• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

 | 

Canada bans Hikvision over national security concerns

 | 

Denmark moves to protect personal identity from deepfakes with new copyright law

 | 

Ahold Delhaize data breach affected over 2.2 Million individuals

 | 

Facebook wants access to your camera roll for AI photo edits

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

 | 

Security Affairs newsletter Round 530 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

The FBI warns that Scattered Spider is now targeting the airline sector

 | 

LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

 | 

Taking over millions of developers exploiting an Open VSX Registry flaw

 | 

OneClik APT campaign targets energy sector with stealthy backdoors

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Security
  • New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

Pierluigi Paganini March 12, 2025

The Ballista botnet is exploiting an unpatched TP-Link vulnerability, targeting over 6,000 Archer routers, Cato CTRL researchers warn.

Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers.

The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that should be executed on the device.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for LAN and WAN interface accesses were respectively reported by Team Viettel and Qrious Security. 

Since early 2025, Cato CTRL has tracked the Ballista botnet targeting TP-Link Archer routers via CVE-2023-1389. The botnet spreads automatically using a remote code execution (RCE) flaw. TP-Link devices have faced scrutiny, with U.S. agencies considering a ban over security concerns linked to China. The researchers first detected the botnet on January 10, then it evolved by using Tor domains for stealth. The most recent attack attempt occurred on February 17.

“As part of its initial access vector, the Ballista botnet exploits CVE-2023-1389. This vulnerability in the TP-Link Archer router’s web management interface (T1190) stems from the lack of sanitization of user input in the country form of the /cgi-bin/luci;stok=/locale endpoint, resulting in unauthenticated command execution (T1059.004) with root privileges.” reads the Cato report. “The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.”

The payload installs a dropper using a bash one-liner that downloads the file from an attacker-controlled server (2.237.57[.]70) via HTTP on port 81. It grants full permissions and executes it as a background process. Once executed, the dropper deletes itself from disk and moves to other directories to download and run the malware. The process includes persistence, system exploration, and anti-detection techniques to maintain control over infected devices.

The malware kills previous instances, deletes itself to evade detection, reads system configuration files, and establishes an encrypted C2 channel on port 82. It spreads by exploiting CVE-2023-1389 and can execute remote shell commands or launch DoS/DDoS attacks when instructed by the C2 server.

The malware’s C2 commands include “shell” for executing bash commands and “flooder” for launching attacks. The shell module enables backdoor access for data exfiltration and persistence. The flooder module, triggered by specific parameters, continuously spawns new threads for attack execution. It processes encrypted data over a RAW socket, limiting further analysis. The malware’s modular design suggests support for multiple flood attack types, though only one has been identified.

Cato links the Ballista botnet to an Italian-based threat actor, the attribution is based on an Italian IP address and strings in Italian in the code. Named after the ancient Roman weapon, Ballista targets TP-Link Archer routers and has affected manufacturing, healthcare, services, and tech sectors in the U.S., Australia, China, and Mexico. A Censys search found over 6,500 vulnerable devices online. The botnet remains active, using advanced C2 protocols, discovery techniques, and DoS capabilities to control infected systems.

“IoT devices have been constantly targeted by threat actors for multiple reasons” concludes the report. “Proactive identification and management of IoT devices within an organization’s network remain essential for mitigating risk and ensuring the resilience of critical infrastructure.”.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ballista botnet)


facebook linkedin twitter

Ballista botnet Cybercrime Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 02, 2025
Cisco removed the backdoor account from its Unified Communications Manager
Read more
Pierluigi Paganini July 02, 2025
U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Cisco removed the backdoor account from its Unified Communications Manager

    Security / July 02, 2025

    U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

    Cyber Crime / July 02, 2025

    Qantas confirms customer data breach amid Scattered Spider attacks

    Cyber Crime / July 02, 2025

    CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

    Hacking / July 02, 2025

    U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 02, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT