Ballista Botnet Exploits Patched TP-Link Vulnerability Infects Over 6,000 Devices

March 11, 2025Ravi LakshmananNetwork Security/Vulnerabilities

New research from the Cato CTRL team shows that unpatched TP-Link Archer routers are the target of a new botnet campaign called Ballista.

“The botnet automatically spreads across the Internet by leveraging a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389),” the security researchers said in a technical report shared with The Hacker News.

CVE-2023-1389 is a high-severity security flaw affecting TP-Link Archer AX-21 routers. It is a command injection bug in the router's web management interface and, because injected commands run on the device, it leads directly to remote code execution. TP-Link has published fixed firmware; devices that have not been updated remain exposed.

The earliest evidence of in-the-wild exploitation of the flaw dates back to April 2023, when an unidentified threat actor used it to deliver the Mirai botnet malware. Since then, it has been abused to propagate other malware families such as Condi and Androxgh0st.

Cato CTRL said it first detected the Ballista campaign on January 10, 2025. The most recent exploitation attempts were recorded on February 17, 2025.

The attack sequence begins with a malware dropper, a shell script (“dropbpb.sh”) that fetches and executes the main binary built for the victim's CPU architecture; builds exist for mips, mipsel, armv5l, armv7l and x86_64.

Once running, the malware establishes an encrypted command-and-control (C2) channel on port 82, through which the operators control the device.

“This allows it to run shell commands to carry out further RCE and denial-of-service (DoS) attacks,” the researchers said. “In addition, the malware attempts to read sensitive files on the local system.”

Some of the supported commands are listed below:

  • flooder: triggers a flood attack
  • exploiter: exploits CVE-2023-1389 against other routers
  • start: an optional parameter used with exploiter to start the module
  • a stop command, which halts the module-triggering function
  • shell: executes Linux shell commands on the local system
  • killall: terminates the service

Additionally, when it starts executing it terminates any previous instances of itself and deletes its own file from disk to hide its presence. It is also designed to spread to other routers by attempting to exploit the same flaw.

The geolocation of the C2 IP address (2.237.57[.]70) and the presence of Italian-language strings in the malware binaries suggest the involvement of an unknown Italian threat actor, the cybersecurity company said.

That said, given that the IP address is no longer active and that new variants of the dropper use Tor network domains instead of a hardcoded IP address, the malware appears to be under active development. For defenders this also means the IP indicator has a short shelf life, while the unusual C2 port and the exploitation traffic itself are the more durable signals.
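As an added example (not code from the article or from Cato CTRL), the Python below hunts a Zeek-style conn.log for the two network indicators the article gives: the historical C2 address 2.237.57[.]70 and outbound TCP connections to port 82, the C2 port. The sample log lines and the use of the RFC 1918 ranges to define "internal" hosts are constructed assumptions for the example. Because the article notes the IP is already defunct and newer droppers use Tor, the address match is labelled a historical indicator and the unusual port is the one worth a standing alert, since a consumer router has no business initiating TLS to port 82 on the Internet.

```python
"""Hunt Zeek-style conn.log records for Ballista C2 traffic.

Added example, not part of the original article or Cato CTRL's report.
Indicators taken from the article: C2 port TCP/82 and C2 address
2.237.57.70 (written defanged as 2.237.57[.]70 in the text).
The log lines below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

BALLISTA_C2_IP = "2.237.57.70"   # reported as no longer active; historical IOC
BALLISTA_C2_PORT = 82            # encrypted C2 channel port from the report

# Assumption for the example: "internal" means RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample. Zeek conn.log columns used here:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, conn_state
SAMPLE_CONN_LOG = """\
1736496000.1\tC1\t192.168.1.1\t41022\t2.237.57.70\t82\ttcp\tssl\tSF
1736496001.2\tC2\t192.168.1.20\t51234\t93.184.216.34\t443\ttcp\tssl\tSF
1736496002.3\tC3\t192.168.1.1\t41023\t203.0.113.9\t82\ttcp\t-\tS0
1736496003.4\tC4\t192.168.1.1\t41024\t192.168.1.15\t80\ttcp\thttp\tSF
1736496004.5\tC5\t192.168.1.30\t41025\t198.51.100.7\t82\ttcp\tssl\tSF
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service", "conn_state"]


def parse_conn_log(text):
    """Yield one dict per data row; skip comments and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # do not let one bad row abort the hunt
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def hunt_ballista(text):
    """Return (findings, per_host) for the given conn.log text.

    findings: list of (uid, source host, reason), in log order.
      known_c2_ip  - destination is the historical Ballista C2 address
      tcp82_egress - outbound TCP/82 from an internal host to a non-RFC1918
                     address; weaker than an address match but survives the
                     operators rotating IPs or moving to Tor-fronted C2.
    per_host: count of findings per internal source host.
    """
    findings = []
    per_host = defaultdict(int)
    for rec in parse_conn_log(text):
        reason = None
        if rec["resp_h"] == BALLISTA_C2_IP:
            reason = "known_c2_ip"
        elif (rec["proto"] == "tcp" and rec["resp_p"] == BALLISTA_C2_PORT
              and is_internal(rec["orig_h"]) and not is_internal(rec["resp_h"])):
            reason = "tcp82_egress"
        if reason:
            findings.append((rec["uid"], rec["orig_h"], reason))
            per_host[rec["orig_h"]] += 1
    return findings, dict(per_host)


if __name__ == "__main__":
    found, hosts = hunt_ballista(SAMPLE_CONN_LOG)
    for uid, src, why in found:
        print(f"{uid}: {src} -> {why}")
    print("suspect hosts:", hosts)
```

On the constructed sample this flags the router at 192.168.1.1 twice (once on the historical C2 address, once on a TCP/82 connection to an unrelated public host, which is exactly the case that matters once the operators rotate infrastructure) and a second internal host once; the HTTPS session and the LAN-internal HTTP connection are left alone.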

A search on the attack surface management platform Censys revealed that more than 6,000 devices have been infected by Ballista. Infections are concentrated in Brazil, Poland, the UK, Bulgaria and Türkiye.

The botnet is known to target manufacturing, healthcare, services and technology organizations in the United States, Australia, China and Mexico.

“The malware sample shares similarities with other botnets, but it’s different from widely used botnets like Mirai and Mozi,” the researchers said.
