Dubbed "Ballista," this nasty piece of work has already infected over 6,000 devices by exploiting a high-severity security flaw in the TP-Link Archer AX-21 router. The vulnerability, known as CVE-2023-1389, allows remote code execution (RCE) and has been around since at least April 2023. It previously fuelled the Mirai, Condi, and AndroxGh0st malware attacks.
Cato CTRL researchers first spotted Ballista up to no good on January 10, 2025, with its latest strike recorded on February 17. The infection map reads like a travel brochure, with hotspots in Brazil, Poland, the UK, Bulgaria, and Turkey.
Its real targets seem to be the US, Australia, China, and Mexico, where it goes after manufacturing, healthcare, and tech organisations.
The attack follows a simple plan: a malware dropper initiates the attack, and then a shell script downloads the primary payload built for the router's CPU architecture.
Once inside, Ballista establishes a command-and-control (C2) channel on port 82, handing over the keys to the hackers. From there, it can run remote shell commands, launch denial-of-service (DoS) attacks, and rifle through sensitive files like a nosy neighbour.
The malware’s arsenal includes commands like "flooder" (to unleash a flood attack), "exploiter" (to weaponise CVE-2023-1389), and "killall" (which, as the name suggests, terminates processes). And just to be extra sneaky, Ballista can erase its tracks and even wipe out previous versions of itself before spreading further.
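One defender-side check suggested by the behaviour described above: hunt firewall or flow logs for repeated outbound TCP sessions on port 82, the port reported for Ballista's C2 channel. This is an added example, not code from Cato CTRL or the original article; the log format and the sample lines are constructed, and the beaconing threshold is an assumed tuning value.

```python
"""Hunt for Ballista-style C2 sessions (TCP port 82) in firewall logs."""
import re
from collections import defaultdict

C2_PORT = 82           # C2 port reported for Ballista
BEACON_THRESHOLD = 3   # assumed: repeated sessions to one peer look like a C2 channel

# Constructed sample log lines in an assumed "key=value" firewall format (not real data).
SAMPLE_LOGS = """\
2025-02-17T10:00:01Z ACCEPT TCP src=192.168.1.1 dst=203.0.113.10 sport=41234 dport=82
2025-02-17T10:05:02Z ACCEPT TCP src=192.168.1.1 dst=203.0.113.10 sport=41240 dport=82
2025-02-17T10:10:03Z ACCEPT TCP src=192.168.1.1 dst=203.0.113.10 sport=41251 dport=82
2025-02-17T10:11:00Z ACCEPT TCP src=192.168.1.20 dst=198.51.100.5 sport=50001 dport=443
2025-02-17T10:12:00Z ACCEPT TCP src=192.168.1.20 dst=203.0.113.10 sport=50002 dport=82
this line is malformed and must be skipped"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_candidates(log_text, c2_port=C2_PORT, threshold=BEACON_THRESHOLD):
    """Return {(src, dst): session_count} for hosts that repeatedly connect to c2_port.

    A single session to port 82 can be benign (the port is not reserved for malware),
    so only source/destination pairs seen at least `threshold` times are reported.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["action"] == "ACCEPT" and rec["dport"] == c2_port:
            counts[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (src, dst), n in find_c2_candidates(SAMPLE_LOGS).items():
        print(f"suspect C2 channel: {src} -> {dst}:{C2_PORT} ({n} sessions)")
```

Hits should be cross-checked against the device inventory (a TP-Link Archer router as the source is the signal the report describes) before blocking, since port 82 alone is not a reliable indicator.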
Security experts suspect an Italian connection due to the malware's initial IP address and language patterns. However, the botnet's handlers have already switched to using Tor network domains, meaning the malware is still evolving and is not going anywhere soon.
If you’ve got a TP-Link router that’s still unpatched, you might want to sort that out—before you find yourself unwittingly contributing to a cybercrime wave.