Ballista Botnet Targets TP-Link Archer Routers, Spreading Rapidly Worldwide

Introduction

A newly discovered botnet, dubbed Ballista, is actively exploiting a critical remote code execution (RCE) vulnerability in unpatched TP-Link Archer AX21 routers. This vulnerability, tracked as CVE-2023-1389, allows attackers to remotely inject commands, giving them unauthorized control over affected devices.

Since its detection on January 10, 2025, Ballista has rapidly spread, compromising over 6,000 devices worldwide. The botnet has primarily targeted Brazil, Poland, the United Kingdom, Bulgaria, and Turkey, while also affecting organizations in the United States, Australia, China, and Mexico across multiple sectors, including manufacturing, healthcare, technology, and services.

How the Ballista Botnet Works

1. Initial Infection

• The botnet targets unpatched TP-Link Archer AX21 routers, exploiting the CVE-2023-1389 vulnerability.
• Attackers inject commands remotely, gaining full control over the router.

2. Malware Deployment

• Once compromised, the router downloads a malware dropper script named “dropbpb.sh”.
• This script fetches and executes the main botnet binary, which is designed to run on various system architectures, including:
  • mips
  • mipsel
  • armv5l
  • armv7l
  • x86_64

3. Command and Control (C2) Communication

• After execution, the malware establishes an encrypted communication channel on port 82.
• Through this channel, attackers can:
  • Run shell commands remotely
  • Conduct further RCE attacks
  • Launch denial-of-service (DoS) attacks

4. Self-Propagation and Data Extraction

• The malware attempts to read sensitive files on the local system.
• It spreads to other vulnerable routers by exploiting the same vulnerability (CVE-2023-1389).

Geographic Impact

Most Affected Countries

The Ballista botnet has been detected in multiple countries, with the highest concentration of infections in:

1. Brazil
2. Poland
3. United Kingdom
4. Bulgaria
5. Turkey

Targeted Sectors

The botnet has not only infected individual users but also targeted organizations in key industries:

• Manufacturing
• Healthcare
• Technology
• Service industries

Countries such as the United States, Australia, China, and Mexico have reported compromised corporate networks, raising concerns over data security and operational disruptions.

Possible Threat Actor Behind the Ballista Botnet

Potential Italian Connection

Cybersecurity analysts suggest that Ballista may be linked to an Italian-based threat actor based on:

• IP addresses of the command-and-control (C2) server, which are traced back to Italy.
• Italian language strings found in the malware’s binary code, suggesting that the developers might be Italian-speaking.

While definitive attribution is still under investigation, this evidence points toward a coordinated cybercriminal operation originating from Italy.

How to Protect Your Devices from the Ballista Botnet

To mitigate the risk posed by Ballista and similar botnets, users and organizations must take immediate action:

1. Update Firmware Immediately

• TP-Link has released firmware patches addressing CVE-2023-1389.
• Users must visit the official TP-Link website and update their Archer AX21 routers to the latest secure version.

2. Change Default Credentials

• Default usernames and passwords are common attack vectors.
• Use strong, unique passwords to prevent unauthorized access.

3. Disable Unnecessary Services

• Turn off unused services and remote management features to reduce attack surfaces.

4. Monitor Network Activity

• Regularly monitor network traffic for unusual spikes or unauthorized connections.
• Use intrusion detection systems (IDS) to identify suspicious activities.

5. Implement Firewalls & Security Tools

• Use firewall rules to restrict unauthorized access to the router.
• Deploy endpoint security solutions to detect and block malware activities.

Conclusion

The Ballista botnet represents a serious cyber threat, actively exploiting CVE-2023-1389 to compromise thousands of TP-Link Archer AX21 routers worldwide. With infections spreading rapidly and a potential link to Italian-based cybercriminals, organizations and individuals must act quickly to secure their devices.

By patching firmware, strengthening security settings, and monitoring network traffic, users can protect their routers from being hijacked and mitigate the risks of remote attacks. As cybercriminals continue to evolve their tactics, staying vigilant and proactive is the key to safeguarding digital infrastructures.