Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices

Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team.

“The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet,” security researchers Ofek Vardi and Matan Mittelman said in a technical report shared with The Hacker News.

CVE-2023-1389 is a high-severity security flaw impacting TP-Link Archer AX-21 routers that could lead to command injection, which could then pave the way for remote code execution.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The earliest evidence of active exploitation of the flaw dates back to April 2023, with unidentified threat actors using it to drop Mirai botnet malware. Since then, it has also been abused to propagate other malware families like Condi and AndroxGh0st.

Cato CTRL said it detected the Ballista campaign on January 10, 2025. The most recent exploitation attempt was recorded on February 17.

The attack sequence entails the use of a malware dropper, a shell script (“dropbpb.sh”) that’s designed to fetch and execute the main binary on the target system for various system architectures such as mips, mipsel, armv5l, armv7l, and x86_64.

Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82 in order to take control of the device.

“This allows running shell commands to conduct further RCE and denial-of-service (DoS) attacks,” the researchers said. “In addition, the malware attempts to read sensitive files on the local system.”

Some of the supported commands are listed below –

• flooder, which triggers a flood attack
• exploiter, which exploits CVE-2023-1389
• start, an optional parameter that is used with the exploiter to start the module
• close, which stops the module triggering function
• shell, which runs a Linux shell command on the local system.
• killall, which is used to terminate the service

In addition, it’s capable of terminating previous instances of itself and erasing its own presence once execution begins. It’s also designed to spread to other routers by attempting to exploit the flaw.

The use of the C2 IP address location (2.237.57[.]70) and the presence of Italian language strings in the malware binaries suggests the involvement of an unknown Italian threat actor, the cybersecurity company said.

That said, it appears the malware is under active development given that the IP address is no longer functional and there exists a new variant of the dropper that utilizes TOR network domains instead of a hard-coded IP address.

A search on attack surface management platform Censys reveals that more than 6,000 devices are infected by Ballista. The infections are concentrated around Brazil, Poland, the United Kingdom, Bulgaria, and Turkey.

The botnet has been found to target manufacturing, medical/healthcare, services, and technology organizations in the United States, Australia, China, and Mexico.

“While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi,” the researchers said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.