- Old TP-Link router flaw is being abused again
- The threat actors are building out a botnet named Ballista
- They are operating from Italy
Italian hackers are abusing a vulnerability in TP-Link Archer routers to spread a new botnet, cybersecurity experts from Cato Network have reported.
The researchers said they observed a previously unreported global internet-of-things (IoT) botnet campaign, which started to spread in the early days of 2025.
The botnet exploits a remote code execution (RCE) vulnerability in the routers, tracked as CVE-2023-1389.
Manufacturing, healthcare, and tech targets
This vulnerability has been exploited for botnet building in the past as well. TechRadar Pro has, on numerous occasions, reported about multiple groups targeting this particular flaw, including the dreaded Mirai. Reports were coming out in both 2023 and 2024.
For this campaign, Cato says that the attackers first try to drop a bash script which serves as a payload dropper that delivers the malware. The botnet later switched to the use of Tor domains to be stealthier, possibly after seeing increased scrutiny from cybersecurity researchers.
“Once executed, the malware sets up a TLS encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device,” Cato said in its writeup. “This allows running shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.”
As for attribution, Cato believes, “with moderate confidence” that the threat actor is Italian-based, since the IP addresses discovered originate in that country. Furthermore, they discovered Italian strings in the binary, which prompted them to dub the botnet “Ballista”.
The Ballista botnet targets mostly manufacturing, medical and healthcare, services, and technology organizations all over the world, namely in the US, Australia, China, and Mexico. With more than 6,000 internet-connected, vulnerable devices, Cato suggests that the attack surface is relatively large and that the attacks are still ongoing.
The best way to defend against Ballista is to update the TP-Link Archer routers. The company addressed this issue in firmware version 1.1.4 Build 20230219.
Via The Hacker News