The AryStinger botnet has compromised over 4,000 end-of-life D-Link DIR-850L and DIR-818LW routers using a combination of legacy CVEs (CVE-2013-3307, CVE-2016-5681) and a newly identified CVE (CVE-2025-11837), converting them into attacker-controlled proxies used for DNS hijacking, distributed scanning, and traffic interception. No firmware patch exists or will be issued for any affected model. The only remediation path is hardware replacement; organizations still running these devices have a permanent, unmitigable network perimeter exposure.