Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices

Summary:
The Ballista botnet is actively targeting unpatched TP-Link Archer routers by exploiting a remote code execution vulnerability (CVE-2023-1389). This high-severity flaw, affecting TP-Link Archer AX-21 routers, enables attackers to execute arbitrary commands and spread malware. The campaign, first detected by the Cato CTRL team on January 10, 2025, has continued to evolve, with the latest attack attempt recorded on February 17, 2025. Originally exploited in April 2023 to deploy Mirai botnet malware, CVE-2023-1389 has since been leveraged by multiple malware families, including Condi and AndroxGh0st. The Ballista botnet stands out due to its self-propagating nature, allowing it to spread autonomously by exploiting the same vulnerability on additional devices.

The infection process begins with an initial exploit against a vulnerable router. A malware dropper is then executed to fetch and run the primary malware binary, which is built for multiple architectures, including mips, mipsel, armv5l, armv7l, and x86_64. Once running, Ballista establishes an encrypted command-and-control channel over port 82, through which attackers issue remote commands. The malware can execute shell commands, launch denial-of-service attacks, and read sensitive files from infected systems. It also attempts to hide its presence by terminating previous instances of itself, and it uses persistence techniques to maintain control over compromised devices. Additionally, Ballista spreads on its own by scanning for and exploiting CVE-2023-1389 on other routers.

The botnet includes several functionalities: DDoS attack capabilities, a built-in exploiter module for CVE-2023-1389, and a remote shell for executing Linux commands. Key commands include flooder to launch DoS attacks, exploiter to abuse the vulnerability, shell to run arbitrary commands, and killall to terminate its own process. Researchers suspect an Italian threat actor is behind Ballista, as indicated by Italian-language strings in the malware binaries and the original C2 IP address pointing to Italy. The botnet remains under active development: newer variants have moved from a hardcoded IP address to TOR network domains, making the infrastructure harder to track and disrupt.

Security Officer Comments:
A search using Censys, an attack surface management platform, has revealed that over 6,000 devices worldwide have been infected with Ballista. The most affected countries include Brazil, Poland, the United Kingdom, Bulgaria, and Turkey, while targeted organizations span industries such as manufacturing, medical/healthcare, services, and technology in regions including the United States, Australia, China, and Mexico. Although Ballista shares some characteristics with known botnets like Mirai and Mozi, researchers emphasize that it remains a distinct malware strain due to its unique features and evolving tactics.

Suggested Corrections:
To mitigate the risk of Ballista infections, TP-Link Archer router users should update their firmware immediately and disable remote management if not required. Organizations should monitor their networks for unusual outbound connections, particularly to port 82 or TOR-based C2 domains, and block unnecessary traffic. Security teams should also scan for malicious scripts, deploy intrusion detection systems to detect exploit attempts, and track emerging Ballista variants as its development progresses. As this botnet continues to evolve, proactive patching and continuous threat intelligence monitoring will be critical in defending against future attacks.
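The two network indicators named above, outbound connections to port 82 and Tor-based C2 names, can be turned into a simple detection pass over flow and DNS logs. The example below is added here and is not from the report or from Cato CTRL; the log formats, sample records, and the .onion placeholder name are constructed for illustration.

```python
"""Flag the Ballista network indicators named in the report: outbound flows to
port 82 and DNS lookups of Tor (.onion) names. Log formats are constructed."""
from collections import Counter

C2_PORT = 82  # control-channel port reported for Ballista

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
2025-02-17T10:01:02Z 192.168.1.1 203.0.113.10 82
2025-02-17T10:01:05Z 192.168.1.1 203.0.113.10 82
2025-02-17T10:02:11Z 192.168.1.50 198.51.100.7 443
2025-02-17T10:03:40Z 192.168.1.1 198.51.100.7 80
2025-02-17T10:04:02Z 192.168.1.20 203.0.113.44 82
"""

# Constructed DNS query records: "<timestamp> <client_ip> <qname>"
SAMPLE_DNS = """\
2025-02-17T10:05:00Z 192.168.1.1 c2-placeholder-not-real.onion
2025-02-17T10:05:03Z 192.168.1.50 www.example.com
"""

def parse_flows(text):
    """Parse flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return flows

def detect_c2_flows(flows, router_ips=frozenset()):
    """One alert per (src, dst) pair talking to the C2 port, with a hit count.
    Ballista runs on the router itself, so a source in router_ips (the
    gateway addresses you manage; an assumption of this example) is rated high."""
    hits = Counter((f["src"], f["dst"]) for f in flows if f["dport"] == C2_PORT)
    return [{"src": s, "dst": d, "count": n,
             "severity": "high" if s in router_ips else "medium"}
            for (s, d), n in sorted(hits.items())]

def detect_onion_lookups(dns_text):
    """Return (client, qname) for .onion queries: a LAN host resolving Tor
    hidden-service names via ordinary DNS is itself worth investigating."""
    out = []
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].lower().rstrip(".").endswith(".onion"):
            out.append((parts[1], parts[2]))
    return out

if __name__ == "__main__":
    for alert in detect_c2_flows(parse_flows(SAMPLE_FLOWS), {"192.168.1.1"}):
        print("port-82 flow:", alert)
    for client, qname in detect_onion_lookups(SAMPLE_DNS):
        print("onion lookup:", client, qname)
```

Port 82 alone is a weak signal on networks that legitimately use it; the router-sourced and repeated-connection conditions are what make an alert worth triage.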

Link(s):
https://thehackernews.com/2025/03/ballista-botnet-exploits-unpatched-tp.html