{“lastseen”:”2026-06-22T15:36:51″,”description”:”Researchers have found that the recently discovered AryStinger botnet has quietly hijacked thousands of end\u2011of\u2011life D\u2011Link routers and some network-attached storage (NAS) devices, turning them into a distributed scanning and proxy network that attackers can use to hide their activity and launch attacks against other targets. \\n\\nHaving your devices under control of a botnet is not just a problem for the people being targeted. It can also put your own privacy and security at risk. \\n\\nThe AryStinger botnet is mainly built on compromised D\u2011Link DIR\u2011850L and DIR\u2011818LW routers. Although these devices are long past end\u2011of\u2011life, they are still widely used in homes and small offices, making them attractive targets for botnet operators. \\n\\nThe attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of routers. According to the researchers:\\n\\n\\u003e \u201cAt least 4,300 routers worldwide have already been infected, and the number is still continuously rising.\u201d\\n\\nBy targeting routers that are no longer supported by the vendor, the attackers gain access to devices that will never receive security patches but remain connected to the internet.\\n\\nAryStinger turns each infected device into what the researchers call an \u201cExecutor\u201d: a remotely controlled node that can scan networks, act as a proxy, create tunnels, and run commands on behalf of the attacker. \\n\\nThe botnet\u2019s controller splits large reconnaissance tasks into many smaller ones and distributes them across these Executors, effectively turning a fleet of consumer routers into a large-scale scanning platform.\\n\\nThe botnet’s primary purpose is reconnaissance at scale. The controller can:\\n\\n * Push scanning jobs (for IP ranges, open ports, DNS records) down to many Executors in parallel.\\n * Use those results to map networks, identify new vulnerable services, and prepare further compromises (\u201cfootprinting\u201d).\\n\\n\\n\\nFor owners of infected devices, a more worrying capability is AryStinger’s ability to tamper with DNS settings. This allows attackers to:\\n\\n * Redirect victims\u2019 browser traffic to phishing pages or malware\u2011hosting sites.\\n * Silently monitor and potentially steal all inbound and outbound network traffic passing through the router or NAS.\\n\\n\\n\\nThis can put otherwise well-protected devices at risk. Mobile phones, tablets, and laptops connected to the compromised router can be redirected as well.\\n\\n## How to tell if you’re impacted\\n\\nFor owners of an affected router or NAS, the immediate signs may be subtle or non\u2011existent. Possible indicators might be:\\n\\n * Slightly slower connectivity\\n * Occasional unexplained DNS failures or redirects\\n * Spikes in outbound traffic at odd times\\n\\n\\n\\nBut the underlying risks are serious enough:\\n\\n * **Privacy:** Attackers may be able to inspect or redirect your traffic, potentially capturing usernames, passwords, session cookies, or other sensitive data.\\n * **Liability and reputation:** Your IP address could be used for fraud, credential\u2011stuffing, harassment, or other criminal activity, potentially attracting attention from service providers or law enforcement\u2014something already seen in other proxy botnets.\\n * **Pivoting into your network:** Particularly on compromised NAS devices, attackers may be able to map internal networks and look for additional systems to target.\\n\\n\\n\\n## What to do\\n\\nThis is not the first time attackers have built a botnet from abandoned networking equipment. Unfortunately, the most effective solution is also the least popular one: Replace end-of-life routers and NAS devices. \\n\\nIf that\u2019s not an immediate option, there are some steps you can take to make your device harder to compromise:\\n\\n * **Apply the latest firmware** available for your device, even if it\u2019s old, and review any vendor security advisories for known vulnerabilities.\\n * **Change the default administrator password** to a unique, strong password or passphrase; never reuse passwords from other accounts.\\n * **Disable remote management** from the internet (WAN). Only access the admin interface from inside your home or office network.\\n * **Use WPA2 or WPA3** wireless encryption and a strong Wi\u2011Fi password to reduce the chance of local abuse.\\n * If your router supports it, **turn off unused services** such as UPnP on the WAN side or legacy remote access protocols.\\n * Run an **anti-malware scan** on computers and other devices connected to the router to check whether any were separately infected while traffic was being tampered with.\\n\\n\\n\\nEven if you apply all of these recommendations, an end-of-life router should be considered untrusted. Make plans to replace it as soon as you can.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-06-22T15:22:22″,”modified”:”2026-06-22T15:22:22″,”type”:”malwarebytes”,”title”:”Thousands of D-Link routers under control of AryStinger botnet”,”source”:””,”references”:””,”id”:”MALWAREBYTES:A0D999B5D88190CE5F2B8E2C477AAC4E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/06\/thousands-of-d-link-routers-under-control-of-arystinger-botnet”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-22T15:36:51″,”description”:”Researchers have found that the recently discovered AryStinger botnet has quietly hijacked thousands of end\u2011of\u2011life D\u2011Link routers and some network-attached storage (NAS) devices, turning them…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-64783","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n