Ballista Botnet Exploits TP-Link Archer Router Vulnerability in Global Cyberattack

A newly identified botnet campaign, dubbed Ballista, has been actively targeting unpatched TP-Link Archer routers, according to cybersecurity researchers from Cato CTRL. The campaign exploits CVE-2023-1389, a remote code execution (RCE) vulnerability in TP-Link Archer AX-21 routers, enabling attackers to inject malicious commands and take full control of compromised devices.

Ballista Botnet Spreading via Router Exploits

The CVE-2023-1389 flaw, initially exploited as early as April 2023, has been previously leveraged by cybercriminals to deploy various malware strains, including Mirai, Condi, and AndroxGh0st. The Ballista campaign was first detected on January 10, 2025, with the most recent attack observed on February 17, 2025.

The attack begins with the deployment of a malware dropper—a shell script named "dropbpb.sh"—which downloads and executes the main payload across multiple system architectures, including mips, mipsel, armv5l, armv7l, and x86_64. Once active, the malware establishes an encrypted command-and-control (C2) connection on port 82, allowing attackers to execute further commands, conduct denial-of-service (DoS) attacks, and access sensitive system files.

Key Capabilities of the Ballista Botnet

The botnet comes with several built-in commands, including:

  • flooder – Initiates a flood attack
  • exploiter – Uses the CVE-2023-1389 exploit for propagation
  • start – Activates the exploit module
  • close – Stops an active module
  • shell – Executes Linux shell commands
  • killall – Terminates the malware's own service

Additionally, Ballista is designed to self-replicate by exploiting other vulnerable routers, eliminate previous instances of itself, and erase traces of its presence upon execution.

Italian Cybercriminals Suspected Behind Ballista

Researchers found Italian language strings embedded in the malware binaries, along with a C2 server linked to an Italian IP address (2.237.57[.]70), suggesting the involvement of an unidentified Italian threat actor. However, recent developments indicate that the botnet is evolving, as the C2 server has since gone offline, and new variants of the malware now leverage TOR network domains instead of hardcoded IPs.
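The indicators above (the dropper name dropbpb.sh, the C2 port 82 and the defanged C2 address 2.237.57[.]70) are enough to build a small network-log triage check. The following Python is an added example, not code from Cato CTRL or from the article; the key=value log format, the router management subnet 192.168.100.0/24 and the sample log lines are constructed for illustration. The port-based rule is kept separate from the IP match because, as the article notes, newer variants reach their C2 through TOR domains rather than a hardcoded IP, so a router talking outbound on port 82 is still worth a look even when the destination is unknown.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

# Indicators reported for the Ballista campaign (from the write-up summarised above).
C2_PORT = 82                   # encrypted C2 channel used by the malware
C2_IP = "2.237.57.70"          # refanged form of 2.237.57[.]70 (now offline)
DROPPER_NAME = "dropbpb.sh"    # shell-script dropper name

# Assumption: the subnet where TP-Link Archer routers sit in this (hypothetical) network.
ROUTER_SUBNET = ip_network("192.168.100.0/24")


class Alert(NamedTuple):
    line_no: int
    reason: str
    src: str
    dst: str


# Constructed firewall export format: src=... dst=... dport=... [proto=...] [url=...]
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
    r"(?:\s+proto=(?P<proto>\w+))?(?:\s+url=(?P<url>\S+))?"
)


def classify(line_no: int, line: str) -> Optional[Alert]:
    """Return an Alert when a log line matches a Ballista indicator, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    url = m["url"] or ""
    reasons = []
    # 1. Dropper retrieval: the fetched path ends in the known dropper file name.
    if url.rsplit("/", 1)[-1] == DROPPER_NAME:
        reasons.append("fetch of Ballista dropper " + DROPPER_NAME)
    # 2. Contact with the published C2 address.
    if dst == C2_IP:
        reasons.append("contact with known Ballista C2 " + C2_IP)
    # 3. Behavioural rule: a router in the management subnet talking out on port 82.
    #    This survives the switch to TOR-hosted C2, where the IP match no longer helps.
    if dport == C2_PORT and ip_address(src) in ROUTER_SUBNET:
        reasons.append(f"router egress on C2 port {C2_PORT}")
    if not reasons:
        return None
    return Alert(line_no, "; ".join(reasons), src, dst)


def scan(lines: List[str]) -> List[Alert]:
    """Run classify() over every line and keep the hits, numbered from 1."""
    hits = (classify(i, line) for i, line in enumerate(lines, 1))
    return [a for a in hits if a is not None]


# Constructed sample log: two infected-looking routers, one unrelated host, benign traffic.
SAMPLE_LOG = [
    "src=192.168.100.7 dst=203.0.113.9 dport=80 proto=tcp url=http://203.0.113.9/dropbpb.sh",
    "src=192.168.100.7 dst=2.237.57.70 dport=82 proto=tcp",
    "src=192.168.100.12 dst=198.51.100.4 dport=82 proto=tcp",
    "src=10.0.0.5 dst=198.51.100.4 dport=82 proto=tcp",
    "src=192.168.100.7 dst=203.0.113.9 dport=443 proto=tcp url=https://203.0.113.9/index.html",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.src} -> {alert.dst}: {alert.reason}")
```

Lines 1 to 3 of the sample are flagged (dropper fetch, known C2 plus port 82 egress, port 82 egress alone); line 4 is ignored because the source is not a router, and line 5 is ordinary HTTPS. In production the constructed regex would be replaced by the parser for your firewall or NetFlow export, and hits on rule 3 should be confirmed against the device's firmware version before treating them as an infection.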

Global Impact and Targeted Sectors

An analysis of vulnerable devices using the Censys attack surface management platform estimates that over 6,000 routers are at risk, primarily in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. The botnet has been observed targeting critical sectors, including:

  • Manufacturing
  • Healthcare
  • Technology
  • Service industries

Notably, organizations in the United States, Australia, China, and Mexico have been affected.

Ballista’s Unique Threat Profile

While Ballista shares similarities with other botnets, researchers emphasize that it remains distinct from widely known botnets such as Mirai and Mozi. Its ability to autonomously spread through vulnerable routers, execute remote commands, and evade detection makes it a significant cybersecurity threat.

Security experts strongly advise patching TP-Link Archer AX-21 routers and implementing proactive threat monitoring to mitigate the risk of infection.