This worrying botnet targets unsecured TP-Link routers - thousands of devices already hacked


  • Old TP-Link router flaw is being abused again
  • The threat actors are building out a botnet named Ballista
  • They are operating from Italy

Italian hackers are abusing a vulnerability in TP-Link Archer routers to spread a new botnet, cybersecurity experts from Cato Networks have reported.

The researchers said they observed a previously unreported global internet-of-things (IoT) botnet campaign, which started to spread in the early days of 2025.

The botnet exploits a remote code execution (RCE) vulnerability in the routers, tracked as CVE-2023-1389.

Manufacturing, healthcare, and tech targets

This vulnerability has been exploited for botnet building in the past as well. TechRadar Pro has, on numerous occasions, reported about multiple groups targeting this particular flaw, including the dreaded Mirai. Reports were coming out in both 2023 and 2024.

For this campaign, Cato says that the attackers first try to drop a bash script that acts as a dropper and delivers the malware. The botnet later switched to Tor domains to be stealthier, possibly after noticing increased scrutiny from security researchers.

“Once executed, the malware sets up a TLS encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device,” Cato said in its writeup. “This allows running shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.”
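The behaviour Cato describes gives defenders a concrete network signature: a TLS session on TCP port 82, a port that ordinarily carries no TLS. The following detection is an added example, not Cato's tooling or code from the writeup; it runs over a constructed Zeek-style conn.log excerpt (all IPs are documentation ranges) and reports listeners on port 82 that speak TLS, whichever side of the connection the infected router sits on.

```python
"""Flag Ballista-style C2 sessions (TLS on TCP/82) in Zeek-style conn.log records."""
from collections import defaultdict

# Constructed sample, tab-separated subset of Zeek conn.log fields:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration
SAMPLE_CONN_LOG = """\
1736000000.1\t192.0.2.10\t51002\t198.51.100.7\t443\ttcp\tssl\t12.3
1736000001.4\t192.0.2.11\t40112\t198.51.100.9\t82\ttcp\tssl\t3601.0
1736000002.0\t192.0.2.11\t40113\t198.51.100.9\t82\ttcp\tssl\t1800.2
1736000003.7\t192.0.2.12\t33001\t203.0.113.5\t82\ttcp\thttp\t0.4
1736000004.2\t192.0.2.13\t33002\t203.0.113.8\t80\ttcp\thttp\t0.9
"""

C2_PORT = 82        # port named in the Cato writeup
C2_SERVICE = "ssl"  # Zeek's label for a TLS-negotiating session

def parse_conn_log(text):
    """Parse the 8-field subset above; malformed or comment lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 8:
            continue
        records.append({
            "ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
            "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
            "service": f[6], "duration": float(f[7]),
        })
    return records

def find_c2_candidates(records, port=C2_PORT, service=C2_SERVICE):
    """Return {listener_ip: {"peers": [...], "sessions": n, "total_duration": s}}.

    The responder owns the listening port, so this catches both an infected
    router listening on 82 and a router dialling out to a port-82 listener.
    Plain HTTP on 82 is deliberately not matched: the signature is TLS on 82.
    """
    hits = defaultdict(lambda: {"peers": set(), "sessions": 0, "total_duration": 0.0})
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] == port and r["service"] == service:
            h = hits[r["resp_h"]]
            h["peers"].add(r["orig_h"])
            h["sessions"] += 1
            h["total_duration"] += r["duration"]
    return {ip: {**v, "peers": sorted(v["peers"])} for ip, v in hits.items()}

if __name__ == "__main__":
    for ip, info in find_c2_candidates(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"TLS on {C2_PORT} at {ip}: {info['sessions']} sessions from {info['peers']}")
```

Long-lived sessions (the `total_duration` field) are worth surfacing alongside the hit, since an interactive shell channel tends to stay open far longer than a web request.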

As for attribution, Cato believes “with moderate confidence” that the threat actor is based in Italy, since the IP addresses it discovered originate in that country. The researchers also found Italian strings in the binary, which prompted them to dub the botnet “Ballista”.

The Ballista botnet mostly targets manufacturing, medical and healthcare, services, and technology organizations around the world, notably in the US, Australia, China, and Mexico. With more than 6,000 vulnerable, internet-connected devices, Cato suggests that the attack surface is relatively large and that the attacks are still ongoing.

The best way to defend against Ballista is to update the TP-Link Archer routers. The company addressed this issue in firmware version 1.1.4 Build 20230219.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

