
New Botnet Targets Unpatched TP-Link Routers

March 12, 2025

A new botnet campaign known as Ballista is targeting vulnerable TP-Link Archer routers, exploiting a severe vulnerability (CVE-2023-1389) to conduct remote code execution attacks. This critical flaw affects TP-Link Archer AX-21 routers and has been actively exploited since April 2023. The Ballista botnet uses this vulnerability to drop Mirai and other types of malware onto infected devices. The latest evidence of this attack was recorded on February 17, 2025, following its discovery by the Cato CTRL team in January 2025. The flaw allows unauthorized access and control of routers, enabling further exploitation across the internet.

Ballista operates by using a malware dropper called “dropbpb.sh” that installs a primary binary onto affected devices. The dropper supports several system architectures, including mips, arm, and x86_64. Once the binary is executed, it establishes an encrypted command-and-control (C2) channel on port 82, allowing attackers to control the infected router remotely. That control enables further actions such as running shell commands, launching denial-of-service (DoS) attacks, and extracting sensitive files from the device. The malware is also designed to delete itself and terminate any previous instances once it has run, which helps it persist and spread to other vulnerable routers.

The Ballista campaign is linked to a C2 IP address (2.237.57[.]70) and shows evidence of Italian-language strings within its malware binaries. These clues suggest that an unknown Italian threat actor may be behind the botnet, although it remains unclear whether this actor is a lone entity or part of a larger network. Since the C2 IP address is no longer functional, researchers believe the botnet is still under development, with the newest variants of the malware using the TOR network instead of hardcoded IP addresses.
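The indicators named in this alert (the C2 address, the port 82 C2 channel and the dropbpb.sh dropper name) are enough to build a simple retrospective check over outbound connection and proxy logs. The following is an added example, not code from the original alert or from Cato CTRL; it assumes a constructed key=value log format and only flags lines for review.

```python
import re
from typing import Dict, List

# Indicators taken from the Ballista write-up above. The C2 address is reported
# as no longer active, so a hit is just as likely to be historical as live.
BALLISTA_C2_IP = "2.237.57.70"
BALLISTA_C2_PORT = 82
BALLISTA_DROPPER = "dropbpb.sh"

# Assumed log format (constructed for this example): space-separated key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the names of the indicators matched by one parsed log line."""
    hits = []
    if fields.get("dst") == BALLISTA_C2_IP:
        hits.append("known_c2_ip")
    # Outbound TCP/82 is weak on its own, but from a router or IoT segment it is
    # worth a look given the C2 channel described above.
    if fields.get("dir") == "out" and fields.get("dport") == str(BALLISTA_C2_PORT):
        hits.append("c2_port_82_outbound")
    if BALLISTA_DROPPER in fields.get("url", ""):
        hits.append("dropper_fetch")
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        hits = classify(fields)
        if hits:
            findings.append({"src": fields.get("src"), "dst": fields.get("dst"), "hits": hits})
    return findings


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "ts=2025-02-17T10:22:01Z dir=out src=192.0.2.10 dst=2.237.57.70 dport=82 proto=tcp",
    "ts=2025-02-17T10:22:03Z dir=out src=192.0.2.10 dst=203.0.113.5 dport=80 proto=tcp url=http://203.0.113.5/dropbpb.sh",
    "ts=2025-02-17T10:23:00Z dir=out src=192.0.2.11 dst=198.51.100.7 dport=443 proto=tcp",
    "ts=2025-02-17T10:24:10Z dir=in src=198.51.100.9 dst=192.0.2.10 dport=82 proto=tcp",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Inbound port 82 traffic is deliberately not flagged, since the alert describes the C2 channel as one the infected router opens outward.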

This ongoing development highlights the evolving tactics of cybercriminals and their increasing sophistication in avoiding detection.

With over 6,000 devices currently targeted by Ballista, the botnet’s reach is widespread, impacting countries like Brazil, Poland, the UK, Bulgaria, and Turkey. Affected industries include healthcare, technology, manufacturing, and services, especially across regions such as the United States, Australia, China, and Mexico. The attack’s spread highlights the global scope of the threat, with the botnet targeting key sectors that rely heavily on internet-connected devices. Despite similarities to older botnets like Mirai, Ballista’s advanced techniques and adaptability make it a unique and potent threat. Researchers continue to study its development, and efforts to mitigate its impact are ongoing.

What’s a botnet?

A botnet is a network of compromised computers, known as bots or zombies, controlled remotely by cybercriminals to launch large-scale cyberattacks. These networks are commonly used for DDoS attacks, credential stuffing, spam distribution, and malware propagation. Hackers infect devices through malware, phishing, or unpatched vulnerabilities, silently turning them into part of the botnet. Popular botnets like Mirai and Emotet have caused widespread damage, targeting businesses, governments, and individuals. To protect against botnets, users should enable firewalls, update software, and use strong security tools. Stay informed on cyber threats and botnet protection to keep your systems safe.

Reference:
  • Ballista Botnet Targets Vulnerable TP-Link Routers for Remote Code Execution Attacks