A previously undocumented malware botnet named AryStinger has been found infecting thousands of outdated D-Link routers worldwide. The malware turns the compromised devices into proxies that route malicious traffic, allowing attackers to anonymize their operations.

The scale of the infection is significant, with BleepingComputer reporting that more than 4,000 outdated routers have been compromised. The botnet primarily targets legacy router models that no longer receive firmware updates, leaving them vulnerable to exploitation.

Technical analysis reveals that AryStinger gains initial access by scanning for routers with weak or default credentials. Once inside, it installs a persistent backdoor that communicates with command-and-control servers for instructions. The malware then configures the router to act as a SOCKS proxy, enabling attackers to route malicious web traffic through the device.
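For checking your own gateway against the proxy behaviour described above, the following is an added example and not code from the article or from any analysis of AryStinger. It sends a single SOCKS5 greeting and classifies the answer. The article says only "SOCKS", so SOCKS5 (RFC 1928) is an assumption, and the gateway address and port list are placeholders.

```python
import socket

# SOCKS5 greeting (RFC 1928): version 5, two methods offered:
# 0x00 = no authentication, 0x02 = username/password.
GREETING = b"\x05\x02\x00\x02"

def classify_reply(reply: bytes) -> str:
    """Interpret the bytes a listener returned to the SOCKS5 greeting."""
    if len(reply) < 2 or reply[0] != 0x05:
        return "not-socks5"
    method = reply[1]
    if method == 0x00:
        return "socks5-open"        # proxy usable without credentials
    if method == 0x02:
        return "socks5-auth"        # proxy present, wants user/password
    if method == 0xFF:
        return "socks5-no-method"   # proxy present, rejected offered methods
    return "socks5-other"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one greeting to host:port and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(GREETING)
            reply = b""
            while len(reply) < 2:           # the reply is exactly two bytes
                chunk = s.recv(2 - len(reply))
                if not chunk:               # peer closed early
                    break
                reply += chunk
            return classify_reply(reply)
    except OSError:                         # refused, unreachable or timed out
        return "closed"

def audit(host: str, ports) -> dict:
    """Return only the ports on which something answered as SOCKS5."""
    results = {p: probe(host, p) for p in ports}
    return {p: r for p, r in results.items() if r.startswith("socks5")}

if __name__ == "__main__":
    # Assumed values: substitute your own gateway address. The port list is
    # a guess at common proxy ports, not taken from the article.
    print(audit("192.168.0.1", [1080, 1081, 3128, 8080, 9050]))
```

Any `socks5-*` result on a router that was never configured as a proxy is worth investigating; an empty result only means nothing answered on the ports tried.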

No patches are currently available for the affected models, as they are end-of-life and no longer receive security updates from D-Link. Users are strongly advised to replace any outdated routers with newer, supported models that still receive firmware patches.

Attribution for the botnet remains unknown, but the campaign appears focused on maintaining a resilient proxy network rather than data theft. This case highlights the growing threat that unpatched legacy networking gear poses as part of the global attack surface.