This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked


  • Old TP-Link router flaw is being abused again
  • The threat actors are building out a botnet named Ballista
  • They are operating from Italy

Italian hackers are abusing a vulnerability in TP-Link Archer routers to spread a new botnet, cybersecurity researchers from Cato Networks have reported.

The researchers said they observed a previously unreported global internet-of-things (IoT) botnet campaign, which started to spread in the early days of 2025.

The botnet exploits a remote code execution (RCE) vulnerability in the routers, tracked as CVE-2023-1389.

Manufacturing, healthcare, and tech targets

This vulnerability has been exploited for botnet building in the past as well. TechRadar Pro has, on numerous occasions, reported about multiple groups targeting this particular flaw, including the dreaded Mirai. Reports were coming out in both 2023 and 2024.

For this campaign, Cato says the attackers first try to drop a bash script that acts as a payload dropper and fetches the malware. The botnet later switched to Tor domains for its infrastructure to be stealthier, possibly after seeing increased scrutiny from cybersecurity researchers.

“Once executed, the malware sets up a TLS encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device,” Cato said in its writeup. “This allows running shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.”

As for attribution, Cato believes “with moderate confidence” that the threat actor is based in Italy, since the IP addresses discovered originate in that country. Furthermore, the researchers found Italian strings in the binary, which prompted them to dub the botnet “Ballista”.

The Ballista botnet mostly targets manufacturing, medical and healthcare, services, and technology organizations around the world, notably in the US, Australia, China, and Mexico. With more than 6,000 vulnerable devices exposed to the internet, Cato suggests the attack surface is relatively large and that the attacks are still ongoing.

The best way to defend against Ballista is to update the TP-Link Archer routers. The company addressed this issue in firmware version 1.1.4 Build 20230219.
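Two checks a defender can run from the details above: whether an Archer's firmware label is at or past the fixed build, and whether router addresses show up in TCP sessions on port 82, the C2 port Cato reports. This is an added example, not code from the article or from Cato; the firmware label format, the log line format, the sample log lines and the router addresses are all constructed assumptions, and since the article does not say whether port 82 is a listener on the router or an outbound connection, the check flags traffic in either direction.

```python
import re

# Fixed firmware per the article; anything older is exposed to CVE-2023-1389.
FIXED_VERSION = (1, 1, 4)
FIXED_BUILD = 20230219
# C2 port reported by Cato for Ballista.
C2_PORT = 82


def parse_firmware(label: str) -> tuple[tuple[int, ...], int]:
    """Parse a TP-Link-style label such as '1.1.4 Build 20230219' (assumed format)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s+Build\s+(\d{8})\s*", label)
    if not m:
        raise ValueError(f"unrecognised firmware label: {label!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def is_patched(label: str) -> bool:
    """True if version/build is at or past the build that fixed CVE-2023-1389."""
    version, build = parse_firmware(label)
    return (version, build) >= (FIXED_VERSION, FIXED_BUILD)


# Assumed firewall log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport>".
LOG_LINE = re.compile(
    r"(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def c2_candidates(log_lines, router_ips):
    """Return (timestamp, router, peer) for TCP/82 sessions to or from a router."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["proto"] != "TCP" or int(m["dport"]) != C2_PORT:
            continue
        if m["src"] in router_ips:          # router reaching out to port 82
            hits.append((m["ts"], m["src"], m["dst"]))
        elif m["dst"] in router_ips:        # something reaching the router on port 82
            hits.append((m["ts"], m["dst"], m["src"]))
    return hits


# Constructed sample log lines and router addresses (not from the article).
SAMPLE_LOG = [
    "2025-01-12T03:14:07Z TCP 192.0.2.1:51234 -> 198.51.100.7:82",
    "2025-01-12T03:14:09Z TCP 192.0.2.1:51235 -> 198.51.100.7:443",
    "2025-01-12T03:15:22Z TCP 192.0.2.44:40112 -> 203.0.113.9:82",
    "2025-01-12T03:16:01Z UDP 192.0.2.1:53002 -> 198.51.100.53:53",
    "2025-01-12T03:17:30Z TCP 203.0.113.9:44021 -> 192.0.2.1:82",
]
ROUTER_IPS = {"192.0.2.1"}
```

A hit on port 82 is a lead to verify against the device's firmware label, not proof of compromise on its own.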

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
