Cybersecurity researchers have discovered a previously undocumented malware botnet called AryStinger that has infected more than 4,000 outdated routers worldwide.
According to researchers at Qianxin's XLab, the malware turns infected devices into remote-controlled systems that can be used for scanning networks, relaying malicious traffic, and carrying out attacks. This allows attackers to split large tasks across many infected devices.
AryStinger mainly targets older D-Link router models, including the DIR-850L and DIR-818LW, by exploiting known security flaws (CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837). Researchers warn that the malware can also change DNS settings, monitor internet traffic, and potentially steal sensitive data.
Nearly half of all known infections are located in South Korea, followed by China, Sweden, Malaysia, and Singapore.
Researchers found two versions of AryStinger, one of which is designed for routers, and the second is a more advanced variant that targets network-attached storage (NAS) devices. The NAS version can execute commands, scan networks, and run code written in several programming languages.