This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked

News
By published

An old router vulnerability is being abused in botnet building again

Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
(Image credit: Getty Images)
  • Old TP-Link router flaw is being abused again
  • The threat actors are building out a botnet named Ballista
  • They are operating from Italy

Italian hackers are abusing a vulnerability in TP-Link Archer routers to spread a new botnet, cybersecurity experts from Cato Network have reported.

The researchers said they observed a previously unreported global internet-of-things (IoT) botnet campaign, which started to spread in the early days of 2025.

The botnet exploits a remote code execution (RCE) vulnerability in the routers, tracked as CVE-2023-1389.

Manufacturing, healthcare, and tech targets

This vulnerability has been exploited for botnet building in the past as well. TechRadar Pro has, on numerous occasions, reported about multiple groups targeting this particular flaw, including the dreaded Mirai. Reports were coming out in both 2023 and 2024.

For this campaign, Cato says that the attackers first try to drop a bash script which serves as a payload dropper that delivers the malware. The botnet later switched to the use of Tor domains to be stealthier, possibly after seeing increased scrutiny from cybersecurity researchers.

“Once executed, the malware sets up a TLS encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device,” Cato said in its writeup. “This allows running shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.”

As for attribution, Cato believes, “with moderate confidence” that the threat actor is Italian-based, since the IP addresses discovered originate in that country. Furthermore, they discovered Italian strings in the binary, which prompted them to dub the botnet “Ballista”.

The Ballista botnet targets mostly manufacturing, medical and healthcare, services, and technology organizations all over the world, namely in the US, Australia, China, and Mexico. With more than 6,000 internet-connected, vulnerable devices, Cato suggests that the attack surface is relatively large and that the attacks are still ongoing.

The best way to defend against Ballista is to update the TP-Link Archer routers. The company addressed this issue in firmware version 1.1.4 Build 20230219.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.