While cybersecurity experts typically focus on Russian and North Korean hackers, a new threat has emerged from an unexpected source: Italy. Cato Networks recently detected a botnet dubbed “Ballista” in January 2025, targeting TP-Link Archer routers through a vulnerability known as CVE-2023-1389. The Italian connection isn’t subtle – researchers found Italian language strings embedded in the malware binaries. Subtle as a brick through a window.
The botnet has already compromised over 6,000 devices worldwide. Not exactly small potatoes. Its operators have shown increasing sophistication, shifting their command and control infrastructure from hard-coded IP addresses to Tor domains. Because nothing says “we’re getting serious” like moving to the dark web.
Ballista’s infection method is straightforward yet effective. It exploits the CVE-2023-1389 vulnerability using a bash script dropper, which then downloads and executes the main malware. The malware establishes an encrypted communication channel on port 82. This vulnerability was first exposed during the Pwn2Own hacker competition in late 2022. Pretty standard stuff, but it works.
Hackers keeping it simple: find vulnerability, drop script, establish backdoor. Why complicate what already works?
What makes this botnet concerning isn’t just its size but its capabilities. Ballista can execute arbitrary commands, read sensitive files, conduct remote code execution, and launch denial-of-service attacks. It even kills previous versions of itself – talk about ruthless efficiency. A systematic risk assessment process could have identified this vulnerability before exploitation, highlighting the importance of proactive security measures.
The attack has hit several sectors hard. Manufacturing, healthcare, services, and tech companies in the US, Australia, China, and Mexico have all fallen victim. Brazil, Poland, the UK, Bulgaria, and Turkey have been particularly affected by this malicious campaign. Not exactly discriminating in its targets.
Organizations can protect themselves by patching vulnerable routers, implementing better IoT security measures, and monitoring for suspicious network activity. But let’s be real – most people don’t even change their default router passwords.
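One way to act on the "monitor for suspicious network activity" advice, as an added example that is not part of the original article or of Cato Networks' research: a small Python checker that reads firewall connection logs and reports internal hosts opening TCP/82 (the port the article names for Ballista's channel) to external addresses. The key=value log format, the timestamps and the addresses are constructed for the example.

```python
"""Flag outbound TCP/82 flows (the C2 port reported for Ballista) in firewall
connection logs. Added example, not code from the article or from Cato Networks."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "key=value" firewall export format.
# 203.0.113.x is an RFC 5737 documentation range standing in for a real external host.
SAMPLE_LOG = """\
2025-01-14T03:12:07Z src=192.168.10.1 dst=203.0.113.45 dport=82 proto=tcp action=allow
2025-01-14T03:12:09Z src=192.168.10.1 dst=203.0.113.45 dport=82 proto=tcp action=allow
2025-01-14T03:15:22Z src=192.168.10.57 dst=198.51.100.9 dport=443 proto=tcp action=allow
2025-01-14T03:16:01Z src=192.168.10.1 dst=192.168.10.200 dport=82 proto=tcp action=allow
2025-01-14T03:18:40Z src=192.168.20.1 dst=203.0.113.77 dport=82 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

C2_PORT = 82  # port the article reports for Ballista's encrypted channel

# RFC 1918 ranges; adjust to the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_port82_c2(log: str) -> dict:
    """Return {src: {dst: count}} for TCP/82 flows from internal hosts to external ones."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse(log):
        if rec["proto"] != "tcp" or int(rec["dport"]) != C2_PORT:
            continue
        if not is_external(rec["dst"]):
            continue  # internal-only port 82 traffic is not the pattern described
        hits[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_port82_c2(SAMPLE_LOG).items():
        print(f"{src}: outbound TCP/82 to {dsts}")
```

Any host this reports, especially one that is itself a router, is a candidate for firmware verification and patching rather than proof of compromise on its own, since port 82 is not reserved for this malware.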
What’s clear is that threat actors are no longer limited to the usual suspect countries. Italy has entered the chat, and they’re not here to share pizza recipes. This development signals a concerning trend: the democratization of sophisticated cyber attacks. Great. Just what we needed.