
Ballista botnet attacks vulnerable TP-Link Archer routers.
A router vulnerability disclosed in 2023 is being exploited again to build a botnet.
Security researchers have warned of a new botnet campaign, attributed with moderate confidence to an Italy-based actor, that exploits a known vulnerability in TP-Link Archer routers. The campaign, named Ballista, uses a remote code execution (RCE) flaw tracked as CVE-2023-1389 to take control of vulnerable devices.
The campaign was first observed in early 2025 and appears to be part of a broader effort to build a botnet out of Internet of Things (IoT) devices. The same flaw has been exploited before, including by variants of the Mirai botnet, which is why it remains relevant two years after its disclosure.
After exploiting the vulnerability, the attackers run a bash script that acts as a dropper: a small script whose only job is to fetch the main malware binary and execute it on the router. Later in the campaign the botnet began using Tor domains for its infrastructure, apparently to evade monitoring by security researchers.
Once the malware runs, it opens an encrypted command-and-control (C2) channel on TCP port 82, through which the operators fully manage the compromised device. Over this channel they can run further shell commands (additional RCE), launch denial-of-service (DoS) attacks, and read sensitive files from the router's file system.
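Since the article names a concrete network indicator (an encrypted C2 session on TCP port 82), the following is an added detection example, written for this edit and not taken from the article or from Cato Networks. It scans simplified, constructed connection-log records for two patterns a defender would look for on that port: a single long-lived session, and regular short connections (beaconing) from the same host to the same destination. The log format, the addresses and timestamps, and the `ROUTER_ADDRS` inventory are all assumptions for the demonstration.

```python
"""Flag hosts holding suspicious TCP/82 sessions in a simplified conn log.

Added example, not code from the article or from Cato Networks. The log
format is a constructed, Zeek-like record:
  ts src src_port dst dst_port proto duration_s bytes_out
All addresses, timestamps and the router inventory are assumptions.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

C2_PORT = 82  # port the article reports for Ballista's C2 channel

# Assumed inventory: LAN addresses of the TP-Link Archer routers we manage.
ROUTER_ADDRS = {"10.0.0.1", "10.0.1.1", "10.0.2.1"}

# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
1741600000.000 10.0.0.1 41322 203.0.113.10 82 tcp 1800.5 5120
1741600010.000 10.0.5.23 50211 198.51.100.7 443 tcp 2.1 900
1741600020.000 10.0.1.1 41900 203.0.113.10 82 tcp 0.8 240
1741600040.000 10.0.1.1 41901 203.0.113.10 82 tcp 0.9 250
1741600060.000 10.0.1.1 41902 203.0.113.10 82 tcp 0.7 240
1741600080.000 10.0.1.1 41903 203.0.113.10 82 tcp 0.9 250
1741600100.000 10.0.7.8 33001 192.0.2.44 82 tcp 0.4 120
1741600120.000 10.0.2.1 40001 198.51.100.20 443 tcp 120.0 40000
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dst_port: int
    duration: float


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the constructed whitespace-separated format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto, dur, _bytes = line.split()
        conns.append(Conn(float(ts), src, dst, int(dport), float(dur)))
    return conns


def find_port82_c2(conns, routers=ROUTER_ADDRS, min_beacons=3,
                   max_jitter=0.2, long_session_s=600.0):
    """Return {src: {"severity": ..., "reasons": [...]}} for suspicious hosts.

    Two signals, both scoped to destination port C2_PORT:
      1. one session lasting at least long_session_s (persistent C2);
      2. at least min_beacons connections to the same destination whose
         inter-arrival gaps vary by no more than max_jitter of their mean.
    Routers from the inventory are rated "high"; other hosts "medium".
    """
    by_pair = defaultdict(list)
    for c in conns:
        if c.dst_port == C2_PORT:
            by_pair[(c.src, c.dst)].append(c)

    findings = {}
    for (src, dst), sessions in by_pair.items():
        reasons = []
        longest = max(s.duration for s in sessions)
        if longest >= long_session_s:
            reasons.append(
                f"long-lived session to {dst}:{C2_PORT} ({longest:.0f}s)")
        if len(sessions) >= min_beacons:
            ts = sorted(s.ts for s in sessions)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            mean = statistics.mean(gaps)
            spread = (max(gaps) - min(gaps)) / mean if mean else float("inf")
            if spread <= max_jitter:
                reasons.append(
                    f"beaconing to {dst}:{C2_PORT} every ~{mean:.0f}s "
                    f"({len(sessions)} connections)")
        if reasons:
            entry = findings.setdefault(
                src, {"severity": "high" if src in routers else "medium",
                      "reasons": []})
            entry["reasons"].extend(reasons)
    return findings


if __name__ == "__main__":
    for host, info in find_port82_c2(parse_conn_log(SAMPLE_LOG)).items():
        print(host, info["severity"], "; ".join(info["reasons"]))
```

On the constructed sample, 10.0.0.1 is flagged for a 30-minute session and 10.0.1.1 for four connections at a steady 20-second interval, while 10.0.7.8 (one short connection) is not. Treat a hit as a lead rather than a verdict: port 82 is also used by some legitimate web interfaces, so confirm the destination and the router's firmware version before acting.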
Cato Networks, which reported the campaign, assesses with "moderate confidence" that the operators are based in Italy, citing the associated IP addresses and Italian-language strings in the malware's code. Ballista has mainly targeted organizations in the manufacturing, healthcare, services, and technology sectors in countries including the United States, Australia, China, and Mexico, and more than 6,000 vulnerable devices have been identified.
To mitigate the risk from Ballista, update affected TP-Link Archer routers to firmware version 1.1.4 Build 20230219 or later, which fixes CVE-2023-1389. Patching closes the entry point but does not by itself evict malware already running on a device, so a router showing the indicators above (in particular, unexpected outbound connections to port 82) should be factory-reset and updated before it is put back on the network, and its management interface should not be reachable from the internet.