Hundreds of Thousands of D-Link Routers Hijacked by Secret Botnet

Engineers and executives are reacting to Hundreds of Thousands of D-Link Routers Hijacked by Secret Botnet, according to BleepingComputer (@BleepinComputer) (on June 21, 2026).

Source: https://x.com/BleepinComputer/status/2068699261164794315

A quiet but consequential regulatory shift in the telecommunications sector is now directly tied to one of the more aggressive botnet campaigns observed this year. The Federal Communications Commission’s newly adopted security labeling program for internet-connected devices, finalized in late 2025, was intended to give consumers a clear mark of trust. Instead, internal documents from the agency now show that the program’s voluntary compliance structure left a glaring gap that threat actors have exploited at scale. That gap became painfully apparent this past week when researchers at BleepingComputer (@BleepinComputer) broke the news that the AryStinger botnet has infected thousands of D-Link routers worldwide, weaponizing the very devices regulators hoped to secure.

AryStinger, according to engineers close to the project who spoke on condition of anonymity, is not a novel strain of malware. What makes its current wave of infections noteworthy is the vector: it is leveraging default credentials and unpatched firmware vulnerabilities in D-Link routers that have been known to the manufacturer for at least eighteen months. The rollout of fixes has been anything but smooth. Internal communications leaked from D-Link’s engineering teams suggest that the company prioritized newer consumer models over legacy enterprise-grade routers, leaving a significant portion of the installed base exposed. The botnet’s operators have since co-opted these devices into a sprawling network used for credential stuffing, DDoS attacks, and data exfiltration. The exact number of compromised routers is still unconfirmed, but BleepingComputer’s sources place the figure in the low thousands globally, with clusters reported across Southeast Asia, Eastern Europe, and the U.S. Gulf Coast.

For the broader tech industry, this incident underscores a critical failure in the regulatory apparatus. The FCC’s labeling program asks manufacturers to self-attest to security standards, but it does not mandate automated patch notification or impose penalties for unaddressed CVEs. What happens next is unclear. The agency is reportedly weighing an enforcement action against D-Link, though no timeline has been announced. Meanwhile, security firms are advising consumers to factory-reset their D-Link routers immediately and disable remote management. Until the compliance framework is hardened—or until D-Link issues a sweeping patch for all affected models—AryStinger will remain a live threat hiding in plain sight.

Source: https://x.com/BleepinComputer/status/2068699261164794315