- An old TP-Link router flaw is being abused again
- Threat actors are building a botnet called Ballista
- They are operating from Italy
Italian hackers are abusing a vulnerability in TP-Link Archer routers to spread a new botnet, cybersecurity researchers at Cato Networks have reported.
The researchers said they observed a previously unreported global Internet of Things (IoT) botnet campaign, which began spreading in the first days of 2025.
The botnet exploits a remote code execution (RCE) vulnerability in the routers, tracked as CVE-2023-1389.
Manufacturing, healthcare and technology targets
This vulnerability has been exploited to build botnets in the past. TechRadar Pro has reported on numerous occasions on multiple groups targeting this particular flaw, including the dreaded Mirai. The reports came out in both 2023 and 2024.
In this campaign, Cato says, the attackers first attempt to drop a bash script that serves as the dropper for the malware payload. The botnet later switched to using Tor domains to be stealthier, possibly after noticing greater scrutiny from cybersecurity researchers.
“Once executed, the malware establishes a TLS-encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device,” Cato said in its write-up. “This allows it to execute shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.”
As for attribution, Cato believes “with moderate confidence” that the threat actor is Italian, since the IP addresses it discovered originate in that country. In addition, the researchers found Italian strings in the binary, which led them to dub the botnet “Ballista”.
The Ballista botnet mainly targets manufacturing, medical and healthcare, services and technology organizations around the world, notably in the United States, Australia, China and Mexico. Cato suggests that the attack surface is relatively large and that the attacks are still ongoing.
The best way to defend against Ballista is to update TP-Link Archer routers. The company addressed this issue in firmware version 1.1.4 Build 20230219.
Via The Hacker News
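Two things a defender can act on from the details above are the C2 channel on TCP port 82 and the fixed firmware version. The following Python script is an added example, not code from the article or from Cato Networks: it flags outbound port-82 flows from known router addresses in a constructed set of firewall log lines, and compares a router's reported firmware string against the patched version 1.1.4 Build 20230219. The log field layout, the router inventory and every address and version string other than the patched one are assumptions made for this example.

```python
import re

# Firmware version that, per the article, addresses CVE-2023-1389.
PATCHED_VERSION = "1.1.4 Build 20230219"

# Constructed sample firewall log lines (not real telemetry).
# Assumed field layout: timestamp src dst proto dport action
SAMPLE_LOGS = """\
2025-01-05T10:01:12Z 192.168.1.1 203.0.113.10 tcp 443 allow
2025-01-05T10:01:13Z 192.168.1.1 198.51.100.7 tcp 82 allow
2025-01-05T10:02:40Z 192.168.1.50 203.0.113.10 tcp 82 allow
2025-01-05T10:03:00Z 192.168.1.1 198.51.100.7 tcp 82 allow
2025-01-05T10:03:05Z 192.168.1.1 198.51.100.7 udp 82 allow
"""

# Assumed inventory: addresses of the TP-Link Archer routers being monitored.
ROUTER_ADDRESSES = {"192.168.1.1"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<dport>\d+) (?P<action>\S+)$"
)


def parse_version(version):
    """Turn a string like '1.1.4 Build 20230219' into a comparable tuple.

    Returns (major, minor, patch, build); raises ValueError on unexpected input
    rather than silently treating an unparseable string as patched.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(reported_version, patched=PATCHED_VERSION):
    """True if the router's reported firmware is at or above the fixed version."""
    return parse_version(reported_version) >= parse_version(patched)


def suspicious_c2_flows(log_text, router_addrs=ROUTER_ADDRESSES, c2_port=82):
    """Return (timestamp, src, dst) for allowed outbound TCP flows from a known
    router to the C2 port described in the article. Non-router sources, other
    protocols and malformed lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (
            m["src"] in router_addrs
            and m["proto"] == "tcp"
            and int(m["dport"]) == c2_port
            and m["action"] == "allow"
        ):
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


if __name__ == "__main__":
    for ts, src, dst in suspicious_c2_flows(SAMPLE_LOGS):
        print(f"{ts} router {src} -> {dst}:82/tcp (possible Ballista C2)")
    # Constructed example of a pre-fix firmware string.
    print("1.1.3 Build 20221123 patched?", is_patched("1.1.3 Build 20221123"))
```

Port 82 alone is a weak indicator, so treat a hit as a trigger to check the router's firmware and look for the dropped bash script rather than as confirmation of compromise.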