A new botnet, dubbed ‘Ballista,’ has begun exploiting unpatched TP-Link Archer routers, according to a report from Cato CTRL.
The vulnerability (CVE-2023-1389), which was first disclosed in 2023, allows attackers to execute arbitrary commands on affected routers. The earliest known exploitation of the CVE-2023-1389 vulnerability dates back to April 2023. Since then, the flaw has been abused by threat actors to drop malware, including Mirai botnet payloads, and later additional malware families such as Condi and AndroxGh0st.
Ballista was first detected by Cato CTRL on January 10, 2025, with the most recent attempt to exploit the vulnerability spotted on February 17, 2025. The attack begins with a malware dropper, a shell script called ‘dropbpb.sh,’ which fetches and executes the primary binary. This binary is built for several system architectures, including mips, mipsel, armv5l, armv7l, and x86_64, so that it can run on a wide range of devices.
Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82, granting the attacker remote access to the compromised router. This allows the attacker to execute additional shell commands, conduct further RCE attacks, and launch DoS attacks against other systems. The malware is also capable of reading sensitive files from the device and, in some cases, self-terminating once it has spread, erasing its presence to avoid detection.
Cato CTRL's investigation into the Ballista campaign has revealed clues about the origin of the attackers. Specifically, the C2 IP address (2.237.57[.]70) and the presence of Italian-language strings in the malware binaries point to the possible involvement of an unknown Italian threat actor. That C2 IP address is no longer functional, however, and the botnet has evolved: a new variant of the dropper now uses TOR network domains instead of relying on a hard-coded IP address, suggesting that the malware is still under active development.
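The indicators named above (the dropper file name, the C2 address, C2 traffic on port 82, and the newer variant's use of TOR domains) are enough for a first-pass log sweep. The script below is an added example, not code from Cato CTRL's report or from the malware: it re-fangs the de-fanged C2 address, scans router or firewall log lines for each indicator, and returns the matches with a per-indicator count. The iptables-style `SRC=/DST=/DPT=` log format, the `.onion` suffix check for TOR domains, and the sample log lines are all assumptions constructed for the example.

```python
"""Scan log lines for the Ballista indicators named in the article.

Indicators (from the Cato CTRL summary above): dropper name dropbpb.sh,
C2 address 2.237.57[.]70, C2 traffic on TCP port 82, and TOR domains in
the newer dropper variant. Log formats and the .onion check are assumptions.
"""
import re
from dataclasses import dataclass

C2_IP = "2.237.57[.]70".replace("[.]", ".")   # re-fang the published IoC
C2_PORT = 82
DROPPER_NAME = "dropbpb.sh"
# Assumption: TOR domains show up as .onion names (16-56 base32 characters).
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# Assumption: iptables-style key=value fields in the firewall log lines.
KV_RE = re.compile(r"\b(SRC|DST|DPT|SPT)=(\S+)")


@dataclass
class Hit:
    line_no: int
    indicators: list[str]
    line: str


def parse_fw_fields(line: str) -> dict[str, str]:
    """Extract SRC/DST/SPT/DPT fields from an iptables-style log line."""
    return {k: v for k, v in KV_RE.findall(line)}


def indicators_for(line: str) -> list[str]:
    """Return the list of Ballista indicators present in one log line."""
    found = []
    if DROPPER_NAME in line:
        found.append("dropper-name")
    if C2_IP in line:
        found.append("c2-ip")
    # Port 82 on its own is a weak signal; report it separately so an
    # analyst can weigh it against the stronger indicators.
    if parse_fw_fields(line).get("DPT") == str(C2_PORT):
        found.append("c2-port")
    if ONION_RE.search(line):
        found.append("tor-domain")
    return found


def scan(lines) -> list[Hit]:
    """Scan an iterable of log lines and collect every line with a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        ind = indicators_for(line)
        if ind:
            hits.append(Hit(n, ind, line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count how many lines matched each indicator."""
    counts: dict[str, int] = {}
    for h in hits:
        for i in h.indicators:
            counts[i] = counts.get(i, 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 test addresses; not from the report).
SAMPLE_LOGS = [
    "Mar 12 10:01:02 archer kernel: FW OUT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44120 DPT=443",
    "Mar 12 10:01:07 archer sh: executing /tmp/dropbpb.sh",
    "Mar 12 10:01:09 archer kernel: FW OUT SRC=192.0.2.10 DST=2.237.57.70 PROTO=TCP SPT=51514 DPT=82",
    "Mar 12 10:02:30 archer kernel: FW OUT SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=51520 DPT=82",
    "Mar 12 10:03:11 archer dns: query exampleonionaddress2345.onion from 192.0.2.10",
    "Mar 12 10:05:00 archer kernel: FW OUT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44121 DPT=80",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for h in hits:
        print(f"line {h.line_no}: {','.join(h.indicators)}  {h.line}")
    print(summarize(hits))
```

On the sample data the scan flags four of the six lines: the dropper execution, the connection to the published C2 address on port 82, a second port-82 connection to an unrelated host (reported only as the weak `c2-port` signal), and the `.onion` lookup. Because the report says the original C2 address is already dead, the dropper name and TOR-domain indicators are the ones most likely to still be useful.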
According to data from attack surface management platform Censys, more than 6,000 devices have already been infected by Ballista. Infected devices are largely concentrated in countries such as Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. In addition to these regions, the botnet has been targeting organizations in the United States, Australia, China, and Mexico.