AryStinger botnet turns outdated routers into proxy executors
Malware Activity
Summary
The AryStinger botnet is compromising more than 4,000 outdated routers and converting them into proxy executors for malicious traffic, expanding attacker reach and interception risk. It targets D-Link DIR-850L and D-Link DIR-818LW routers through older flaws and can support scanning, tunneling, and command execution. The malware also enables DNS tampering and network-traffic monitoring, creating a broader exposure window for affected networks.
Related Happenings
Forest Blizzard DNS hijacking token-theft campaign against older routers
Campaign
H score: 35
First: 07.04.2026 20:02
Last: 07.04.2026 20:02
Sources: 1
About this happening:
Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score: 19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources: 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
KadNap botnet turns ASUS routers into residential proxies
Malware Activity
H score: 23
First: 10.03.2026 17:01
Last: 10.03.2026 17:01
Sources: 1
About this happening:
The **KadNap** botnet is now compromising **ASUS routers** and other edge networking devices, turning them into **residential proxies** that can hide malicious traffic. The networ...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
H score: 23
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources: 1
About this happening:
The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Kimwolf botnet expands through residential proxy abuse
Malware Activity
H score: 65
First: 02.01.2026 16:20
Last: 02.01.2026 16:20
Sources: 1
About this happening:
The **Kimwolf** **IoT botnet** continues to expand through abuse of **residential proxy services** such as **IPIDEA**, which it uses to relay malicious traffic, scan local network...
Latest development: 29.01.2026 19:15
Google Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.
Timeline
- 21.06.2026 17:14 · 2 articles
Qianxin XLab identifies AryStinger botnet compromising more than 4,000 outdated routers
Initial Disclosure
Qianxin XLab identifies the previously undocumented AryStinger botnet, which has compromised more than 4,000 outdated routers and converted them into remotely controlled executors for scanning, proxying, tunneling, command execution, DNS tampering, and traffic interception. The malware primarily targets D-Link DIR-850L and D-Link DIR-818LW routers by exploiting CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, and XLab also found a Go-based variant that focuses on NAS systems.
Sources:
- AryStinger botnet infected thousands of D-Link routers worldwide — www.bleepingcomputer.com — 21.06.2026 17:14
- AryStinger botnet infected thousands of D-Link routers worldwide — www.bleepingcomputer.com — 21.06.2026 17:14