CyberSecurity news

Matan Mittelman @ Cato Networks
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.

This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.
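As an added example (not code from the article or from Cato's research), two simple detections for the traits described above, run over constructed log lines: shell metacharacters in a router API `country` parameter, and a router initiating a TCP session to port 82. The API path, log formats and IP addresses are assumptions.

```python
"""Constructed detections for two Ballista traits: (1) shell metacharacters in a
router API 'country' parameter (CVE-2023-1389), (2) a router opening an outbound
TCP session to port 82, the C2 port reported for this botnet."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that never belong in a country/locale code but do in an injected command.
SHELL_META = re.compile(r"[;`|&$<>]")

def suspicious_country_param(request_line: str) -> bool:
    """True if the HTTP request line carries a 'country' query value with shell metacharacters."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    # unquote once more so a double-URL-encoded value is still caught
    return any(SHELL_META.search(unquote(v)) for v in params.get("country", []))

def router_c2_flows(flow_lines, router_ips, c2_port=82):
    """Return flow records in which a known router IP initiates TCP to the C2 port."""
    hits = []
    for line in flow_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if (fields.get("proto") == "tcp" and fields.get("src") in router_ips
                and fields.get("dport") == str(c2_port)):
            hits.append(line)
    return hits

# Constructed sample data (not from the article); '/api/locale' is a hypothetical path.
ACCESS_LOG = [
    "GET /api/locale?country=US HTTP/1.1",
    "GET /api/locale?country=%24(id) HTTP/1.1",   # decodes to $(id)
    "GET /api/locale?country=DE%3Bls HTTP/1.1",   # decodes to DE;ls
    "GET /index.html HTTP/1.1",
]
FLOWS = [
    "src=192.0.2.10 dst=203.0.113.7 dport=82 proto=tcp",
    "src=192.0.2.10 dst=203.0.113.8 dport=443 proto=tcp",
    "src=192.0.2.55 dst=203.0.113.7 dport=82 proto=tcp",   # not a known router
]
ROUTERS = {"192.0.2.10"}

def run_detections():
    """Run both checks over the constructed samples and return the matching lines."""
    return {
        "injection_attempts": [l for l in ACCESS_LOG if suspicious_country_param(l)],
        "c2_flows": router_c2_flows(FLOWS, ROUTERS),
    }

if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {len(hits)}")
        for h in hits:
            print("  ", h)
```

In practice the router IP set would come from the asset inventory and the flow records from NetFlow or firewall logs; the port-82 check is a weak signal on its own and is best paired with the TLS-on-an-unusual-port observation the article describes.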

References:
  • bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS accounts -Unique code, not based on Mirai or Mozi
  • Secure Bulletin: The Ballista Botnet: a new IoT threat with italian roots
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
  • The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
Classification:
  • HashTags: #IoT #Botnet #Malware
  • Company: TP-Link
  • Target: TP-Link Archer Routers
  • Product: Archer
  • Feature: RCE
  • Malware: Ballista
  • Type: Botnet
  • Severity: Medium