AryStinger Botnet Malware Found Taking Over More Than 4,000 Older D-Link Routers for Cyberattack Operations

337/69 Tuesday, June 23, 2026

Cyber threat researchers from XLab have detected a new botnet named AryStinger, which has taken control of more than 4,000 outdated routers worldwide. The malware turns compromised devices into remotely controlled operational nodes for attackers. This incident represents a significant threat because attackers can use these devices to carry out malicious activities, such as large-scale network scanning, proxy operations, traffic interception, system command execution, and DNS configuration tampering to redirect users’ web traffic without the device owners knowing the cause.

Analysis found that AryStinger exploits old security vulnerabilities in End-of-Life devices that have not been patched, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The botnet primarily targets D-Link DIR-850L and DIR-818LW routers. In addition, the malware has been developed into two variants: a C-based variant designed to attack routers and a Go-based variant targeting network-attached storage (NAS) devices. The Go-based variant has advanced capabilities for IP scanning and system command execution. System logs and threat monitoring evidence indicate that the latest malware version, V2.0.28, instructs infected devices to connect to command-and-control servers to retrieve updates and continuously scan targets over the HTTP protocol. This activity has been observed since mid-March 2026, with the highest infection rates found in South Korea and China.

Experts are still investigating to identify the threat actors behind the attack. However, to reduce risk, users and administrators operating End-of-Life routers or NAS servers should consider replacing them with newer devices that continue to receive security support. For devices that are still supported, firmware should be updated to the latest version immediately. In addition, administrator account passwords should be changed from default values, and access to device management interfaces from the external internet should be blocked to strengthen security and prevent long-term unauthorized control by threat actors.

Source: https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/