AryStinger botnet infected thousands of D-Link routers worldwide

AryStinger botnet has compromised 4,000+ D-Link routers (DIR-850L, DIR-818LW) worldwide by exploiting known vulnerabilities, converting them into remote proxies for scanning, tunneling, and command execution. Attackers can modify DNS settings to hijack traffic and monitor network activity. Infections are concentrated in Asia but pose global risk to organizations using affected models.

CRITICALAdvisoryJun 22, 2026

Action required

Immediately identify and inventory all D-Link DIR-850L and DIR-818LW routers on your network. Patch to latest firmware or isolate/replace affected devices. Check firewall and DNS logs for anomalous proxy activity or DNS hijacking indicators.

Affected products

D-LinkD-Link DIR-850LD-Link DIR-818LWQianxin

CVE IDs

CVE-2013-3307 CVE-2016-5681 CVE-2025-11837

Linked articles

AryStinger botnet infected thousands of D-Link routers worldwide

Source links

https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/