security · jun 21, 2026 · 17:23 utc

AryStinger Botnet: 4,300 D-Link Routers Hijacked as Proxies

AryStinger botnet has hijacked 4,300+ D-Link and Linksys routers since March 12, 2026, using a zero-detection ELF payload to build a covert proxy and recon network.

by Emanuel De Almeida

Illustration: The AryStinger botnet, showing thousands of compromised legacy routers distributed around the globe, all linked into a covert network that attackers use for reconnaissance and as proxy nodes to relay malicious traffic

TL;DR

AryStinger botnet - key facts at a glance:

  • AryStinger has infected at least 4,300 routers globally, primarily older D-Link and Linksys models, first detected on March 12, 2026.
  • The botnet exploits two long-unpatched CVEs - CVE-2013-3307 and CVE-2016-5681 - to drop a zero-detection ELF payload written in C.
  • Unlike DDoS botnets, AryStinger is built for stealth reconnaissance: port scanning, service fingerprinting, and subdomain enumeration.
  • A second Go-written sample appeared on April 26, 2026, targeting NAS devices via CVE-2025-11837 (as reported by XLab; NVD assignment pending).
  • Infected routers are enrolled as persistent proxy nodes, identified by device fingerprint and assigned unique Executor IDs by a C2 server.

Which Devices Does AryStinger Target?

Over 4,300 routers are confirmed compromised, with D-Link hardware making up the majority of victims, per XLab's published research. Linksys devices also appear in the infection pool. Both product families share one critical trait: outdated firmware tied to vulnerabilities disclosed years ago.

These are not niche edge cases. They are common home and small-office routers still in active use worldwide. Forescout's 2026 research found that routers and switches now average 32 vulnerabilities per device and account for more than 50% of the most critical vulnerabilities across enterprise networks - overtaking endpoints as the riskiest IT device category.

XLab identified the botnet's footprint by mapping deployments of dropbear SSH on a specific non-standard port. That port acts as a reliable fingerprint, letting analysts count active bots without needing full malware analysis first.

How Does AryStinger Get In?

Two known CVEs, both years old, are the entry points. CVE-2013-3307 affects legacy Linksys models. CVE-2016-5681 targets D-Link devices. Neither vulnerability is new - both have been public for a decade or more, yet thousands of routers remain unpatched and internet-exposed.

The patch gap is not surprising given industry-wide data. The Verizon 2025 Data Breach Investigations Report found that only 54% of vulnerable perimeter and edge devices were fully remediated within a year, with a median patching lag of 32 days. For end-of-life hardware, the lag is permanent.

Once an exploit lands, AryStinger drops an ELF binary written in C. That sample carried zero detections at the time of discovery on March 12, 2026, as reported by BleepingComputer. Standard antivirus tools on downstream systems would not flag traffic originating from these infected routers.

D-Link's vulnerability exposure is an established pattern. CISA added five D-Link vulnerabilities to its Known Exploited Vulnerabilities catalog in 2025 alone, with attackers consistently targeting flaws years after initial disclosure - and well after D-Link stopped supporting the products.

Chart: CISA D-Link KEV Additions by Year (2022-2026)

What Makes AryStinger Unusual Among IoT Botnets?

This botnet skips the DDoS playbook entirely. Most IoT malware monetizes compromised hardware through volumetric attacks or cryptomining. AryStinger does neither. Its primary function is building hidden reconnaissance infrastructure that operators can point at targets, per XLab's analysis.

Capabilities documented by XLab include:

  • Internal and external network scanning
  • Service identification and subdomain enumeration
  • Traffic tunnel forwarding and proxying
  • System command execution
  • Deployment of source-level payloads in Go, Java, and Python
  • Persistent remote management channels via dropbear or gs-netcat

That capability profile matches a contractor toolset for targeted intrusion operations, not a commodity botnet sold by the gigabit. The distinction matters for defenders: volumetric detection tools will not catch it.

Routers are the obvious target for this approach. Zscaler's ThreatLabz mid-2025 report found that routers accounted for over 75% of all observed IoT cyberattacks, due to their ubiquity, weak default security, and position at network choke points.

How Does AryStinger Communicate and Stay Hidden?

Network traffic is encoded with Protobuf and XOR encryption, keeping C2 communications opaque to basic inspection, according to XLab. Before a compromised device receives any tasks, it must authenticate. The malware collects a device fingerprint - MAC address, public and internal IP, OS version, and CPU architecture - then sends it to the C2 server.

The C2 assigns each authenticated device a unique Executor ID. This registration step means the operator maintains an organized, queryable inventory of their infrastructure. Bots are tracked assets, not anonymous cannon fodder. The level of operational discipline that implies points toward a deliberate, capability-focused campaign rather than opportunistic mass infection.

On April 26, 2026, a second AryStinger sample appeared. Written in Go and targeting NAS devices via CVE-2025-11837 (as reported by XLab; NVD assignment pending at time of writing), its source code path exposed the internal project name Ary-Attack - which is how the botnet received its public name. The shift to Go and expansion to NAS hardware signals active development.

This pattern fits a broader trend. The Verizon 2025 DBIR recorded a 34% year-over-year increase in vulnerability exploitation as an initial breach vector, with edge devices and VPNs driving an eightfold increase in vulnerability-based entry. AryStinger is exactly the kind of campaign that trend describes. For context on how similar stealthy credential-theft operations exploit edge infrastructure, see FortiBleed: 73,932 Fortinet VPN Credentials Exposed.

What Should Admins Do Now?

Any D-Link or Linksys router running firmware from the 2013-2016 era should be treated as potentially compromised until confirmed clean. Defenders have specific, actionable steps available immediately.

  • Check for active dropbear SSH on non-standard ports. Scan your network for unexpected SSH listeners:

```shell
nmap -p 2222,3333,5555 <subnet>
```

    Adjust the port list based on current threat intelligence updates from XLab.

  • Audit outbound connections from router management IPs. Look for Protobuf-shaped binary traffic or connections to unfamiliar IPs on non-HTTP ports.
  • Replace end-of-life hardware. D-Link and Linksys models affected by CVE-2013-3307 and CVE-2016-5681 have no vendor-supported patch path. Replacement is the only fix.
  • Apply firewall rules to block remote management interfaces. Disable WAN-side access to the admin UI in your router settings.
  • Monitor NAS devices for signs of CVE-2025-11837 exploitation, particularly unexpected inbound SSH or outbound scanning activity.
  • Check logs for unusual subdomain lookups or port sweeps originating from router IPs. Those are AryStinger's primary operational signatures.
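The last two signatures above, port sweeps and subdomain-enumeration bursts sourced from a router IP, can be pulled out of ordinary connection and resolver logs. The script below is an added example, not code from the article or from XLab; the router address, thresholds, log layout and sample records are all assumptions constructed for the demonstration.

```python
"""Flag port sweeps and subdomain-enumeration bursts originating from router IPs."""
from collections import defaultdict

ROUTER_IPS = {"192.168.1.1"}  # assumed management address of the router under review

# Constructed sample records (not from the article or XLab's report), one per line:
# "<src> <dst> <dport>" for connections and "<src> <queried name>" for DNS lookups.
CONN_LOG = "\n".join(
    [f"192.168.1.1 10.0.0.5 {p}" for p in (21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3389, 8080)]
    + ["192.168.1.1 10.0.0.9 443", "192.168.1.50 10.0.0.5 443", "192.168.1.50 10.0.0.5 80"]
)
DNS_LOG = "\n".join(
    [f"192.168.1.1 {sub}.example.com"
     for sub in ("www", "mail", "vpn", "dev", "staging", "git", "jira", "sso", "api")]
    + ["192.168.1.50 www.example.com", "192.168.1.50 cdn.example.net"]
)


def find_port_sweeps(conn_log, router_ips, min_ports=10):
    """Return {(src, dst): distinct ports} for router sources touching >= min_ports ports on one host."""
    ports = defaultdict(set)
    for line in conn_log.splitlines():
        src, dst, dport = line.split()
        if src in router_ips:
            ports[(src, dst)].add(int(dport))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def parent_domain(name):
    # Assumption: the zone being enumerated is the last two labels (no public-suffix handling).
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_subdomain_enumeration(dns_log, router_ips, min_subdomains=8):
    """Return {(src, zone): distinct names} for router sources querying many names under one zone."""
    seen = defaultdict(set)
    for line in dns_log.splitlines():
        src, qname = line.split()
        if src in router_ips:
            seen[(src, parent_domain(qname))].add(qname.lower())
    return {key: len(n) for key, n in seen.items() if len(n) >= min_subdomains}


if __name__ == "__main__":
    for (src, dst), n in find_port_sweeps(CONN_LOG, ROUTER_IPS).items():
        print(f"port sweep: {src} -> {dst} touched {n} distinct ports")
    for (src, zone), n in find_subdomain_enumeration(DNS_LOG, ROUTER_IPS).items():
        print(f"subdomain enumeration: {src} queried {n} names under {zone}")
```

Feed it your own firewall and resolver exports in the same three- and two-column shape, and tune the thresholds to the baseline of your routers' normal traffic.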

When we replicated XLab's detection approach in a lab environment using a spare end-of-life D-Link unit, the dropbear SSH listener on a non-default port appeared within minutes of the simulated compromise - and was completely invisible to the router's own admin interface. Checking only the router's UI gives a false sense of cleanliness. External port scanning is the only reliable check.

Hardware replacement is painful, but it is the correct answer here. CISA confirmed active exploitation of a D-Link Go-RT-AC750 buffer overflow (CVE-2022-37055) in December 2025, noting the device is end-of-life and will never receive a patch. AryStinger's targets share the same no-patch-ever status.

For defenders managing broader patch hygiene across infrastructure, the process of expediting critical updates is covered in Intune Expedited Windows Quality Updates: Step-by-Step. For teams running edge authentication infrastructure, reviewing Disable Remember MFA on Trusted Devices in Microsoft Entra ID reduces lateral risk if a proxy node is used to intercept sessions.

AryStinger is not an isolated incident. CISA added a command injection flaw in end-of-life D-Link DIR-823X routers (CVE-2025-29635) to its KEV catalog in April 2026, with Akamai reporting active attempts to deliver a Mirai variant via the same flaw. The D-Link attack surface is actively hunted.

Organizations running mixed authentication infrastructure should also review Broken Entra Access Controls Exposed FIFA World Cup Streams for an example of how proxy-layer exposure intersects with identity plane vulnerabilities. And for teams assessing broader edge device risk, CVE-2026-50751: Check Point Gaia OS IKEv1 Authentication Bypass Allows Unauthorized VPN Access illustrates how authentication bypass on perimeter devices enables the same class of persistent access AryStinger seeks.

Frequently Asked Questions

Is AryStinger Actively Attacking Its Victims' Networks?

Not directly - at least not in documented cases so far. The botnet's confirmed purpose is reconnaissance and proxy infrastructure, not direct exploitation of its operators' targets. Infected routers serve as relay nodes. The capability for command execution and payload deployment is built in and ready to activate, per XLab's findings.

Can I Patch My Way Out of This?

No patch exists for the affected hardware. CVE-2013-3307 and CVE-2016-5681 affect devices that are past end-of-life. Vendors will not release firmware updates. The only secure option is replacing the hardware with a supported model that receives active security updates. No configuration change fixes an unpatched code-level vulnerability.

How Was the AryStinger Botnet Discovered?

XLab researchers first detected AryStinger on March 12, 2026, after capturing a zero-detection ELF sample in the wild, as reported by BleepingComputer. The botnet's consistent use of dropbear SSH on a fixed non-standard port gave analysts a reliable fingerprint. That made asset counting and campaign tracking feasible without needing full binary analysis of every infected device.

Who Is Behind AryStinger?

Attribution has not been publicly confirmed. The internal project name Ary-Attack and multi-language payload support in Go, Java, and Python point to a technically capable operator. XLab's published research stops short of attributing the campaign to a specific threat actor or nation-state group. No public claim of responsibility has appeared.

Are Other Edge Devices Facing Similar Botnet Threats Right Now?

Yes - edge device exploitation is accelerating broadly. The Verizon 2025 DBIR recorded an eightfold increase in edge device and VPN exploitation year-over-year. Recent examples include Ransomware Group Gentlemen Deploys Multi-EDR Killer Suite, which used compromised perimeter access as a staging point, and CVE-2026-0257: Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass, another perimeter device flaw under active scrutiny.

source: www.anavem.com