New Ballista Botnet Spreads Using TP-Link Flaw: Is It an Italian Job?

The cybersecurity world has been abuzz with news of a new botnet, dubbed the Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability in TP-Link Archer routers. According to Cato CTRL researchers, this botnet has already spread its malicious tendrils across over 6,000 vulnerable devices worldwide.

The root cause of this problem lies in an unpatched vulnerability tracked as CVE-2023-1389 (CVSS score 8.8). This flaw resides in the locale API of the web management interface of the TP-Link Archer AX21 router. In simple terms, a remote attacker can trigger this issue by injecting commands that the device then executes.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for access via the LAN and WAN interfaces were reported by Team Viettel and Qrious Security respectively. Since early 2025, Cato CTRL has tracked the Ballista botnet targeting TP-Link Archer routers via CVE-2023-1389.

The botnet spreads automatically through the RCE flaw: once a device is compromised, the malware uses it to infect other devices on the same network without any human intervention.

TP-Link devices have faced scrutiny, with U.S. agencies considering a ban over security concerns linked to China. The researchers first detected the botnet on January 10, then it evolved by using Tor domains for stealth. The most recent attack attempt occurred on February 17.

"As part of its initial access vector, the Ballista botnet exploits CVE-2023-1389," reads the Cato report. "This vulnerability in the TP-Link Archer router's web management interface (T1190) stems from the lack of sanitization of user input in the country form of the /cgi-bin/luci;stok=/locale endpoint, resulting in unauthenticated command execution (T1059.004) with root privileges."

"The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh," continues the report. "This dropper is responsible for downloading malware binaries and executing them on the compromised device. The process includes persistence, system exploration, and anti-detection techniques to maintain control over infected devices."
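The two indicators the report names, a request to the locale endpoint whose country value carries shell metacharacters and a fetch of the dropbpb.sh dropper, can be turned into a simple log check. The script below is an added example, not code from Cato CTRL or TP-Link; the log lines, hosts and query-string layout are constructed for it, and only the endpoint path and dropper filename come from the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access/proxy log lines (Common Log Format). Hosts,
# timestamps and the query layout are invented; the endpoint path and the
# dropper name are the ones quoted from the Cato CTRL report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:03:14:07 +0000] "GET /cgi-bin/luci;stok=/locale?form=lang HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2025:03:15:22 +0000] "GET /cgi-bin/luci;stok=/locale?form=country&country=DE HTTP/1.1" 200 64
198.51.100.7 - - [10/Jan/2025:03:16:01 +0000] "GET /cgi-bin/luci;stok=/locale?form=country&country=%24%28echo%20constructed%29 HTTP/1.1" 200 64
198.51.100.7 - - [10/Jan/2025:03:16:02 +0000] "GET http://192.0.2.10/dropbpb.sh HTTP/1.1" 200 1337
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DROPPER_NAME = "dropbpb.sh"
# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def is_locale_endpoint(path):
    """True for the LuCI locale endpoint whatever form the stok token takes."""
    return path.startswith("/cgi-bin/luci") and path.endswith("/locale")


def analyze_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.rsplit("/", 1)[-1] == DROPPER_NAME:
        return {"src": src, "time": ts, "reason": f"fetch of dropper {DROPPER_NAME}"}
    if not is_locale_endpoint(path):
        return None
    # parse_qs URL-decodes values, so percent-encoded metacharacters are
    # caught too. Only the query string is visible in an access log; a POST
    # body would need a proxy or WAF log that records request bodies.
    for value in parse_qs(parts.query, keep_blank_values=True).get("country", []):
        if SHELL_META.search(value):
            return {"src": src, "time": ts,
                    "reason": f"shell metacharacters in country={value!r}"}
    return None


def scan_log(text):
    """Run analyze_line over every line and collect the findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["src"], finding["reason"])
```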

The malware kills previous instances, deletes itself to evade detection, reads system configuration files, and establishes an encrypted C2 channel on port 82. It spreads by exploiting CVE-2023-1389 and can execute remote shell commands or launch DoS/DDoS attacks when instructed by the C2 server.

The malware's C2 commands include "shell" for executing bash commands and "flooder" for launching attacks. The shell module enables backdoor access for data exfiltration and persistence. The flooder module, triggered by specific parameters, continuously spawns new threads for attack execution.

The Italian Connection: Attribution to an Italian-Based Threat Actor

Cato CTRL has linked the Ballista botnet to an Italian-based threat actor, based on an Italian IP address and strings in Italian in the code. This attribution is significant, as it suggests that this botnet may be part of a larger campaign by a specific group.

The Impact: Manufacturing, Healthcare, Services, and Tech Sectors Affected

Named after the ancient Roman weapon, Ballista targets TP-Link Archer routers and has affected manufacturing, healthcare, services, and tech sectors in the U.S., Australia, China, and Mexico. A Censys search found over 6,500 vulnerable devices online.

A Call to Action: Proactive Identification and Management of IoT Devices

"IoT devices have been constantly targeted by threat actors for multiple reasons," concludes the report. "Proactive identification and management of IoT devices within an organization's network remain essential for mitigating risk and ensuring the resilience of critical infrastructure."
