Security researchers have uncovered a previously undocumented malware botnet called AryStinger that has infected more than 4,000 outdated routers and network-attached storage (NAS) devices worldwide. The malware primarily targets older D-Link routers, including the DIR-850L and DIR-818LW models, exploiting known vulnerabilities to gain control of devices.
Once installed, AryStinger transforms compromised systems into remotely managed proxies capable of scanning networks, executing commands, tunneling traffic, and supporting other malicious operations. Researchers say attackers can distribute tasks across thousands of infected devices, making reconnaissance and intrusion attempts more efficient and difficult to trace.
The malware also poses a significant privacy risk. It can alter DNS settings to redirect internet traffic, monitor network activity, and potentially intercept sensitive data passing through affected devices.
According to researchers, nearly half of all infections are located in South Korea, with China, Sweden, Malaysia, and Singapore also heavily affected. Two versions of AryStinger have been identified: a C-based variant targeting routers and a more advanced Go-based version aimed at NAS systems.
Experts recommend replacing end-of-life networking equipment, installing the latest firmware updates, changing default administrator credentials, and disabling remote management features to reduce exposure to similar threats.
