
AryStinger botnet hijacks over 4,300 D‑Link routers for reconnaissance

malware | open | Jun 22, 2026 — Jun 22, 2026

The AryStinger botnet has hijacked more than 4,300 D-Link routers and NAS devices, turning them into a platform for large-scale network reconnaissance, according to research from QiAnXin’s XLab reported by Malwarebytes.

The malware exploits long‑disclosed vulnerabilities from 2013 and 2016 that affect Realtek’s RTL819X chips, primarily in the D‑Link DIR‑850L and DIR‑818LW models, which are now end‑of‑life and receive no firmware patches, as detailed in the XLab blog.

Once infected, devices act as “Executors” that perform port scanning, service identification and DNS tampering, while avoiding typical behaviours such as file encryption or cryptocurrency mining. The botnet maintains separate builds for routers and NAS units and can run scripts in several programming languages, as noted by SecurityAffairs.

Activity was observed between 09:17 and 16:16 UTC on 22 June 2026. No specific threat actors have been attributed to the campaign, yet the harvested intelligence could enable follow‑on attacks against internal networks or critical infrastructure.

Defenders should verify the firmware version of any D‑Link equipment, apply the latest available updates, replace default passwords with strong unique credentials, disable remote management interfaces, and consider retiring hardware that has reached end‑of‑life.

Additionally, monitoring for unexpected traffic spikes, enforcing network segmentation and keeping an up‑to‑date inventory of connected devices will improve the chances of spotting similar compromises before they are used for further reconnaissance.
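One way to act on the inventory and traffic-monitoring advice above, as an added example that is not from XLab or the other sources cited here: it flags inventory entries matching the two end-of-life models named on this page, and any inventoried device whose own outbound flows fan out like a port scan. The CSV columns, the `src dst port` flow format and the threshold of 20 are assumptions, and the sample data is constructed.

```python
import csv, io, re, unicodedata
from collections import defaultdict

EOL_MODELS = ("DIR850L", "DIR818LW")  # end-of-life models named on this page
FANOUT_THRESHOLD = 20  # assumed: distinct (dst, port) pairs per capture window

def normalize_model(raw):
    """Reduce 'D-Link DIR-850L', 'dir 850l' and similar to 'DIR850L'."""
    text = unicodedata.normalize("NFKC", raw).upper()
    text = re.sub(r"[^A-Z0-9]", "", text)  # drops spaces, ASCII and Unicode hyphens
    return text.removeprefix("DLINK")

def audit(inventory_csv, flow_lines):
    """Return {ip: [reasons]} for inventoried devices that need attention."""
    findings, known = defaultdict(list), set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ip = row["ip"]
        known.add(ip)
        # Prefix match so a trailing hardware revision ('DIR-850L B1') still hits.
        if normalize_model(row["model"]).startswith(EOL_MODELS):
            findings[ip].append("eol-model")
            if row["remote_mgmt"].strip().lower() == "on":
                findings[ip].append("remote-mgmt-enabled")
    # Flows whose source is the router/NAS itself; a device that forwards
    # traffic should rarely open connections to many LAN targets on its own.
    fanout = defaultdict(set)
    for line in flow_lines:
        src, dst, dport = line.split()
        fanout[src].add((dst, dport))
    for ip, targets in fanout.items():
        if ip in known and len(targets) >= FANOUT_THRESHOLD:
            findings[ip].append(f"scan-like-fanout:{len(targets)}")
    return dict(findings)

# Constructed sample data (not from the XLab report).
INVENTORY = (
    "ip,model,remote_mgmt\n"
    "192.168.0.1,D\u2011Link DIR\u2011850L,on\n"
    "192.168.0.2,dir 818lw,off\n"
    "192.168.0.3,Example NAS-1000,off\n"
)
FLOWS = [f"192.168.0.1 192.168.0.50 {p}" for p in range(1, 26)]
FLOWS.append("192.168.0.3 192.168.0.10 445")

if __name__ == "__main__":
    for ip, reasons in audit(INVENTORY, FLOWS).items():
        print(ip, ", ".join(reasons))
```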

Intelligence briefing updated Jun 22, 2026

Root source: blog.xlab.qianxin.com