Mar 11, 2025

Ravie Lakshmanan

Network Security / Vulnerability

Unpatched TP-Link Archer routers are being targeted by a new botnet campaign known as Ballista, according to recent findings by the Cato CTRL team.

“The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet,” security researchers Ofek Vardi and Matan Mittelman stated in a technical report shared with The Hacker News.

CVE-2023-1389 is a high-severity security flaw that affects TP-Link Archer AX-21 routers and can lead to command injection, potentially allowing for remote code execution.

The earliest evidence of active exploitation of the flaw dates back to April 2023, with unidentified threat actors utilizing it to drop Mirai botnet malware. Since then, it has also been exploited to propagate other malware families, including Condi and AndroxGh0st.

Cato CTRL detected the Ballista campaign on January 10, 2025, with the most recent exploitation attempt recorded on February 17.

The attack sequence involves the use of a malware dropper, a shell script (“dropbpb.sh”), designed to fetch and execute the main binary on the target system for various system architectures, including mips, mipsel, armv5l, armv7l, and x86_64.

Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82 to take control of the device.

“This allows running shell commands to conduct further RCE and denial-of-service (DoS) attacks,” the researchers explained. “Additionally, the malware attempts to read sensitive files on the local system.”

Some of the supported commands include:

  • flooder, which triggers a flood attack
  • exploiter, which exploits CVE-2023-1389
  • start, an optional parameter used with the exploiter to start the module
  • close, which stops the module triggering function
  • shell, which runs a Linux shell command on the local system
  • killall, which terminates the service

In addition, the malware is capable of terminating previous instances of itself and erasing its presence once execution begins. It is also designed to spread to other routers by attempting to exploit the flaw.
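The indicators the report gives for this attack sequence (the "dropbpb.sh" dropper, per-architecture binaries, and a C2 channel on port 82 at the listed IP) can be turned into a simple host-correlation check. The following is an added example, not code from Cato CTRL or the article; the log format and sample lines are constructed, and treating any outbound TCP to port 82 or a download named after a target architecture as suspicious is an assumed heuristic.

```python
import re

# Constructed sample connection/HTTP log lines (not from the Cato CTRL
# report). Assumed format: "<ts> <src> <dst>:<port> <proto> <detail>".
SAMPLE_LOGS = """\
2025-01-10T03:12:44Z 10.0.0.5 203.0.113.9:80 http GET /dropbpb.sh
2025-01-10T03:12:46Z 10.0.0.5 203.0.113.9:80 http GET /bin.mipsel
2025-01-10T03:13:01Z 10.0.0.5 2.237.57.70:82 tcp SYN
2025-01-10T03:15:10Z 10.0.0.7 198.51.100.4:443 tcp SYN
2025-01-10T03:16:02Z 10.0.0.7 198.51.100.4:443 http GET /index.html
garbage line that should be skipped
"""

# Indicators taken from the article: dropper name, C2 port, C2 IP (defanged
# there as 2.237.57[.]70) and the architectures the dropper serves binaries for.
DROPPER_NAME = "dropbpb.sh"
C2_PORT = 82
C2_IP = "2.237.57.70"
ARCHES = {"mips", "mipsel", "armv5l", "armv7l", "x86_64"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (.*)$")

def classify(line):
    """Map one log line to (indicator, src_ip), or None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, src, dst, port, proto, detail = m.groups()
    path = detail.split()[-1] if proto == "http" else ""
    if path.endswith("/" + DROPPER_NAME):
        return ("dropper_fetch", src)
    # Assumed heuristic: a fetched file whose extension names a target arch.
    if path.rsplit(".", 1)[-1] in ARCHES:
        return ("arch_binary_fetch", src)
    # Assumed heuristic: contact with the reported C2 IP or the C2 port.
    if dst == C2_IP or (proto == "tcp" and int(port) == C2_PORT):
        return ("c2_contact", src)
    return None

def scan(log_text):
    """Return {src_ip: sorted indicator names} for every host with a hit."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            indicator, src = result
            hits.setdefault(src, set()).add(indicator)
    return {src: sorted(names) for src, names in hits.items()}

def likely_infected(hits):
    """Hosts that both fetched the dropper and then contacted the C2."""
    return sorted(src for src, names in hits.items()
                  if "dropper_fetch" in names and "c2_contact" in names)
```

Hosts with only a single weak hit (e.g. one port-82 connection) stay in `scan()` output for triage but are not reported by `likely_infected()`, which requires the dropper fetch and C2 contact together.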

The location of the C2 IP address (2.237.57[.]70) and the presence of Italian-language strings in the malware binaries suggest the involvement of an unknown Italian threat actor, according to the cybersecurity company.

The malware also appears to be under active development: that IP address is no longer functional, and a newer variant of the dropper uses Tor network domains instead of a hard-coded IP address.

A search on the attack surface management platform Censys reveals that over 6,000 devices are infected by Ballista, with the majority of infections concentrated in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey.

The botnet has been found to target manufacturing, medical/healthcare, services, and technology organizations in the United States, Australia, China, and Mexico.

“While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi,” the researchers noted.
