SECURITYINTEL DAILY BRIEF
■ ThreatIntel Brief
Monday, June 22, 2026
INTEL CONFIDENCE 82% | THREAT LEVEL CRITICAL

THREAT OF THE DAY
AryStinger Botnet Compromises Thousands of D-Link Routers | CRITICAL
5 C2 IPs | 74 OTX IOCs | 2 ARTICLES

■ ANALYST TLDR
A newly discovered malware botnet named AryStinger has compromised over 4,000 legacy D-Link routers globally, converting them into malicious proxy servers to route threat actor traffic. Organizations must immediately identify and decommission outdated, end-of-life D-Link network devices to mitigate the risk of compromise. Additionally, security teams should monitor network perimeters for anomalous proxy traffic and unauthorized external administrative access.

■ CRITICAL STORIES
AryStinger botnet infects over 4,000 D-Link routers
The previously undocumented AryStinger botnet is actively targeting outdated and end-of-life D-Link routers, turning them into a residential proxy network. This allows threat actors to route malicious traffic through legitimate consumer IP addresses, bypassing traditional IP reputation filters.

ISC Stormcast Daily Threat Briefing - June 22, 2026
The daily briefing highlights ongoing opportunistic scanning activities and general internet background noise. It underscores the necessity of continuous monitoring of edge devices and maintaining robust firewall configurations to block unsolicited inbound traffic.

■ CVEs IDENTIFIED
[CVE-TBD] D-Link Outdated Routers — Remote Code Execution and Proxy Abuse

■ THREAT ACTORS
AryStinger | Botnet / Cybercrime
Compromising thousands of outdated D-Link routers to build a proxy network

■ ATT&CK TTPs
T1190 | Exploit Public-Facing Application | Used to compromise vulnerable edge D-Link routers
T1090 | Proxy | Turning compromised routers into proxies for malicious traffic redirection
T1584.005 | Compromise Infrastructure: Botnet | Establishing a botnet of over 4,000 infected devices

■ PATCH PRIORITY
D-Link Outdated Routers — Active exploitation by AryStinger botnet to deploy proxies — BleepingComputer

■ RECOMMENDED ACTIONS TODAY
1. [P1] Decommission and replace all outdated, end-of-life D-Link routers that no longer receive security updates to prevent AryStinger botnet recruitment.
2. [P2] Audit network perimeters for legacy D-Link devices and restrict external management access (HTTP/HTTPS/Telnet/SSH) from the public internet.
3. [P2] Monitor network egress traffic for anomalous proxy behavior or unauthorized connections originating from internal network segments.
4. [P3] Review SANS ISC daily threat feeds to update blocklists for active malicious scanning IPs and known botnet command-and-control nodes.

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB