A new botnet campaign known as Ballista is targeting vulnerable TP-Link Archer routers, exploiting a severe vulnerability (CVE-2023-1389) to conduct remote code execution attacks. This critical flaw affects TP-Link Archer AX-21 routers and has been actively exploited since April 2023. The Ballista botnet uses this vulnerability to drop Mirai and other types of malware onto infected devices. The latest evidence of this attack was recorded on February 17, 2025, following its discovery by the Cato CTRL team in January 2025. The flaw allows unauthorized access and control of routers, enabling further exploitation across the internet.
Ballista operates by utilizing a malware dropper called “dropbpb.sh” that installs a primary binary onto affected devices. The dropper supports several system architectures, including mips, arm, and x86_64. Once the malware is executed, it establishes an encrypted command-and-control (C2) channel on port 82, allowing attackers to control the infected router remotely. This control enables further exploitation through shell commands, denial-of-service (DoS) attacks, and the extraction of sensitive files from the device. Once running, the malware also deletes itself from disk and terminates any previous instances of itself, which keeps it persistent on the device while it continues to spread to other vulnerable routers.
The Ballista campaign is linked to a C2 IP address (2.237.57[.]70) and shows evidence of Italian-language strings within its malware binaries. These clues suggest that an unknown Italian threat actor may be behind the botnet, although it remains unclear whether this actor is a lone individual or part of a larger group. Since the C2 IP address is no longer functional, researchers believe the botnet is still under development, with the newest variants of the malware using the Tor network instead of hardcoded IP addresses.
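The indicators above (the dropbpb.sh dropper name, the C2 address 2.237.57[.]70 and the C2 channel on TCP port 82) are what a defender would feed into a log-matching rule. The following script is an added example written for this page, not code from the article or from Cato CTRL: it scans a handful of constructed firewall and proxy log lines in an assumed key=value format and flags any line that matches one of those indicators. The log format, the sample lines and the private/documentation addresses in them are all assumptions; only the three indicators come from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators reported for Ballista. The article defangs the address as
# 2.237.57[.]70; it is refanged here so it can be compared with log fields.
BALLISTA_C2_IP = "2.237.57.70"
BALLISTA_C2_PORT = 82
BALLISTA_DROPPER = "dropbpb.sh"

REASON_C2_IP = "destination is the published Ballista C2 address"
REASON_C2_PORT = "outbound TCP/82 matches the Ballista C2 port"
REASON_DROPPER = "reference to the dropbpb.sh dropper"

# Assumed firewall/flow log layout: "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>".
# This is a constructed format for the example, not a real vendor format.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


@dataclass
class Alert:
    timestamp: str
    source: str
    reasons: List[str]
    raw: str


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line matches a Ballista indicator, else None."""
    reasons: List[str] = []
    m = FLOW_RE.match(line)
    if m:
        if m["dst"] == BALLISTA_C2_IP:
            reasons.append(REASON_C2_IP)
        # Port 82 alone is a weaker signal than the address, but the article
        # reports the encrypted C2 channel on that port, so it is worth a
        # lower-confidence alert on its own.
        if m["proto"].lower() == "tcp" and int(m["dport"]) == BALLISTA_C2_PORT:
            reasons.append(REASON_C2_PORT)
    # The dropper name can appear in proxy, HTTP or process logs that do not
    # follow the flow layout, so it is matched on the raw text.
    if BALLISTA_DROPPER in line:
        reasons.append(REASON_DROPPER)
    if not reasons:
        return None
    timestamp = m["ts"] if m else line.split()[0]
    source = m["src"] if m else "unknown"
    return Alert(timestamp, source, reasons, line)


def scan_log(lines: List[str]) -> List[Alert]:
    """Scan log lines in order and return every alert raised."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log; 192.168.1.1 stands in for a router, the other
# addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2025-02-17T10:01:02Z src=192.168.1.1 dst=2.237.57.70 dport=82 proto=tcp",
    "2025-02-17T10:01:05Z src=192.168.1.23 dst=192.0.2.10 dport=443 proto=tcp",
    "2025-02-17T10:02:11Z src=192.168.1.1 dst=203.0.113.9 dport=82 proto=tcp",
    "2025-02-17T10:03:40Z src=192.168.1.1 GET /dropbpb.sh HTTP/1.1",
    "2025-02-17T10:04:00Z src=192.168.1.23 dst=198.51.100.7 dport=53 proto=udp",
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.source}: {'; '.join(alert.reasons)}")
```

Run against the constructed sample, the first line raises both the address and port reasons, the third raises only the port-82 reason, and the fourth is caught by the dropper filename even though it is not a flow record. In a real deployment the indicators would come from a threat-intelligence feed rather than constants, and the address match should be treated as high confidence while the bare port-82 match is triaged rather than acted on automatically.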
This ongoing development highlights the evolving tactics of cybercriminals and their increasing sophistication in avoiding detection.
With over 6,000 devices currently targeted by Ballista, the botnet’s reach is widespread, with infections observed in countries including Brazil, Poland, the UK, Bulgaria, and Turkey. Affected industries include healthcare, technology, manufacturing, and services, especially in the United States, Australia, China, and Mexico. The attack’s spread highlights the global scope of the threat, with the botnet targeting key sectors that rely heavily on internet-connected devices. Despite similarities to older botnets like Mirai, Ballista’s techniques and adaptability make it a distinct and potent threat. Researchers continue to study its development, and efforts to mitigate its impact are ongoing.
What’s a botnet?
A botnet is a network of compromised computers, known as bots or zombies, controlled remotely by cybercriminals to launch large-scale cyberattacks. These networks are commonly used for DDoS attacks, credential stuffing, spam distribution, and malware propagation. Hackers infect devices through malware, phishing, or unpatched vulnerabilities, silently turning them into part of the botnet. Popular botnets like Mirai and Emotet have caused widespread damage, targeting businesses, governments, and individuals. To protect against botnets, users should enable firewalls, update software, and use strong security tools. Stay informed on cyber threats and botnet protection to keep your systems safe.