Club Benefits
You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Daily (Mon-Sun)
Tom's Guide Daily
Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.
Weekly on Thursday
Tom's AI Guide
Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!
Weekly on Friday
Tom's iGuide
Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.
Weekly on Monday
Tom's Streaming Guide
Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.
Join the club
Get full access to premium articles, exclusive features and a growing list of member rewards.
A new botnet campaign is exploiting a high-severity security flaw in unpatched TP-Link routers and has already spread to more than 6,000 devices.
According to a new report from the Cato CTRL team, the Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router.
Ballista’s most recent exploitation attempt was February 17, 2025 and Cato CTRL first detected it on January 10, 2025.
How does Ballista attack
The attack sequence is as follows: it starts with a malware dropper, then a shell script designed to fetch and execute the main binary on the target system for various system architectures. When executed, the malware establishes a command-and-control (C2) channel on port 82 to take control of the device.
This allows the malware to run shell commands to conduct further remote code execution and Denial of Service (DoS) attacks; it will also attempt to read sensitive files on the system.
Supported commands include flooder (triggers a flood attack), exploiter (which exploits CVE-2023-1389), start (an optional parameter used with the exploiter to start the module), close (stops the module triggering function), shell (runs a Linux shell command on the local system) and killall (used to terminate the service).
The Ballista malware is additionally capable of terminating previous instances of itself – and erasing its own presence once execution begins. It’s designed to spread to other routers by attempting to exploit the flaw.
Since both the IP address and language used have an Italian base, the cybersecurity researchers have suggested that the threat actor is of an unknown Italian origin. However, the initial IP address used is no longer functional having been replaced by a new variant utilizing TOR network domains. This all indicates that the malware is under active development.
How to patch your TP-Link router
Since updating your router is every bit as important as updating the apps and operating system on your phone, you should make sure to install the recommended patch for your TP-Link Archer AX-21 router immediately. Regularly patching your router and making sure the firmware is up-to-date will keep your device as secure as possible which is important as routers are often one of the most frequently hacked technologies in the home.
You can see all the details about the firmware download on the TP-Link page which provides full details about how to upgrade including an FAQ and a setup video.
More from Tom's Guide
- Over 1 million Android devices infected with password-stealing, pre-installed botnet malware — how to stay safe
- Hackers are using reCAPTCHA to trick users into infecting their own PCs with malware — how to stay safe
- Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
