- An old TP-Link router flaw is being abused again
- Threat actors are building a botnet named Ballista
- The operators appear to be based in Italy
Hackers believed to be Italian are abusing a vulnerability in TP-Link Archer routers to spread a new botnet, cybersecurity researchers from Cato Networks reported.
The researchers said they observed a previously undocumented botnet, which began spreading in early 2025.
The botnet exploits a remote code execution (RCE) vulnerability in the routers, tracked as CVE-2023-1389.
Manufacturing, healthcare and technology targeted
This vulnerability has been used to build botnets in the past. TechRadar Pro has repeatedly reported on several groups targeting this particular flaw, including the notorious Mirai, with reports published in 2023 and 2024.
In this campaign, Cato says the attackers first attempt to drop a bash script that acts as a dropper and fetches the malware. The botnet later moved to using Tor domains to be stealthier, possibly after noticing scrutiny from cybersecurity researchers.
“Once executed, the malware sets up an encrypted command and control (C2) TLS channel on port 82, which is used to fully control the compromised device,” Cato said in its write-up. “This allows shell commands to be executed to carry out RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.”
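The one concrete network indicator the write-up gives is the C2 channel on TCP port 82. The following is an added example, not code from the article or from Cato's report, showing how a defender could sweep connection logs for internal hosts opening outbound connections to that port. The log format (timestamp, source IP, destination IP, destination port, protocol) and all sample lines are constructed for this example; adapt `parse_line` to your own firewall or flow-export format.

```python
"""Flag outbound TCP/82 connections in connection logs (added example).

Given the reported Ballista C2 pattern (TLS channel on port 82), this sweeps
simplified connection-log lines and reports internal hosts that reached
external destinations on that port. Log format and sample data are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines, not real traffic. Destinations use the
# reserved documentation range 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2025-03-11T09:14:02Z 192.168.1.1 203.0.113.45 82 tcp
2025-03-11T09:14:05Z 192.168.1.1 203.0.113.45 82 tcp
2025-03-11T09:15:10Z 192.168.1.20 198.51.100.7 443 tcp
2025-03-11T09:16:33Z 192.168.1.1 192.168.1.20 82 tcp
2025-03-11T09:17:01Z 192.168.1.30 203.0.113.45 82 tcp
malformed line here
"""

C2_PORT = 82  # port reported in the write-up for the Ballista TLS C2 channel

# "Internal" is defined explicitly as the RFC 1918 ranges, so that anything
# else (including the documentation ranges used above) counts as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 private ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def find_port82_c2_candidates(log_text, port=C2_PORT):
    """Return {src_ip: [dst_ip, ...]} for internal -> external TCP flows to `port`.

    Internal-to-internal traffic on the port is ignored, as are non-TCP flows
    and lines that fail to parse.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp" or rec["port"] != port:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits[str(rec["src"])].append(str(rec["dst"]))
    return dict(hits)


if __name__ == "__main__":
    for src, dsts in find_port82_c2_candidates(SAMPLE_LOG).items():
        print(f"{src} -> TCP/{C2_PORT}: {len(dsts)} connection(s) "
              f"to {sorted(set(dsts))}")
```

A destination port on its own is a weak signal, so treat a hit as a lead to confirm (for example by checking whether the flagged source is a TP-Link Archer router on an unpatched firmware and whether the traffic on port 82 is really TLS) rather than as proof of compromise.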
As for attribution, Cato believes “with moderate confidence” that the threat actor is based in Italy, because the IP addresses discovered originate from that country. The researchers also found Italian-language strings in the binary, which led them to name the botnet “Ballista”.
The Ballista botnet mainly targets manufacturing, medical and healthcare, services and technology organizations around the world, including in the United States, Australia, China and Mexico. With more than 6,000 vulnerable devices exposed to the Internet, Cato suggests the attack surface is relatively large and that attacks are still ongoing.
The best defense against Ballista is to update TP-Link Archer routers. The company addressed the flaw in firmware version 1.1.4 (20230219).
Via The Hacker News