Cato CTRL identifies Ballista IoT Botnet
- March 12, 2025
- William Payne

The Cato Networks threat intelligence team has published new threat research on Ballista, a new global IoT botnet infecting TP-Link Archer routers through a remote code execution vulnerability (CVE-2023-1389).
The Ballista botnet has targeted manufacturing, medical/healthcare, services, and technology organisations in the USA, Australia, China, and Mexico. Using a Censys search, Cato CTRL has identified more than 6,000 vulnerable devices connected to the Internet.
Cato CTRL believes the Ballista botnet is still active and evolving, shifting to Tor-based infrastructure to evade detection. Cato CTRL believes this has possibly been prompted by its investigation into the botnet campaign.
According to reports, US Government agencies have considered banning TP-Link devices due to security concerns linked to China.
Cato CTRL assesses, with “moderate confidence”, that the campaign is linked to an Italian-based threat actor, based on the IP address location (2.237.57[.]70) and supported by Italian strings found within the malware binaries.
Since the start of 2025, Cato CTRL has been collecting data on exploitation attempts of IoT devices and malware deployed through these attempts. During its analysis, an unreported global IoT botnet campaign targeting TP-Link Archer routers has emerged. The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet.
Cato CTRL first identified this campaign on January 10. Over the course of a few weeks, several initial-access attempts were detected, with the most recent attempt taking place on February 17. The initial payload includes a malware dropper (specifically, a bash script) that downloads the malware. During its analysis, Cato observed the botnet evolving by switching to the use of Tor domains to become stealthier, possibly prompted by Cato CTRL’s investigation into this campaign.
Once executed, the malware sets up a TLS-encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device. This allows the operator to run shell commands to conduct further RCE and denial of service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system.
Cato CTRL assesses with moderate confidence that this campaign is linked to an Italian-based threat actor, based on the IP address location (2.237.57[.]70) and supported by Italian strings found within the malware binaries. Due to the Italian links, and the targeted TP-Link Archer routers, Cato has named the botnet “Ballista” as a reference to the ancient Roman weapon.
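As an added illustration (not Cato CTRL's code or part of the report), the script below applies two of the indicators described above to constructed Zeek-style conn.log lines: the reported C2 address (read here as the defanged 2.237.57[.]70) and TLS sessions on TCP port 82, which is not a standard TLS port. The log layout, field order and sample addresses are assumptions made for the example.

```python
# Constructed example: triage of Zeek-style conn.log lines against the
# Ballista indicators reported by Cato CTRL (C2 IP and TLS on TCP/82).
# The defanged IP is taken from the report; the log format is assumed.
BALLISTA_C2_IP_DEFANGED = "2.237.57[.]70"
C2_PORT = 82

# Constructed sample log (tab-separated): ts, id.orig_h, id.resp_h,
# id.resp_p, proto, service. Addresses use RFC 5737 documentation ranges.
SAMPLE_CONN_LOG = """\
#fields ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice
1736496000.1\t192.0.2.10\t2.237.57.70\t82\ttcp\tssl
1736496001.2\t192.0.2.11\t198.51.100.5\t443\ttcp\tssl
1736496002.3\t192.0.2.12\t203.0.113.9\t82\ttcp\tssl
1736496003.4\t192.0.2.13\t203.0.113.9\t82\ttcp\thttp
"""


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('2.237.57[.]70', 'hxxp://') to raw form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def triage_conn_log(lines):
    """Return (source_host, reason) for each line matching a Ballista indicator.

    Two checks are applied, in order of confidence:
      1. destination equals the reported C2 address (high confidence);
      2. Zeek identified TLS ('ssl') on TCP port 82, the C2 port the report
         describes, which is unusual enough to merit investigation.
    """
    c2_ip = refang(BALLISTA_C2_IP_DEFANGED)
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        _ts, orig, resp, port, proto, service = line.rstrip("\n").split("\t")
        if resp == c2_ip:
            hits.append((orig, f"connection to reported Ballista C2 {resp}"))
        elif proto == "tcp" and int(port) == C2_PORT and service == "ssl":
            hits.append((orig, "TLS on non-standard port 82 (Ballista C2 pattern)"))
    return hits


if __name__ == "__main__":
    for host, reason in triage_conn_log(SAMPLE_CONN_LOG.splitlines()):
        print(f"{host}: {reason}")
```

Plain HTTP on port 82 (the last sample line) is deliberately not flagged, since the report describes the C2 channel as TLS-encrypted.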