Cato Networks' threat research team, Cato CTRL, has identified a new threat: the IoT botnet "Ballista". The malware exploits a serious vulnerability in TP-Link Archer routers and uses it to spread on its own across the internet.
The affected model is the Archer AX21 (also sold as AX1800). The vulnerability, CVE-2023-1389, is an unauthenticated command injection in the router's web management interface caused by insufficient input validation. It lets an attacker execute arbitrary commands as root and take full control of the device.
Why are IoT devices a worthwhile target?
Networked devices have been a focus of cybercriminals for years. Routers in particular are popular targets because they often run outdated software and rarely receive security updates. Many users never update the firmware, so known vulnerabilities remain exploitable for a long time. Well-known botnets such as Mirai or Mozi have shown how easy it is to compromise IoT devices at scale, the researchers write.
Since the beginning of 2025, Cato CTRL has observed a growing number of attacks on IoT devices. The "Ballista" campaign was first identified on January 10, and by February 17 the researchers had recorded numerous exploitation attempts. Infection starts with a dropper that downloads and executes the actual bot binary. The attackers keep adapting their methods, for example by moving their command-and-control infrastructure to Tor domains to cover their tracks.
How does the Ballista botnet work?
After infecting a router, the malware establishes an encrypted command-and-control (C2) channel over port 82. This gives the attackers complete control of the device, including:
- Execution of arbitrary shell commands
- Launching denial-of-service (DoS) attacks
- Reading sensitive system files
The malware also spreads by exploiting the same vulnerability in other TP-Link Archer routers. Its modular architecture provides dedicated functions for this: an exploiter module for spreading and a flooder module for DDoS attacks.
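The two behaviours just described, a C2 session on TCP/82 and a router probing other routers' web interfaces, are both visible from inside the network. The following script is an added example (editorial code, not Cato's or TP-Link's) of applying them to a firewall flow log: it flags a watched router that opens TCP/82 to the internet, and a router that starts contacting many distinct external hosts on web ports, which is what the exploiter module's spreading would look like from the victim side. The log format, the list of router addresses, the assumption that the targeted web interface listens on 80/443, and the scan threshold are all assumptions; every log line is constructed.

```python
"""Triage of flow logs for the two Ballista behaviours described above.

Added example, not code from Cato or TP-Link. It assumes a space-separated
flow log (timestamp proto src sport dst dport bytes), a list of router
addresses to watch, and that the web interface targeted by the exploiter
module listens on TCP 80/443 (the article only names the C2 port, 82).
All sample lines below are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

C2_PORT = 82            # Ballista C2: TLS on TCP/82 (from the article)
WEB_PORTS = {80, 443}   # assumed ports of the router web interface
SCAN_THRESHOLD = 5      # distinct external web targets before we call it scanning

# Site-internal ranges; router traffic to these is normal management traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Finding:
    kind: str     # "c2_beacon" or "web_scan"
    src: str      # the router that produced the traffic
    detail: str   # destination for beacons, target count for scans


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, proto, src, sport, dst, dport, nbytes = parts
    try:
        return Flow(ts, proto.upper(), ipaddress.IPv4Address(src), int(sport),
                    ipaddress.IPv4Address(dst), int(dport), int(nbytes))
    except ValueError:   # bad address or non-numeric field
        return None


def leaves_site(addr: ipaddress.IPv4Address) -> bool:
    """True for destinations outside the local ranges and not multicast."""
    return not addr.is_multicast and not any(addr in n for n in INTERNAL_NETS)


def triage(log_text: str, router_ips: List[str],
           scan_threshold: int = SCAN_THRESHOLD) -> List[Finding]:
    """Flag router-originated flows matching Ballista's C2 or its spreading."""
    routers = {ipaddress.IPv4Address(ip) for ip in router_ips}
    findings: List[Finding] = []
    web_targets = defaultdict(set)   # router -> external hosts probed on web ports

    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f.proto != "TCP" or f.src not in routers:
            continue
        if not leaves_site(f.dst):
            continue
        if f.dport == C2_PORT:
            # A router has no reason to initiate TCP/82 to the internet itself.
            findings.append(Finding("c2_beacon", str(f.src),
                                    f"{f.dst}:{f.dport} at {f.ts}"))
        elif f.dport in WEB_PORTS:
            web_targets[f.src].add(f.dst)

    for src, targets in web_targets.items():
        # One router contacting many distinct external web servers looks like
        # the exploiter module hunting for other Archer routers.
        if len(targets) >= scan_threshold:
            findings.append(Finding("web_scan", str(src),
                                    f"{len(targets)} distinct hosts"))
    return findings


# Constructed sample log; 192.168.10.1 is the router, 192.168.10.55 a client.
SAMPLE_LOG = """\
2025-02-17T09:12:01Z TCP 192.168.10.1 51234 203.0.113.7 82 1842
2025-02-17T09:12:31Z TCP 192.168.10.1 51235 203.0.113.7 82 96
2025-02-17T09:12:40Z TCP 192.168.10.1 40001 198.51.100.11 80 512
2025-02-17T09:12:40Z TCP 192.168.10.1 40002 198.51.100.12 80 512
2025-02-17T09:12:41Z TCP 192.168.10.1 40003 198.51.100.13 80 512
2025-02-17T09:12:41Z TCP 192.168.10.1 40004 198.51.100.14 80 512
2025-02-17T09:12:42Z TCP 192.168.10.1 40005 198.51.100.15 80 512
2025-02-17T09:12:42Z TCP 192.168.10.1 40006 198.51.100.16 80 512
2025-02-17T09:13:00Z TCP 192.168.10.55 44321 203.0.113.80 443 2048
2025-02-17T09:13:02Z UDP 192.168.10.1 5353 224.0.0.251 5353 120
2025-02-17T09:13:05Z TCP 192.168.10.1 48000 192.168.10.20 80 300
malformed line (skipped by the parser)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ["192.168.10.1"]):
        print(f"{finding.kind:10} {finding.src:15} {finding.detail}")
```

Only flows originating from the watched routers are considered, so ordinary clients browsing to port 443 produce nothing; the C2 rule fires on the first beacon, while the scan rule needs several distinct external targets so that a single legitimate firmware-update check does not trip it. In practice the threshold and the web ports should be tuned to what the routers on your network normally do.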
Targets and origin of the attack
Organizations in the manufacturing, healthcare, services and technology sectors are particularly targeted by "Ballista". Attacks have been observed in several countries, including the US, Australia, China and Mexico. A Censys search showed more than 6,000 internet-exposed devices that are potentially vulnerable. Cato suspects an Italian threat actor is behind the campaign, based on an analysis of the C2 server's IP address and Italian-language strings in the malware.
Although “Ballista” has parallels to other botnets such as Mirai, it is an independent threat with specific attack methods.
Protection against IoT threats
The growing number of attacks on IoT devices shows once again how urgently security measures are needed. Vulnerabilities such as CVE-2023-1389 (fixed by TP-Link in Archer AX21 firmware 1.1.4 Build 20230219, per the NVD entry) make clear that regular updates and basic hardening are essential to prevent infection: the flaw was patched long before this campaign, yet thousands of unpatched routers remain reachable. Companies and private users should monitor their IoT devices closely, apply firmware updates consistently, keep the router's management interface off the internet, and add protective measures such as firewalls and network segmentation so that a compromised router cannot reach the rest of the infrastructure.