Ballista IoT botnet could affect 6000 devices
- March 19, 2025
- Steve Rogerson

Cato CTRL (the Cato Networks threat intelligence team) has published threat research on Ballista, a global IoT botnet infecting TP-Link Archer routers through a remote code execution vulnerability.
The Ballista botnet has targeted manufacturing, medical, healthcare, services and technology organisations in the USA, Australia, China and Mexico. Using a Censys search, Cato CTRL identified more than 6000 vulnerable devices connected to the internet.
Cato CTRL believes the Ballista botnet is still active and evolving, shifting to Tor-based infrastructure to evade detection, possibly prompted by Cato CTRL’s investigation into the campaign.
According to reports, US government agencies have considered banning TP-Link devices due to security concerns linked to China.
Cato CTRL assesses with moderate confidence that the campaign is linked to an Italy-based threat actor, based on the geolocation of the IP address 2.237.57[.]70 and supported by Italian strings found within the malware binaries.
Since the start of 2025, Cato CTRL has been collecting data on exploitation attempts of IoT devices and malware deployed. During its analysis, an unreported global IoT botnet campaign targeting TP-Link Archer routers emerged. The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers to spread itself automatically over the internet.
TP-Link products have made headlines recently, as the Wall Street Journal reported (www.wsj.com/politics/national-security/us-ban-china-router-tp-link-systems-7d7507e6) in December 2024 that US government agencies have considered banning TP-Link devices due to security concerns linked to China.
Cato CTRL first identified this campaign in January. Over a few weeks, several initial-access attempts were detected, with the most recent attempt taking place on February 17. The initial payload includes a malware dropper that downloads the malware. During the analysis, Cato CTRL observed the botnet evolving by switching to the use of Tor domains to become stealthier.
Once executed, the malware sets up a TLS encrypted command and control channel on port 82, which is used to control the compromised device. Over this channel the operator can run shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.
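As an added illustration (not from the Cato CTRL report or this article), the following Python triage script flags firewall log lines that match the two indicators described above: the reported C2 address and TCP port 82 sessions involving a managed router. The key=value log format, the router inventory and the sample log lines are constructed for the example.

```python
import re

# Indicator published in the Cato CTRL report (defanged on the page as 2.237.57[.]70).
BALLISTA_C2_IP = "2.237.57.70"
# Port on which the report says the malware sets up its TLS C2 channel.
BALLISTA_C2_PORT = "82"

# Assumed asset inventory: public addresses of the TP-Link Archer routers we manage.
ROUTER_ASSETS = {"203.0.113.10"}

# Constructed sample firewall log lines (not from the report), key=value per line.
SAMPLE_LOG = """\
ts=2025-02-17T10:01:02Z src=2.237.57.70 dst=203.0.113.10 dport=82 proto=tcp action=allow
ts=2025-02-17T10:01:05Z src=203.0.113.10 dst=198.51.100.9 dport=82 proto=tcp action=allow
ts=2025-02-17T10:02:10Z src=203.0.113.10 dst=198.51.100.4 dport=443 proto=tcp action=allow
ts=2025-02-17T10:03:00Z src=192.0.2.5 dst=203.0.113.10 dport=80 proto=tcp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(event):
    """Return the Ballista indicators an event matches (empty list if none)."""
    reasons = []
    src, dst = event.get("src"), event.get("dst")
    if BALLISTA_C2_IP in (src, dst):
        reasons.append("traffic with known Ballista C2 address")
    touches_router = src in ROUTER_ASSETS or dst in ROUTER_ASSETS
    if touches_router and event.get("proto") == "tcp" and event.get("dport") == BALLISTA_C2_PORT:
        # Port 82 is unusual for a consumer router in either direction; the report
        # ties the C2 channel to it, so flag it whichever side opened the session.
        reasons.append("TCP/82 session involving a managed router")
    return reasons


def find_ballista_alerts(log_text):
    """Scan a block of log lines and return (src, dst, reasons) for each hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event.get("src"), event.get("dst"), reasons))
    return alerts
```

Running `find_ballista_alerts(SAMPLE_LOG)` reports the inbound session from the C2 address and the router's own outbound TCP/82 session, and ignores the ordinary 443 and 80 traffic.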
For more on the research, visit www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers.