A new botnet campaign is exploiting a high-severity security flaw in unpatched TP-Link routers and has already spread to more than 6,000 devices.
According to a new report from the Cato CTRL team, the Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router.
The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw also linked to the Condi and AndroxGh0st malware attacks.
Ballista’s most recent exploitation attempt was February 17, 2025 and Cato CTRL first detected it on January 10, 2025.
Of the thousands of infected devices, the majority of them are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey; with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexico.
How does Ballista attack
The attack sequence is as follows: it starts with a malware dropper, then a shell script designed to fetch and execute the main binary on the target system for various system architectures. When executed, the malware establishes a command-and-control (C2) channel on port 82 to take control of the device.
This allows the malware to run shell commands to conduct further remote code execution and Denial of Service (DoS) attacks; it will also attempt to read sensitive files on the system.
Supported commands include flooder (triggers a flood attack), exploiter (which exploits CVE-2023-1389), start (an optional parameter used with the exploiter to start the module), close (stops the module triggering function), shell (runs a Linux shell command on the local system) and killall (used to terminate the service).
The Ballista malware is additionally capable of terminating previous instances of itself – and erasing its own presence once execution begins. It’s designed to spread to other routers by attempting to exploit the flaw.
Since both the IP address and language used have an Italian base, the cybersecurity researchers have suggested that the threat actor is of an unknown Italian origin. However, the initial IP address used is no longer functional having been replaced by a new variant utilizing TOR network domains. This all indicates that the malware is under active development.