Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
A new botnet campaign called Ballista is actively targeting unpatched TP-Link Archer routers by exploiting CVE-2023-1389, a high-severity vulnerability in the routers' web management interface: an unauthenticated command injection that gives the attacker remote code execution on the device. TP-Link shipped fixed firmware for the affected Archer AX21 in 2023, so the routers at risk are those still running older firmware with the management interface reachable by the attacker. The campaign was first detected on January 10, 2025, and the most recent exploitation attempt was recorded on February 17. Initial infection uses a dropper script that fetches the main malware binary built for the victim's CPU architecture and executes it, so one dropper can compromise routers of several different architectures.

Once installed, the malware establishes an encrypted command-and-control channel to its server on port 82. Over that channel the operators can run shell commands on the router, read sensitive files, launch flood (DDoS) attacks, and order the bot to exploit CVE-2023-1389 against other reachable routers, which is how the botnet propagates.

Over 6,000 devices are reported infected, primarily in Brazil, Poland, the UK, Bulgaria, and Turkey, and organizations in the manufacturing, healthcare, services, and technology sectors in the US, Australia, China, and Mexico have been targeted. Analysis of the malware code suggests possible links to an Italian threat actor. The botnet appears to be under active development: newer variants reach their command-and-control infrastructure through Tor network domains instead of hard-coded IP addresses, which makes blocking by IP address less effective and removes the direct port-82 connection as an easy network indicator.
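The two network-visible traits described above, a direct connection from a router to port 82 and an exploitation attempt against CVE-2023-1389, can be hunted for in ordinary firewall and web-server logs. The script below is an added example written for this page; it is not code from the original article or from the researchers who analysed the botnet. The `/cgi-bin/luci/;stok=/locale` endpoint and its `form=country`, `operation=write` and `country` parameters come from the public CVE-2023-1389 description (the unsanitised `country` value is passed to a shell). Everything else is an assumption for illustration: the key=value firewall export format, the Common Log Format access log, the `192.0.2.0/24` subnet standing in for where the organisation's edge routers live, and all of the log lines, which are constructed rather than captured.

```python
"""Hunt for Ballista-style indicators in constructed log samples.

Two checks:
  1. outbound TCP flows from the router subnet to port 82 (the C2 port), and
  2. write requests to the TP-Link locale endpoint whose `country` value
     carries shell metacharacters (CVE-2023-1389 is a command injection there).

All log lines below are constructed for illustration, not real captures.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Hypothetical subnet holding the organisation's TP-Link edge routers.
ROUTER_NETS = [ip_network("192.0.2.0/24")]
C2_PORT = 82

# Constructed firewall export, one key=value record per line (format assumed).
FIREWALL_LOG = """\
2025-02-17T10:20:44Z src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=443 action=allow
2025-02-17T10:21:05Z src=192.0.2.10 dst=203.0.113.9 proto=tcp dport=82 action=allow
2025-02-17T10:21:06Z src=10.0.0.25 dst=203.0.113.9 proto=tcp dport=82 action=allow
2025-02-17T10:21:30Z src=192.0.2.11 dst=198.51.100.40 proto=udp dport=82 action=allow
2025-02-17T10:22:01Z src=192.0.2.12 dst=203.0.113.9 proto=tcp dport=82 action=deny
"""

# Constructed web-management access log in Common Log Format.
ACCESS_LOG = """\
198.51.100.7 - - [17/Feb/2025:10:20:58 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 91
198.51.100.7 - - [17/Feb/2025:10:21:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(echo+probe) HTTP/1.1" 200 44
198.51.100.8 - - [17/Feb/2025:10:21:03 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%3Becho%20probe HTTP/1.1" 200 44
203.0.113.77 - - [17/Feb/2025:10:21:10 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=DE HTTP/1.1" 200 44
203.0.113.78 - - [17/Feb/2025:10:21:12 +0000] "GET /webpages/index.html HTTP/1.1" 200 1402
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOCALE_PATH = "/cgi-bin/luci/;stok=/locale"
# Characters that let a value escape the command string built from `country`.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def parse_kv(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = ts
    return rec


def c2_port_hits(firewall_log, router_nets=ROUTER_NETS, port=C2_PORT):
    """Return (ts, src, dst, action) for TCP flows from a router subnet to the C2 port.

    Denied flows are reported too: a router that merely tries to reach the
    C2 port is already worth inspecting.
    """
    hits = []
    for line in firewall_log.splitlines():
        if not line.strip():
            continue
        rec = parse_kv(line)
        try:
            src = ip_address(rec["src"])
            dport = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # malformed record; skip rather than crash the hunt
        if rec.get("proto") != "tcp" or dport != port:
            continue
        if any(src in net for net in router_nets):
            hits.append((rec["ts"], rec["src"], rec.get("dst", "?"), rec.get("action", "?")))
    return hits


def locale_injection_attempts(access_log):
    """Return (client, ts, decoded_country) for locale write requests with shell metacharacters.

    The query string is percent-decoded before matching, so an encoded
    ';' (%3B) is caught just like a raw one.
    """
    attempts = []
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, _status = m.groups()
        parts = urlsplit(target)  # urlsplit keeps ';stok=' inside the path
        if parts.path != LOCALE_PATH:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("form") != ["country"] or qs.get("operation") != ["write"]:
            continue
        for value in qs.get("country", []):
            if SHELL_META.search(value):
                attempts.append((client, ts, value))
    return attempts


if __name__ == "__main__":
    for hit in c2_port_hits(FIREWALL_LOG):
        print("possible C2 beacon:", *hit)
    for attempt in locale_injection_attempts(ACCESS_LOG):
        print("CVE-2023-1389 attempt:", *attempt)
```

Against the constructed samples, the first check flags the two router-sourced TCP flows to port 82 (one allowed, one denied) and ignores the non-router host and the UDP flow; the second flags the raw `$(...)` payload and the percent-encoded `;` while letting the legitimate `country=DE` write through. Treat both as triage heuristics rather than proof: port 82 carries legitimate traffic on some networks, and the newer Ballista variants that reach their C2 through Tor will not show up as a direct port-82 connection at all, so a clean first check does not clear a router that the second check shows was attacked.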