AryStinger Botnet Turns Outdated Routers into Proxy Nodes for Cyberattacks
By Mag-Info Tech editorial · 2026-06-22

A previously unknown malware botnet named AryStinger has silently compromised more than 4,000 routers worldwide, converting outdated devices into remotely controlled proxy nodes that relay malicious traffic and perform reconnaissance on behalf of attackers. Security researchers tracking the campaign say AryStinger can split large scanning tasks across many infected routers, allowing threat actors to map networks, tunnel through firewalls, and intercept unencrypted web traffic without triggering alarms on the victim’s premises. The discovery highlights how legacy hardware—especially widely deployed consumer routers—remains a prime target for botnet operators seeking cheap, distributed infrastructure for early-stage intrusions.
The attackers do not need to breach high-value servers directly. Instead, they exploit long-fixed vulnerabilities in popular D-Link models such as the DIR-850L and DIR-818LW, devices that many owners stopped updating years ago. Once inside, AryStinger rewrites the router's DNS settings to steer client requests to malicious domains, logs traffic passing through the device (readable in the clear only where that traffic is unencrypted), and can execute arbitrary commands on the router itself. Telemetry shows nearly half of the infections concentrated in South Korea, followed by China, Sweden, Malaysia, and Singapore: a geographically uneven but expanding footprint.
How AryStinger Operates: From Infection to Proxy Execution
AryStinger spreads by targeting known weaknesses in embedded firmware, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. Patched firmware exists for each of these, but many owners never install updates, so the devices stay exploitable for years. After exploitation, the malware installs a lightweight agent that registers the router with a remote command-and-control (C2) server. The C2 then assigns tasks such as port scanning, DNS tunneling, or acting as a SOCKS proxy for relaying traffic and exfiltrating data.
A key innovation is AryStinger's distributed execution model. Instead of running all reconnaissance from a single server, the botnet divides large jobs, such as scanning an entire IP range, into smaller chunks and assigns each chunk to a different infected router. Each node therefore sends only a fraction of the probes, which speeds up the overall job and keeps any single source below the rate at which scan detection and IP reputation systems typically react. Researchers note that this approach mirrors tactics seen in other botnets, but AryStinger's use of consumer routers rather than PCs or servers makes it harder to trace back to the operator, because the probes arrive from ordinary residential addresses.
Once a router is enrolled, attackers can pivot into the network behind it. A home or small-office router is the boundary between the Internet and the LAN, so a compromised one already has a foothold on the inside: it can relay attacker traffic into segments that no inbound firewall rule would otherwise admit, enabling lateral movement or credential harvesting without the attacker ever touching the target organization's main firewall.
Two Malware Variants: C-Based for Routers, Go-Based for NAS Devices
Researchers have identified two variants of AryStinger. The primary strain is written in C and targets outdated routers, where it performs proxying, DNS hijacking, and basic command execution. A second, more advanced variant is written in Go and focuses on network-attached storage (NAS) systems, though it has a smaller footprint so far.

The Go-based version includes additional reconnaissance tools such as IP and DNS scanning, payload execution, and integration of open-source penetration testing utilities like Nmap and Metasploit modules. This suggests the operators are preparing for deeper intrusions, possibly targeting enterprise NAS devices that store sensitive data. While the number of NAS infections remains limited, the modular design indicates the malware can be upgraded quickly with new capabilities.
Notably, researchers observed that the distributed DNS-scanning infrastructure could theoretically generate large volumes of queries against upstream resolvers, potentially enabling denial-of-service or cache poisoning attacks. Although such activity has not yet been detected, the architecture is in place to support it at scale.
Why Consumer Routers Remain a Botnet Favorite
Consumer-grade routers are attractive to botnet operators for several reasons. First, they are rarely patched after initial deployment, leaving known vulnerabilities open for years. Second, their high-bandwidth, always-on connections provide reliable relay points for tunneling traffic. Third, they run no endpoint agent, keep little or no persistent logging, and are seldom looked at by their owners, so an infection can persist unnoticed.
The D-Link models targeted by AryStinger were also exploited by the AVrecon botnet, which was disrupted in 2023. That earlier campaign primarily used compromised routers for residential proxy services, selling access to cybercriminals. AryStinger appears to go further, using the same devices for active reconnaissance and traffic interception rather than just reselling bandwidth.
This pattern underscores a broader trend: as defenders harden servers and endpoints, attackers shift focus to the network edge—routers, modems, and IoT devices—where security practices lag behind. The result is a growing ecosystem of botnets that turn everyday hardware into silent proxies for cybercrime.
DNS Hijacking and Traffic Interception: Silent Risks for Users
Once AryStinger compromises a router, it can alter DNS settings to redirect user traffic to attacker-controlled domains. This technique, known as DNS hijacking, allows attackers to serve malicious content, harvest credentials, or inject ads without the user's knowledge. Because the redirection happens at the network level, every device that takes its resolver from the router (smartphones, tablets, smart TVs) is affected, regardless of what security software it runs. One caveat worth knowing: hijacking DNS does not by itself defeat TLS. A browser sent to the wrong server for an HTTPS site will see a certificate error unless the attacker also controls a certificate the client trusts, which is why DNS-based credential theft usually targets plain HTTP pages or relies on users clicking through warnings.
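To make that check concrete, here is an added Python example that is not code from the article or from the AryStinger research. It does what a practitioner does when a router is suspected of rewriting DNS: it builds a raw A query, can send it to a specific server (the router, then a trusted public resolver), parses the reply with transaction-ID checking, and compares the two answer sets; it also flags DHCP-advertised resolver addresses that are not on an expected list. The hostnames, addresses, resolver allowlist, and the constructed reply bytes are illustrative assumptions.

```python
import random
import socket
import struct
from typing import Dict, List, Optional


def _encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: header with RD set, one A/IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Return the sorted IPv4 answers from a DNS response; raise on malformed input."""
    if len(resp) < 12:
        raise ValueError("short response")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")  # spoofed or stale reply
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return sorted(addrs)


def build_a_response(txid: int, name: str, addrs: List[str]) -> bytes:
    """Constructed reply for offline testing; mirrors what a resolver sends back."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


def resolve_a(name: str, server: str, timeout: float = 2.0) -> List[str]:
    """Live lookup over UDP/53 against one chosen server (needs network access)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, txid)


def hijack_verdicts(router: Dict[str, List[str]], trusted: Dict[str, List[str]]) -> Dict[str, str]:
    """Per name: 'ok' if the router's answers overlap the trusted ones (CDNs rotate
    addresses, so exact equality is too strict), 'mismatch' if disjoint,
    'suppressed' if the router returned nothing at all."""
    verdicts = {}
    for name, good in trusted.items():
        seen = router.get(name, [])
        if not seen:
            verdicts[name] = "suppressed"
        elif set(seen) & set(good):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def check_dhcp_resolvers(offered: List[str], allowlist: List[str]) -> List[str]:
    """Resolver addresses the router hands out that are not on the expected list
    (assumed allowlist: whatever your ISP or organization actually uses)."""
    return [ip for ip in offered if ip not in set(allowlist)]
```

In use, call `resolve_a(name, "192.168.1.1")` for a handful of sites you care about (your bank, webmail, the router vendor's update host) and `resolve_a(name, "1.1.1.1")` for the same names, then feed both dictionaries to `hijack_verdicts`; a `mismatch` on a login domain, or a resolver address from `check_dhcp_resolvers` you do not recognise, is grounds to treat the router as compromised.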
In addition to DNS manipulation, AryStinger can silently monitor and log unencrypted traffic passing through the router: plaintext email protocols, FTP file transfers, and HTTP web sessions, a rich data source for credential theft or corporate espionage. Encrypted traffic is not readable by default. A man-in-the-middle on the router only yields plaintext if a client trusts a certificate the attacker controls (for example, a rogue CA installed on the device) or a user clicks through a certificate warning, so HTTPS, TLS-protected mail transport, and HSTS substantially limit what a compromised router can actually read.
For home users, the risk is elevated if they rely on outdated routers for internet access. Many ISPs provide hardware that is rarely updated, and users often lack the technical skill or motivation to apply firmware patches manually. For small businesses, the stakes are higher: a compromised router can serve as a beachhead for attackers moving laterally into company servers, databases, or cloud accounts.
Detection and Mitigation: What Users and Admins Can Do
The most effective defense against AryStinger is to update router firmware immediately. Users should check the manufacturer's support site for the latest patches, even for older models. If no updates are available, replacing the device is the safest option. Users should also confirm that the DNS servers the router hands out via DHCP, and the ones configured on its WAN side, are the ones they or their ISP actually chose; an unexplained resolver address is a strong sign of hijacking. Network administrators should monitor DNS queries from edge devices for anomalies, such as sudden spikes in requests to unfamiliar domains.
Enterprises can deploy network detection tools that inspect traffic at the router level, looking for unusual proxy behavior or unauthorized command execution. Segmenting IoT and router traffic onto separate VLANs can limit lateral movement if a device is compromised. For NAS systems, disabling remote access unless absolutely necessary and enabling multi-factor authentication can reduce exposure to the Go-based variant.
Security teams should also review firewall logs for outbound connections originating from consumer-grade routers, especially to unusual ports or to many distinct destinations in a short window, which may indicate proxying or scanning on behalf of a botnet. Scanning internal ranges for devices that expose their management interface or report end-of-life firmware versions helps find candidates before they are used for reconnaissance or data exfiltration.
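The two log checks recommended above (DNS anomalies from edge devices, and outbound connections originating from a consumer router) are easy to automate. This added Python example, which is not code from the article or from any vendor tool, runs both over constructed iptables LOG lines and dnsmasq query lines; the addresses, port allowlist, baseline domains, and thresholds are illustrative assumptions to replace with your own environment's values.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Regexes for two common formats: iptables LOG target lines and dnsmasq query logs.
FW_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)
DNS_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Constructed sample data (assumption: 10.10.5.1 is a branch-office consumer router
# sitting behind the perimeter firewall that produced these lines).
ROUTER_IPS = {"10.10.5.1"}
ALLOWED_PORTS = {53, 123, 443}          # DNS, NTP, vendor update checks
BASELINE = {"example.com", "example.net"}  # domains this site normally resolves

FW_LOG = """\
Jun 22 10:01:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40001 DPT=1080 SYN
Jun 22 10:01:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40002 DPT=443 SYN
Jun 22 10:01:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
Jun 22 10:01:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=198.51.100.11 LEN=60 PROTO=TCP SPT=40004 DPT=22 SYN
Jun 22 10:01:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=198.51.100.12 LEN=60 PROTO=TCP SPT=40005 DPT=22 SYN
Jun 22 10:01:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=198.51.100.13 LEN=60 PROTO=TCP SPT=40006 DPT=22 SYN
Jun 22 10:01:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.40 DST=203.0.113.50 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Jun 22 10:01:07 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=192.0.2.53 LEN=60 PROTO=UDP SPT=5353 DPT=53
Jun 22 10:01:08 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.10.5.1 DST=192.0.2.77 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

DNS_LOG = """\
Jun 22 10:02:00 ns1 dnsmasq[512]: query[A] www.example.com from 10.10.5.23
Jun 22 10:02:01 ns1 dnsmasq[512]: query[A] n1.rr-dns.example from 10.10.5.1
Jun 22 10:02:01 ns1 dnsmasq[512]: query[A] n2.rr-dns.example from 10.10.5.1
Jun 22 10:02:01 ns1 dnsmasq[512]: query[A] n3.rr-dns.example from 10.10.5.1
Jun 22 10:02:02 ns1 dnsmasq[512]: query[AAAA] mail.example.com from 10.10.5.23
Jun 22 10:02:03 ns1 dnsmasq[512]: query[A] cdn.example.net from 10.10.5.23
"""


def parse_fw(line: str) -> Optional[dict]:
    """Extract src, dst, proto and destination port (None for portless protocols)."""
    m = FW_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None}


def flag_router_egress(lines: Iterable[str], router_ips: Set[str],
                       allowed_ports: Set[int], fanout_threshold: int = 4) -> dict:
    """Flag (1) router-originated connections to ports outside the allowlist and
    (2) one router reaching many distinct destinations on a single port, which is
    what a distributed scan chunk looks like from the perimeter."""
    unexpected: List[Tuple[str, str, str, int]] = []
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_fw(line)
        if not rec or rec["src"] not in router_ips or rec["dpt"] is None:
            continue  # not a monitored router, or no port to reason about (ICMP)
        targets[(rec["src"], rec["dpt"])].add(rec["dst"])
        if rec["dpt"] not in allowed_ports:
            unexpected.append((rec["src"], rec["dst"], rec["proto"], rec["dpt"]))
    fanout = sorted((src, dpt, len(dsts)) for (src, dpt), dsts in targets.items()
                    if len(dsts) >= fanout_threshold)
    return {"unexpected_port": unexpected, "fanout": fanout}


def registrable(name: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain (no PSL)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def flag_dns_fanout(lines: Iterable[str], baseline: Set[str], threshold: int = 3) -> Dict[str, int]:
    """Sources that queried at least `threshold` distinct names outside the baseline."""
    unfamiliar: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = DNS_RE.search(line)
        if m and registrable(m["name"]) not in baseline:
            unfamiliar[m["src"]].add(m["name"].lower())
    return {src: len(names) for src, names in unfamiliar.items() if len(names) >= threshold}


def run_demo() -> Tuple[dict, Dict[str, int]]:
    """Run both detectors over the constructed samples."""
    return (flag_router_egress(FW_LOG.splitlines(), ROUTER_IPS, ALLOWED_PORTS),
            flag_dns_fanout(DNS_LOG.splitlines(), BASELINE))
```

On the sample above the egress detector reports the router's SOCKS-looking connection to port 1080 and its four SSH probes as unexpected, and groups the latter as a fan-out on port 22; the DNS detector reports the router alone for three unfamiliar names. The thresholds are deliberately low for the small sample; in production they are tuned against a week or two of baseline traffic, and the registrable-domain shortcut should be replaced with a public-suffix list.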
The Broader Botnet Landscape: From AVrecon to AryStinger
AryStinger is the latest in a line of botnets that weaponize consumer and SOHO networking hardware. AVrecon, dismantled in 2023, used compromised routers to sell residential proxies to cybercriminals. Mozi and Mirai focused on IoT devices, while TrickBot and Emotet leveraged compromised endpoints for initial access. AryStinger’s distributed execution model and dual-variant design show how botnets are evolving from simple DDoS tools into full-spectrum attack platforms.

What sets AryStinger apart is its focus on early-stage reconnaissance and traffic interception, rather than just monetizing bandwidth. By turning routers into stealthy proxies, attackers can map networks, harvest credentials, and move laterally with minimal risk of detection. This shift reflects a broader maturation of the cybercrime economy, where botnets are increasingly used for targeted intrusions rather than mass attacks.
What to Watch Next: DNS Abuse and NAS Targeting
While AryStinger’s current activity centers on proxying and traffic interception, researchers warn that its DNS-scanning infrastructure could be repurposed for large-scale DNS abuse. A coordinated campaign of query floods against upstream resolvers could disrupt services or poison caches, affecting entire regions. Similarly, the Go-based NAS variant, though currently limited in scope, signals an expansion into higher-value targets.
Organizations should prepare for the possibility of AryStinger or similar malware being used in supply-chain attacks, where compromised NAS devices serve as staging points for software updates or file shares laced with malware. Security teams should audit all network-attached storage devices, enforce least-privilege access, and monitor for unauthorized command execution.
For end users, the lesson is clear: outdated routers are not just slow or inconvenient—they are security liabilities. Replacing or updating them is one of the most cost-effective ways to reduce exposure to botnets like AryStinger.
Practical Steps to Stay Protected
- Update firmware on all routers, modems, and NAS devices immediately. If no updates are available, consider replacing the hardware.
- Change default admin passwords and disable WAN-side remote management unless it is genuinely required.
- Monitor DNS queries for unexpected domains or spikes in activity.
- Segment IoT and router traffic on separate VLANs to limit lateral movement.
- Enable multi-factor authentication on NAS and router admin interfaces.
- Review firewall logs for outbound connections from consumer-grade devices.
- Deploy network detection tools that can flag proxy behavior or unauthorized command execution.
- Educate users and employees about the risks of outdated networking hardware.
AryStinger’s rise is a reminder that the internet’s edge remains a soft underbelly. As long as millions of routers and NAS devices run unpatched software, botnets will continue to recruit them as silent proxies. The only effective countermeasure is proactive patching, vigilant monitoring, and a willingness to retire outdated hardware before it becomes a weapon against you.