
Security researchers at Cato CTRL have identified a new botnet campaign, named “Ballista”, that targets unpatched TP-Link Archer routers. The botnet exploits CVE-2023-1389, a high-severity unauthenticated command-injection flaw in the web management interface of TP-Link Archer AX21 routers that yields remote code execution on the device.
The Ballista campaign was first detected on January 10, 2025, and the most recent exploitation attempt was recorded on February 17, 2025. The same vulnerability has been abused since April 2023 to distribute other malware families, including Mirai, Condi, and AndroxGh0st.
## Attack Methodology
Successful exploitation runs a shell-script dropper, “dropbpb.sh”, which downloads the main binary and executes it on the compromised router. A binary is provided for each of several architectures, including mips, mipsel, armv5l, armv7l, and x86_64, so the same dropper can infect routers built on different CPUs.
Once running, Ballista opens an encrypted command-and-control (C2) channel on port 82, through which the operators can:
– Execute arbitrary shell commands on the device
– Launch further RCE attacks against other devices
– Launch denial-of-service (DoS) attacks
– Read sensitive files on the infected device
The malware's command handler exposes several functions:
– “flooder”: launches flood (DoS) attacks
– “exploiter”: exploits CVE-2023-1389 against other routers
– “shell”: runs Linux shell commands
– “killall”: terminates services
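The indicators the article names (the dropper script name, the C2 address, port 82, the command-name strings and the architecture list) are enough for a first-pass hunt. The script below is an added example, not Cato CTRL's tooling or code from the malware: it flags flow-log lines that match the network indicators and scores a `strings`-style dump against the host indicators. The key=value log format, the assumption that port 82 is TCP, the set of router addresses, and all sample data are constructed for the example.

```python
"""Indicator hunt for the Ballista activity described above.

Added example, not Cato CTRL's tooling. The only indicators used are the
ones the article names: the dropper script name, the C2 address, port 82,
the command-name strings and the architecture list. The log format, the
assumption that port 82 is TCP, and all sample data are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Indicators taken from the article.
C2_IP = "2.237.57.70"
C2_PORT = 82                      # assumed TCP; the article says only "port 82"
DROPPER_NAME = "dropbpb.sh"
COMMAND_STRINGS = ("flooder", "exploiter", "shell", "killall")
ARCHES = ("mips", "mipsel", "armv5l", "armv7l", "x86_64")

# Constructed sample: firewall/netflow-style lines in an assumed key=value format.
SAMPLE_FLOW_LOG = """\
2025-02-17T10:01:02Z src=192.168.1.1 dst=2.237.57.70 dport=82 proto=tcp
2025-02-17T10:01:05Z src=192.168.1.50 dst=198.51.100.7 dport=443 proto=tcp
2025-02-17T10:02:11Z src=192.168.1.1 dst=203.0.113.9 dport=82 proto=tcp
2025-02-17T10:03:40Z src=192.168.1.1 dst=203.0.113.9 dport=80 proto=tcp
"""

# Constructed sample: what `strings` might print for a suspect binary.
SAMPLE_STRINGS_DUMP = """\
/bin/busybox
dropbpb.sh
flooder
exploiter
shell
killall
mips
mipsel
armv7l
x86_64
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def scan_flows(log: str, router_ips: Set[str]) -> List[Finding]:
    """Flag flows that match the network indicators.

    Two signals are used: any traffic to the published C2 address, and the
    router itself (not a LAN client) opening outbound TCP/82, which is
    abnormal for a consumer router whatever the destination.
    """
    findings: List[Finding] = []
    for line in log.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport, proto = m.groups()
        reasons = []
        if dst == C2_IP:
            reasons.append("destination is the published Ballista C2 address")
        if proto == "tcp" and int(dport) == C2_PORT and src in router_ips:
            reasons.append("router initiating outbound TCP/82 (Ballista C2 port)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def score_strings(dump: str) -> Dict[str, object]:
    """Assess a strings dump against the host indicators.

    "shell" and "killall" occur in ordinary BusyBox builds, so they never
    decide the verdict on their own; the dropper name, or "flooder"/"exploiter"
    together with the multi-architecture name list, is required.
    """
    tokens = set(dump.split())
    commands = sorted(c for c in COMMAND_STRINGS if c in tokens)
    arches = sorted(a for a in ARCHES if a in tokens)
    distinctive = bool({"flooder", "exploiter"} & tokens)
    suspicious = DROPPER_NAME in tokens or (distinctive and len(arches) >= 2)
    return {
        "dropper": DROPPER_NAME in tokens,
        "commands": commands,
        "arches": arches,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOW_LOG, {"192.168.1.1"}):
        print(f.line, "->", "; ".join(f.reasons))
    print(score_strings(SAMPLE_STRINGS_DUMP))
```

The network check is deliberately two-pronged: the hard-coded C2 address will stop matching as soon as the operators move (the article notes newer variants already use Tor domains), whereas a router opening its own outbound connections on TCP/82 is unusual enough to be worth a look regardless of destination. The string check weights the rare tokens and ignores the common ones so that a stock BusyBox image does not trigger it.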
## Self-Preservation Techniques
Ballista also has self-preservation and propagation features:
– Terminating any earlier instances of itself already running on the device
– Erasing evidence of its presence on the device
– Spreading to other routers by exploiting the same vulnerability (the “exploiter” function)
## Attribution and Scope
The C2 IP address (2.237.57.70) and Italian-language strings in the binary point to a possible Italian threat actor, though neither is conclusive. The malware is under active development: newer variants replace the hard-coded C2 IP address with Tor network domains, which makes IP-based blocking and attribution less reliable.
According to Censys data cited by the researchers, more than 6,000 internet-exposed devices are potentially affected, most of them in Brazil, Poland, the UK, Bulgaria, and Turkey. The botnet has also targeted organisations in the manufacturing, healthcare, services, and technology sectors across the US, Australia, China, and Mexico.
Although it shares some traits with other botnets, the researchers note that Ballista is distinct from well-known threats such as Mirai and Mozi.