    Ballista Botnet Capitalizes on Unpatched TP-Link Flaw, Infecting Over 6,000 Devices Worldwide

    Unpatched TP-Link Archer routers have fallen victim to a fast-spreading botnet campaign, dubbed Ballista, uncovered by the Cato CTRL security research team.

    “This botnet takes advantage of a remote code execution (RCE) flaw within TP-Link Archer routers (CVE-2023-1389), autonomously propagating across the digital landscape,” cybersecurity analysts Ofek Vardi and Matan Mittelman detailed in an exhaustive report.

    This particular vulnerability, CVE-2023-1389, is a high-risk security lapse affecting TP-Link Archer AX-21 models, making them susceptible to command injection, which in turn paves the way for arbitrary code execution.

    Traces of exploitation for this vulnerability date back to April 2023, when unknown threat actors weaponized it to deploy Mirai-based malware. Since then, it has been leveraged to distribute additional malicious software strains such as Condi and AndroxGh0st.

    Chronology of the Attack Campaign

    Cato CTRL pinpointed Ballista’s activity on January 10, 2025, with the latest observed exploitation attempt surfacing on February 17.

    The infection chain revolves around the deployment of a malware installer—a shell script named dropbpb.sh—orchestrated to retrieve and execute the principal malware binary across diverse system architectures, including mips, mipsel, armv5l, armv7l, and x86_64.

    Upon activation, the malware opens an encrypted command-and-control (C2) channel on port 82, giving the operators remote control over the compromised router.

    “This enables attackers to execute shell commands, further escalate remote code execution, and facilitate denial-of-service (DoS) offensives,” the researchers emphasized. “Moreover, the malware actively seeks out sensitive files housed within the local system.”

    Ballista’s Malicious Command Arsenal

    The botnet’s operational capabilities include, but are not limited to:

    • flooder – Initiates network flooding assaults.
    • exploiter – Abuses CVE-2023-1389 to infiltrate additional devices.
    • start – A supplementary argument utilized with exploiter to commence exploitation.
    • close – Deactivates the module’s execution.
    • shell – Executes arbitrary Linux commands on the infected system.
    • killall – Terminates running services associated with the malware.

    Notably, Ballista is engineered to neutralize previous instances of itself while erasing forensic traces post-execution. Additionally, it exhibits worm-like behavior, spreading laterally by leveraging the same vulnerability across other susceptible TP-Link devices.

    Possible Attribution and Evolution

    Forensic clues—including the C2 IP address (2.237.57[.]70) and Italian-language artifacts within the malware’s code—hint at the involvement of an unidentified Italian-speaking cybercriminal entity, as per Cato CTRL’s analysis.

    Interestingly, Ballista appears to be in an active developmental phase, with attackers shifting their C2 infrastructure away from the previously hardcoded IP address in favor of TOR network domains, suggesting an effort to bolster operational stealth and resilience.
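    The indicators the article gives (the dropper name dropbpb.sh, the C2 channel on port 82 and the originally hardcoded C2 address 2.237.57[.]70) are enough for a first-pass triage of egress logs. The script below is an added example written for this write-up, not Cato CTRL's code; the key=value log format and the sample lines are constructed, and the TEST-NET addresses in them are placeholders.

```python
import re
from dataclasses import dataclass

# Indicators reported by Cato CTRL for Ballista (see the article above).
BALLISTA_C2_IP = "2.237.57.70"   # hardcoded C2 address, defanged as 2.237.57[.]70 in the report
BALLISTA_C2_PORT = 82            # port used for the encrypted C2 channel
DROPPER_NAME = "dropbpb.sh"      # shell-script installer that fetches the main binary

# Constructed sample egress log in a hypothetical key=value format (not a real vendor format).
SAMPLE_LOG = """\
ts=2025-01-10T03:12:44Z src=192.168.1.1 dst=2.237.57.70 dport=82 proto=tcp action=allow
ts=2025-01-10T03:12:50Z src=192.168.1.23 dst=203.0.113.5 dport=443 proto=tcp action=allow
ts=2025-01-10T03:13:01Z src=192.168.1.1 url=http://198.51.100.7/dropbpb.sh method=GET
ts=2025-01-10T03:13:05Z src=192.168.1.1 dst=203.0.113.9 dport=82 proto=tcp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

@dataclass
class Finding:
    ts: str
    src: str
    reason: str

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per indicator match; strong matches first within a line."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        ts, src = f.get("ts", "?"), f.get("src", "?")
        dst, dport, url = f.get("dst"), f.get("dport"), f.get("url", "")
        if dst == BALLISTA_C2_IP:
            findings.append(Finding(ts, src, f"connection to known Ballista C2 {dst}:{dport}"))
        elif dport == str(BALLISTA_C2_PORT):
            # Port 82 alone is a weak signal: queue for review rather than alert outright.
            findings.append(Finding(ts, src, f"outbound tcp/{dport} to {dst} (Ballista C2 port, review)"))
        if url.rsplit("/", 1)[-1] == DROPPER_NAME:
            findings.append(Finding(ts, src, f"download of Ballista dropper {DROPPER_NAME} from {url}"))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src}: {hit.reason}")
```

Because the operators are moving C2 to Tor domains, the IP match will go stale first; the dropper-name and port-82 heuristics keep some value, and a router still on firmware vulnerable to CVE-2023-1389 should be patched regardless of whether these fire.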

    Global Infection Scope and Target Sectors

    A scan via Censys, an attack surface management platform, reveals that over 6,000 devices have been infected by Ballista, with hotspots concentrated in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey.

    The botnet’s targets span critical industries, including manufacturing, healthcare, technology, and service sectors across major economies such as the United States, Australia, China, and Mexico.

    “Despite certain resemblances to notorious botnets like Mirai and Mozi, Ballista maintains a unique operational footprint, distinguishing itself from widely recognized malware strains,” the researchers concluded.

    With the malware still undergoing refinements and expanding its reach, security experts strongly advise immediate firmware updates and stringent network defenses to mitigate the risk posed by this evolving cyber menace.
