The newly emergent Ballista botnet has compromised more than 6,000 TP-Link Archer AX-21 routers affected by the high-severity remote code execution flaw tracked as CVE-2023-1389, as part of an attack campaign first detected in January, The Hacker News reports.
Manufacturing, technology, and healthcare organizations in the U.S., Mexico, China, and Australia have been targeted by the intrusions, according to Cato Networks' CTRL Threat Research team. The attack chain involves a malware loader that deploys the primary binary, which establishes encrypted command-and-control and executes commands enabling flood attacks, Linux shell command injection, and service termination.
The botnet is believed to be operated by an Italy-based threat actor, based on its IP address and the presence of Italian strings in the malware binaries, said researchers, who noted that the malicious payload is still under active development. "While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi," researchers added.