Exploitation of Vulnerability in TP-Link Archer Routers Sparks New Botnet Threat
Recent investigations by the Cato CTRL team have unveiled a botnet campaign known as Ballista, which specifically targets unpatched TP-Link Archer routers. The campaign takes advantage of a critical remote code execution (RCE) vulnerability designated as CVE-2023-1389, allowing the botnet to spread autonomously across the Internet.
According to security analysts Ofek Vardi and Matan Mittelman in a detailed report shared with The Hacker News, the vulnerability poses a considerable risk primarily to TP-Link Archer AX-21 routers, enabling malicious actors to execute commands remotely. The flaw’s exploitation is particularly alarming given its potential for extensive command injection attacks that could lead to full device compromise.
The earliest indications of this vulnerability being actively exploited date back to April 2023, when it was initially leveraged for deploying Mirai botnet malware. However, since that time, various other malware families, including Condi and AndroxGh0st, have also been reported using this exploit for propagation.
Cato CTRL’s monitoring efforts revealed the Ballista campaign’s emergence on January 10, 2025, with continued attempts to exploit the vulnerability observed through February 17. The attack vector primarily involves a malware dropper in the form of a shell script, designed to download and execute the main payload across a variety of system architectures.
Upon successful execution, the malware establishes an encrypted command-and-control (C2) channel on port 82, enabling attackers to issue shell commands and execute further RCE and denial-of-service (DoS) attacks. The malware’s capabilities extend to reading sensitive files from the compromised devices, raising serious concerns regarding data integrity and privacy.
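The report gives defenders one concrete network indicator: the implant talks to its C2 over port 82. The following hunt script is an added illustration, not code from Cato CTRL or the article, and it assumes a simple CSV flow-log schema (ts,src,dst,dport,proto,bytes) and an asset inventory mapping IPs to device labels; all records below are constructed sample data. It flags router-class assets that repeatedly open outbound TCP sessions to port 82 and reports how regular the beacon interval is.

```python
"""Hunt for possible Ballista-style C2 beaconing from TP-Link Archer routers.
Port 82 is the C2 port cited in the Cato CTRL report; everything else here
(schema, inventory, flow records) is constructed for the example."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_PORT = 82  # C2 port named in the report; adjust if the campaign changes

# Constructed asset inventory (assumed format): source IP -> device label
ASSETS = {
    "10.0.0.1": "tp-link archer ax21",
    "10.0.0.2": "tp-link archer ax21",
    "10.0.1.5": "workstation",
}

# Constructed flow log in the assumed CSV schema
FLOWS = """ts,src,dst,dport,proto,bytes
2025-01-10T03:00:01Z,10.0.0.1,203.0.113.7,82,tcp,512
2025-01-10T03:05:02Z,10.0.0.1,203.0.113.7,82,tcp,640
2025-01-10T03:10:03Z,10.0.0.1,203.0.113.7,82,tcp,600
2025-01-10T03:11:00Z,10.0.0.2,198.51.100.9,443,tcp,2000
2025-01-10T03:12:00Z,10.0.1.5,203.0.113.7,82,tcp,300
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is rewritten for
    compatibility with Python versions older than 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_c2_candidates(flow_csv: str, assets: dict, min_sessions: int = 2) -> dict:
    """Return {(src, dst): {"sessions": n, "median_gap_s": s}} for Archer-class
    assets with at least min_sessions outbound TCP sessions to C2_PORT.
    Non-router sources are ignored here to keep the hunt focused."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp" or int(row["dport"]) != C2_PORT:
            continue
        if "archer" in assets.get(row["src"], ""):
            sessions[(row["src"], row["dst"])].append(parse_ts(row["ts"]))
    findings = {}
    for key, times in sessions.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[key] = {"sessions": len(times), "median_gap_s": median(gaps)}
    return findings
```

A tight median gap (here about five minutes) is the beaconing signal worth escalating; a single session to port 82 from a non-router host is lower priority but still worth a look.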
Among its functional commands, the malware can initiate flooding attacks, exploit existing vulnerabilities, and terminate its own process, which helps it evade detection. Notably, Ballista also shows an intent to proliferate by targeting other routers vulnerable to the same exploit.
The geographical targeting of this botnet appears widespread, with over 6,000 vulnerable devices identified primarily in regions such as Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. Organizations in the manufacturing, healthcare, services, and technology sectors across the United States, Australia, China, and Mexico are particularly at risk from this campaign.
Notably, the origins of the malware might be traced back to an as-yet unidentified Italian threat actor, as indicated by the presence of Italian language components within the malware’s binaries. Furthermore, the malware appears to be under ongoing development: an earlier C2 IP address was discontinued in favor of a version that uses TOR network domains, which complicates attribution efforts.
This incident highlights significant tactics aligned with the MITRE ATT&CK framework, most prominently in areas concerning initial access through exploitation of the RCE vulnerability. The campaign illustrates persistent capabilities that allow for privilege escalation and further infiltration, underscoring the critical need for robust security measures to safeguard against such invasive threats.
In light of these developments, businesses and organizations operating in the affected regions should conduct immediate assessments of their network security protocols, particularly those utilizing TP-Link routing devices. Proactive patch management, endpoint monitoring, and strategic incident response planning remain paramount to mitigating the impact of such botnets in an increasingly interconnected world.