Summary: A new botnet campaign named Ballista targets unpatched TP-Link Archer routers through a high-severity vulnerability (CVE-2023-1389), allowing remote code execution. The botnet has been active since January 10, 2025, exploiting routers to deploy various malware including the Mirai and AndroxGh0st families. Researchers have linked the campaign to an unidentified Italian threat actor and identified over 6,000 infected devices across multiple countries.
Affected: TP-Link Archer routers
Keypoints:
- The botnet exploits a remote code execution vulnerability, CVE-2023-1389, allowing automated spreading and various attacks.
- Infections are primarily located in Brazil, Poland, the UK, Bulgaria, and Turkey, affecting sectors like manufacturing and healthcare.
- The botnet's command-and-control mechanism uses an encrypted channel, and the malware is designed for active development with evolving strategies for propagation.
Source: https://thehackernews.com/2025/03/ballista-botnet-exploits-unpatched-tp.html