D-Link Routers Under Siege: AryStinger Botnet Expands
Author
ThreatsEye
Published
June 23, 2026
When was the last time you checked the firmware version on your home router? If you're using an end-of-life D-Link model, you might just be an unwitting recruit in the AryStinger botnet's army. This newly uncovered botnet has already commandeered over 4,300 D-Link routers, turning them into malicious scouts for future attacks.
The AryStinger botnet targets outdated D-Link router models, specifically the DIR-850L and DIR-818LW. These models, no longer supported by the manufacturer, are prime targets due to their unpatched vulnerabilities. The botnet exploits these weaknesses to install a Dropbear SSH backdoor, effectively taking control of the device and rewriting DNS settings to intercept traffic.
At its core, AryStinger leverages a combination of brute force and known exploits to gain initial access to the routers. Once inside, the botnet executes scripts to establish a persistent presence. The use of Dropbear, a lightweight SSH server, allows attackers to maintain control without raising suspicion. By altering DNS settings, AryStinger can redirect traffic, potentially leading users to malicious sites or intercepting sensitive data.
The primary victims are consumers and small businesses using legacy D-Link routers. The compromised devices are not just passive victims; they actively scan for new targets, expanding the botnet's reach. This poses a significant threat to network security, as even a single compromised device can serve as a launchpad for broader attacks.
For those using the affected D-Link models, immediate action is required. Replacing these routers with newer, supported models is the most effective solution. For those unable to upgrade immediately, disabling remote management features and updating any available firmware can mitigate some risk. Network administrators should also monitor for unusual DNS queries and SSH connections, which could indicate a compromised device.
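The monitoring advice above can be sketched as a check over flow records that flags DNS sent to unapproved resolvers, SSH connections to the router, and the router fanning out to many external hosts. This is an added example, not code from ThreatsEye or any vendor; the record format, addresses, approved resolver list and scan threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All addresses, the resolver allow-list and the threshold are assumptions.
LAN = ip_network("192.168.0.0/24")
ROUTER = {ip_address("192.168.0.1"), ip_address("203.0.113.5")}  # LAN and WAN side
APPROVED_DNS = {ip_address("192.168.0.1"), ip_address("9.9.9.9")}
SCAN_THRESHOLD = 5  # distinct external hosts on one port before alerting

# Constructed sample flow records: "time src dst proto dport"
SAMPLE = [
    "10:00:01 192.168.0.23 192.168.0.1 udp 53",    # client asks the router: normal
    "10:00:02 203.0.113.5 9.9.9.9 udp 53",         # router asks approved upstream
    "10:00:05 192.168.0.23 198.51.100.53 udp 53",  # client sent to another resolver
    "10:01:10 198.51.100.8 203.0.113.5 tcp 22",    # SSH session reaching the router
] + [f"10:02:0{i} 203.0.113.5 198.51.100.{100 + i} tcp 80" for i in range(6)]


def detect(lines):
    """Return (time, rule, source, detail) tuples for suspicious flows."""
    alerts = []
    fanout = defaultdict(set)  # (src, dport) -> distinct external destinations
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport = parts
        try:
            src, dst, dport = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # unparseable address or port
        internal = src in LAN or src in ROUTER
        # Rewritten DNS settings show up as queries to resolvers off the allow-list.
        if dport == 53 and internal and dst not in APPROVED_DNS:
            alerts.append((ts, "unapproved-dns", str(src), str(dst)))
        # Any SSH session to the router is unexpected in this assumed environment.
        if proto == "tcp" and dport == 22 and dst in ROUTER:
            alerts.append((ts, "ssh-to-router", str(src), str(dst)))
        # A router contacting many distinct external hosts on one port looks like scanning.
        if src in ROUTER and dst not in LAN and dport != 53:
            fanout[(src, dport)].add(dst)
            if len(fanout[(src, dport)]) == SCAN_THRESHOLD:  # alert once per port
                alerts.append((ts, "router-scanning", str(src), f"port {dport}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

On a real network the allow-list and threshold need tuning against normal traffic before any alert is treated as evidence of compromise.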
The AryStinger botnet highlights the dangers of neglecting end-of-life devices in network environments. As manufacturers discontinue support, these devices become low-hanging fruit for attackers. This incident serves as a stark reminder of the importance of regular updates and proactive device management in maintaining cybersecurity hygiene.
In a world where our devices are increasingly interconnected, the security of each node becomes crucial. AryStinger is a wake-up call for users and manufacturers alike to prioritize security, even in devices deemed obsolete.