risk posed by hardware that has long exceeded its useful lifespan.

The botnet was first detected on March 12, when researchers observed it spreading from a single IP address, 107.150.106.14. AryStinger distributed a Linux ELF sample with no VirusTotal detections by exploiting two well-known vulnerabilities, CVE-2013-3307 and CVE-2016-5681, which affect Linksys and D-Link models respectively. This profile sets it apart from more typical router botnets, which are commonly used for Distributed Denial of Service (DDoS) attacks.

Instead of immediately launching attacks, AryStinger functions primarily as a reconnaissance and proxy network. This mode of operation lets its operators establish a foothold inside consumer networks and escalate from there. Infected routers can scan the internet for potential targets, identify unsecured services or access points, and tunnel traffic so that the operators’ commands can be executed.

The researchers offered a compelling analogy to illustrate AryStinger’s capabilities, likening the botnet to an embedded "permanent ‘invisible listening device’ and ‘attack springboard’" within consumer networks. This analogy succinctly encapsulates the covert nature of the botnet’s operations and its potential to gather intelligence on future targets with alarming efficiency.

The primary hardware targeted by AryStinger includes the D-Link models DIR-850L and DIR-818LW, both of which are now considered to be end-of-life devices. A significant concentration of the infected routers is reported in South Korea and China. With their inherent vulnerabilities, these aging devices serve as soft targets for the botnet, reiterating the necessity for users to transition to newer, more secure equipment.

Exploiting decade-old vulnerabilities gives AryStinger initial access to these devices, after which it establishes persistence for long-term control. Following the compromise, the malware installs an SSH backdoor and alters the router’s configuration to ensure ongoing access. This tampering with device configuration underscores the need for greater awareness of the security implications of outdated hardware.

In a further development, researchers observed a second variant of AryStinger on April 26, targeting QNAP network-attached storage (NAS) devices through a distinct vulnerability, CVE-2025-11837. This flaw is a now-patched code injection issue in QNAP’s Malware Remover application, indicating that the botnet’s creators are continuously searching for new avenues to expand their operations.

This situation serves as a stark reminder of the importance of maintaining security protocols and upgrading obsolete devices regularly. As technology advances, it becomes crucial to ensure that devices are monitored for potential vulnerabilities, especially those that have exceeded their expected lifespan. The revelations surrounding the AryStinger botnet warn of the critical need for consumers to remain vigilant in their digital security practices.

As cyber threats evolve and mature, the responsibility lies not only with companies to improve their cybersecurity measures but also with consumers to understand the risks associated with outdated technology. The AryStinger botnet exemplifies how easily hackers can exploit neglect in cybersecurity, particularly through the channels presented by legacy hardware. It serves as a call to action for individuals and organizations alike to prioritize robust cybersecurity measures and awareness.
