New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

Pierluigi Paganini March 12, 2025

The Ballista botnet is exploiting an unpatched TP-Link vulnerability, targeting over 6,000 Archer routers, Cato CTRL researchers warn.

Cato CTRL researchers observed a new botnet, dubbed Ballista, that is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers.

The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that are then executed on the device.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits via the LAN and WAN interfaces were reported by Team Viettel and Qrious Security, respectively.

Since early 2025, Cato CTRL has tracked the Ballista botnet targeting TP-Link Archer routers via CVE-2023-1389. The botnet spreads automatically by exploiting this remote code execution (RCE) flaw. TP-Link devices have faced scrutiny, with U.S. agencies considering a ban over security concerns linked to China. The researchers first detected the botnet on January 10; it later evolved to use Tor domains for stealth. The most recent attack attempt occurred on February 17.

“As part of its initial access vector, the Ballista botnet exploits CVE-2023-1389. This vulnerability in the TP-Link Archer router’s web management interface (T1190) stems from the lack of sanitization of user input in the country form of the /cgi-bin/luci;stok=/locale endpoint, resulting in unauthenticated command execution (T1059.004) with root privileges.” reads the Cato report. “The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.”

The payload installs a dropper using a bash one-liner that downloads the file from an attacker-controlled server (2.237.57[.]70) via HTTP on port 81. It grants full permissions and executes it as a background process. Once executed, the dropper deletes itself from disk and moves to other directories to download and run the malware. The process includes persistence, system exploration, and anti-detection techniques to maintain control over infected devices.

The malware kills previous instances, deletes itself to evade detection, reads system configuration files, and establishes an encrypted C2 channel on port 82. It spreads by exploiting CVE-2023-1389 and can execute remote shell commands or launch DoS/DDoS attacks when instructed by the C2 server.
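The exploit attempt, the dropper download on port 81 and the C2 channel on port 82 described above all leave traces a defender can look for. The following detection script is an added example and is not code from the Cato CTRL report or from the article: it checks router access-log lines for requests to the vulnerable locale endpoint whose country value is not a plain locale string, and checks outbound flow records for the reported dropper/C2 host. It assumes the country form is selected with a `form=country` query parameter and the value is sent as `country=`; the log and flow lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint named in the Cato CTRL report; the stok token may be empty
# (unauthenticated) or set, so any token value is accepted when matching the path.
LOCALE_PATH = re.compile(r"/cgi-bin/luci;stok=[^/?]*/locale")
# A legitimate locale value is letters and underscores only (e.g. "en_US"); anything
# else in the "country" field is treated as a CVE-2023-1389 injection attempt.
LOCALE_OK = re.compile(r"[A-Za-z_]{1,16}")
# Dropper host (HTTP on port 81) and C2 port (82) from the report; the article
# writes the address defanged as 2.237.57[.]70.
BALLISTA_HOSTS = {("2.237.57.70", 81): "dropper download (HTTP/81)",
                  ("2.237.57.70", 82): "C2 channel (port 82)"}

def flag_http_request(line):
    """Return a reason if an access-log line is a CVE-2023-1389 probe, else None.
    Assumption: the form is selected with form=country and the value sent as country=."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not LOCALE_PATH.fullmatch(url.path):
        return None
    qs = parse_qs(url.query)  # percent-decodes the values
    if qs.get("form", [""])[0] != "country":
        return None
    for value in qs.get("country", []):
        if not LOCALE_OK.fullmatch(value):
            return f"CVE-2023-1389 probe: country={value!r}"
    return None

def flag_flow(line):
    """Flag a 'src:port -> dst:port' flow record aimed at the reported Ballista host."""
    m = re.search(r"-> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)", line)
    if not m:
        return None
    role = BALLISTA_HOSTS.get((m.group(1), int(m.group(2))))
    return f"Ballista {role} to {m.group(1)}" if role else None

def scan(lines):
    """Run both checks over a list of log lines and return the reasons that fired."""
    return [r for r in (flag_http_request(ln) or flag_flow(ln) for ln in lines) if r]

# Constructed sample lines (not from the report): two router access-log entries and
# three outbound flow records from a router at 192.168.0.1.
SAMPLE_LOGS = [
    '203.0.113.9 - - [10/Jan/2025:08:12:01 +0000] "POST /cgi-bin/luci;stok=/locale?form=country&country=en%3Bid HTTP/1.1" 200 12',
    '192.168.0.2 - - [10/Jan/2025:08:13:44 +0000] "GET /cgi-bin/luci;stok=abc123/locale?form=country&country=en_US HTTP/1.1" 200 88',
    "192.168.0.1:51234 -> 2.237.57.70:81 proto=tcp bytes=4120",
    "192.168.0.1:51240 -> 2.237.57.70:82 proto=tcp bytes=9001",
    "192.168.0.1:51241 -> 198.51.100.7:443 proto=tcp bytes=2201",
]
```

Running `scan(SAMPLE_LOGS)` yields three hits: the probe against the locale endpoint, the port 81 download and the port 82 C2 connection; the legitimate `en_US` request and the HTTPS flow are not flagged.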

The malware’s C2 commands include “shell” for executing bash commands and “flooder” for launching attacks. The shell module enables backdoor access for data exfiltration and persistence. The flooder module, triggered by specific parameters, continuously spawns new threads for attack execution. It processes encrypted data over a raw socket, limiting further analysis. The malware’s modular design suggests support for multiple flood attack types, though only one has been identified.

Cato links the Ballista botnet to an Italy-based threat actor; the attribution is based on an Italian IP address and Italian-language strings in the code. Named after the ancient Roman weapon, Ballista targets TP-Link Archer routers and has affected the manufacturing, healthcare, services, and tech sectors in the U.S., Australia, China, and Mexico. A Censys search found over 6,500 vulnerable devices online. The botnet remains active, using advanced C2 protocols, discovery techniques, and DoS capabilities to control infected systems.

“IoT devices have been constantly targeted by threat actors for multiple reasons,” concludes the report. “Proactive identification and management of IoT devices within an organization’s network remain essential for mitigating risk and ensuring the resilience of critical infrastructure.”

Pierluigi Paganini

(SecurityAffairs – hacking, Ballista botnet)