Your old D-Link router may already be hacked, and it could be used against someone else

There is a router sitting somewhere in your office, your home, or a client’s building. It has been there for years. It still works: the Wi-Fi connects, the internet loads, nobody complains. So nobody touches it. That router may already be compromised. And right now, it could be silently helping cybercriminals attack someone else. This is not a hypothetical scenario. It is what a newly discovered botnet called AryStinger is doing to thousands of routers around the world, and the hardware it targets is exactly the kind of affordable, ageing, never-updated networking equipment that is the backbone of internet connectivity across Africa.

What Is AryStinger?
On June 21, 2026, researchers at Qianxin’s XLab threat intelligence unit published findings on AryStinger, a botnet that had, until then, operated completely under the radar. The malware network has compromised over 4,000 routers globally, converting them into remotely controlled components capable of executing network scans, relaying malicious traffic, creating tunnels into other systems, and running commands on behalf of the attackers who control it (source: news4hackers).

The primary targets are two specific D-Link router models: the DIR-850L and the DIR-818LW, both discontinued yet widely distributed across the globe, and both no longer receiving manufacturer security updates. AryStinger exploits three known vulnerabilities to gain access: CVE-2013-3307 (a flaw identified back in 2013), CVE-2016-5681 (flagged in 2016), and CVE-2025-11837 (a more recent discovery from 2025) (source: news4hackers). The fact that two of the three exploited vulnerabilities are a decade or more old tells you everything you need to know about who is at risk: anyone still running hardware that has not been patched or replaced.

How the Attack Works
AryStinger is not simply a tool for crashing networks or causing visible disruption. It is a quiet, distributed intelligence-gathering and attack infrastructure, which makes it considerably more dangerous.

Once a router is infected, it becomes a node in a coordinated network. The botnet’s architecture splits large-scale scanning tasks into smaller segments and distributes them across multiple compromised routers for parallel processing. This allows attackers to efficiently conduct reconnaissance at scale, significantly increasing the probability of successful intrusions into other systems. In plain terms: your router becomes one of many tools used to probe and map other networks, looking for the next target.

Beyond reconnaissance, the malware can modify DNS configurations on infected devices to intercept user web traffic and covertly monitor all data flowing through the router. Every website visited, every login attempted, every unencrypted communication passing through that router becomes potentially visible to the attacker.

Researchers also identified two variants of the malware. The first, written in C, focuses on the older router hardware. The second, written in Go, is designed to target NAS (Network Attached Storage) systems, the devices many small businesses use to store files and backups locally. The NAS-focused version demonstrates advanced features including IP and DNS scanning, command execution, payload deployment, and internal network exploration using open-source security tools (source: news4hackers).

The attacker’s identity remains unknown. Researchers have not linked AryStinger to any known threat actor group, leaving many aspects of its origin and purpose unresolved. That ambiguity is itself concerning; it suggests either a new actor with significant technical sophistication, or a known group operating under a previously unseen infrastructure (source: news4hackers).

Why This Matters Far Beyond the Headlines
The immediate instinct when reading about a botnet targeting routers in South Korea and China is to file it away as someone else’s problem. That instinct is wrong, for three distinct reasons.

First, botnets don’t respect geography. The current infection map shows concentration in Asia, but botnets expand. The same vulnerabilities being exploited in Seoul exist in Douala, Kampala, Accra, and Nairobi on the same hardware, running the same unpatched firmware. The moment attackers decide to scan African IP ranges with the same tools, the results will not be flattering.

Second, the attack surface in Africa is enormous and largely unmonitored. Security statistics indicate that 54% of attacks succeed undetected, with only 14% triggering alerts. That is the global average. In most African business environments where dedicated IT security is rare, where routers are installed and forgotten, where firmware updates are never applied, those numbers would likely be worse. AryStinger is designed to be silent. It will not announce itself. The router will keep working. The internet will keep loading. And the malware will keep doing its job.

Third, DNS hijacking has immediate, tangible consequences for end users. When a router’s DNS is manipulated by an attacker, every device connected to that router (phones, laptops, smart TVs, business terminals) can be redirected to fraudulent websites, have its login credentials intercepted, or be served malware-laced pages instead of the real ones. HTTPS and certificate validation limit what a rogue resolver can silently intercept, but a look-alike site with its own valid certificate, or a service still reached over plain HTTP, is exactly what such redirection is built for. This is not a hypothetical risk. It is a live capability built into AryStinger.

Across Sub-Saharan Africa, D-Link has long been one of the dominant brands in affordable consumer and SME networking hardware. Walk into any electronics market in Yaoundé, Douala, Lagos, Accra, or Nairobi, and you will find D-Link routers on the shelves and installed across thousands of homes and offices. Many of those devices are running firmware that has not been updated in years, or ever.

This is not negligence. It is a structural reality. Most SME owners and home users in Africa are not aware that router firmware needs updating. The device came with a default password (often never changed), was plugged in, and has been running continuously since. The DIR-850L and DIR-818LW, the exact models AryStinger targets, were sold aggressively across African markets during their production lifecycle. Many of those devices are still active.

The expansion of internet connectivity across Africa through fibre rollouts, Starlink deployments, mobile broadband growth, and enterprise network buildouts is accelerating. More devices are getting connected. More businesses are going online. More institutions are building digital infrastructure. All of that progress compounds the risk if the hardware layer is not taken seriously.

There is also a specific threat to small and medium businesses running local storage. NAS devices, the second target of AryStinger’s Go variant, are increasingly common in African SMEs as a cost-effective way to manage files, run local backups, and support shared workspaces. If those storage systems are sitting behind a compromised D-Link router, they become accessible to the attacker who controls that router.

And for technology integrators, ISPs, and managed service providers operating across African markets, there is a professional responsibility dimension here too. Every network deployed with ageing, unpatched hardware is a liability for the client and for the installer.

The good news is that the mitigations for this threat are straightforward. The challenge is execution: getting organizations and individuals to act before an incident, not after.

Replace end-of-life routers. If you are running a D-Link DIR-850L, DIR-818LW, or any other router model that is no longer receiving manufacturer firmware updates, it needs to be replaced. There is no patch coming. The vulnerability window will only grow. Budget for hardware refresh cycles as part of any responsible IT strategy.

Apply firmware updates to everything still in support. For devices that are still receiving updates, apply them immediately. Router firmware updates are released specifically to patch vulnerabilities like the three being exploited by AryStinger. If you manage a network and cannot remember the last time you updated the router’s firmware, that is your answer.

Change default administrative credentials. An alarming number of routers in active use still have the factory-default username and password, “admin/admin” or equivalent. This is the first thing any attacker will try. Change it to something strong and unique, and do so after the firmware update rather than before: a device that is already under an attacker’s control can have its settings changed back.

Disable remote management interfaces. Unless you have a specific, documented need for remote router administration, turn it off. Remote management ports are a direct attack surface, and most small offices and homes have no legitimate need for them.
Monitor for unexpected DNS changes. If you manage multiple client networks, periodically verify that DNS settings on routers match what was configured. An unauthorised DNS change is a strong indicator of compromise.
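The DNS check described above, and the DNS-hijacking capability mentioned earlier in the article, can be made routine with a small script run from a client on each LAN. The following is an added example for this page, not code from the article, from XLab, or from any D-Link tooling. It assumes a per-site baseline (the router’s LAN address 192.168.0.1 on 192.168.0.0/24) and uses constructed sample data: the resolv.conf texts and DNS answers below are made up, and 203.0.113.x and 198.51.100.x are RFC 5737 documentation addresses standing in for an attacker’s resolver and for legitimate service IPs.

```python
"""
Audit a LAN for rogue DNS settings pushed by a possibly compromised router.

Two checks a practitioner can run from any client on the network:
  1. Do the resolvers the router hands out (as seen in the client's
     resolv.conf) match the per-site baseline?
  2. Do answers obtained through the router's resolver agree with a
     resolver you trust (for example, one reached over a VPN or mobile link)?

Added example, not part of the original article. All inputs are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Assumed per-site baseline (constructed): the router itself forwards DNS.
SITE_LAN = "192.168.0.0/24"
SITE_BASELINE = ["192.168.0.1"]

# Constructed resolv.conf samples as a DHCP client would write them.
CLEAN_RESOLV = """# Generated by dhcpcd (constructed sample)
nameserver 192.168.0.1
"""
HIJACKED_RESOLV = """# Generated by dhcpcd (constructed sample)
nameserver 192.168.0.1
nameserver 203.0.113.77   # documentation-range IP standing in for an attacker resolver
"""

# Constructed answer sets: trusted resolver vs. the router's resolver.
ANSWERS_VIA_TRUSTED: Dict[str, Set[str]] = {
    "bank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example": {"198.51.100.20"},
    "cdn.example":  {"198.51.100.30"},
}
ANSWERS_VIA_ROUTER: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.66"},    # redirected to a look-alike host
    "mail.example": {"198.51.100.20"},   # agrees with trusted resolver
    "cdn.example":  {"198.51.100.31"},   # differs, but a CDN may do this legitimately
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver IPs from resolv.conf-style text, in order, ignoring comments."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry, skip it
    return servers


def audit_resolvers(observed: Iterable[str], baseline: Iterable[str], lan: str) -> Dict[str, List[str]]:
    """Classify each observed resolver against the site baseline.

    'unexpected_off_lan' is the strongest indicator: a hijacked router usually
    pushes an attacker-controlled address instead of the ISP's or its own.
    'unexpected_on_lan' means another LAN host answers DNS; possibly a new
    Pi-hole or server, but it must be explained by whoever runs the site.
    """
    lan_net = ipaddress.ip_network(lan, strict=False)
    base = {str(ipaddress.ip_address(b)) for b in baseline}
    report: Dict[str, List[str]] = {"expected": [], "unexpected_on_lan": [], "unexpected_off_lan": []}
    for ip_str in observed:
        ip = ipaddress.ip_address(ip_str)
        if str(ip) in base:
            report["expected"].append(str(ip))
        elif ip in lan_net:
            report["unexpected_on_lan"].append(str(ip))
        else:
            report["unexpected_off_lan"].append(str(ip))
    return report


def compare_answers(via_router: Dict[str, Set[str]], via_trusted: Dict[str, Set[str]]) -> List[str]:
    """Names whose router-resolved addresses share nothing with the trusted answers.

    A disjoint answer set is a lead, not proof: CDN-fronted names legitimately
    vary by resolver. Names redirected to a phishing host will show up here
    consistently, at every site behind a hijacked router.
    """
    suspicious = []
    for name, trusted_ips in via_trusted.items():
        router_ips = via_router.get(name, set())
        if router_ips and not (router_ips & trusted_ips):
            suspicious.append(name)
    return sorted(suspicious)


def run_sample_audit() -> Dict[str, object]:
    """Run both checks over the constructed samples and return the findings."""
    return {
        "clean": audit_resolvers(parse_resolv_conf(CLEAN_RESOLV), SITE_BASELINE, SITE_LAN),
        "hijacked": audit_resolvers(parse_resolv_conf(HIJACKED_RESOLV), SITE_BASELINE, SITE_LAN),
        "mismatched_names": compare_answers(ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED),
    }


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key}: {value}")
```

In practice, feed `parse_resolv_conf` the real `/etc/resolv.conf` (or the equivalent from `ipconfig /all` on Windows), keep one baseline per client site, and treat any `unexpected_off_lan` entry as an incident until the router has been inspected. The answer comparison should be run against a short list of high-value names (banking, mail, the client’s own services) rather than everything, to keep CDN noise down.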
For technology integrators: make hardware lifecycle part of every client conversation. When conducting site surveys, installing systems, or renewing service contracts, include a router audit. The conversation does not need to be technical; “This device is no longer receiving security updates and should be replaced” is something any business owner can understand.

AryStinger is, in technical terms, a moderately sophisticated botnet. It is not the most advanced threat ever documented. What makes it significant is what it reveals about the state of our shared infrastructure. Thousands of routers around the world are running firmware with vulnerabilities that were first identified in 2013, thirteen years ago. The hardware is still running. The vulnerabilities are still open. And someone has now built a tool specifically designed to walk through those open doors.

The internet we are building across Africa, connecting businesses, schools, hospitals, and households, runs on hardware. That hardware matters. A smart home is only as smart as the router it runs on. A Starlink installation is only as secure as the network it feeds into. A biometric access control system is only as trustworthy as the infrastructure it communicates through.
Security is not a feature you add at the end. It is a foundation you build from the beginning. Recommended actions for any organisation or individual with D-Link hardware: replace end-of-life devices with supported models, apply all available firmware updates, change default administrative credentials, and deactivate remote management interfaces. Do not wait for the alert that never comes.
