Stonking New Cyberthreat: The Condi Malware DDoS Botnet on TP-Link AX21 Routers

As we dive into the world of cybersecurity, one recent stonking development has been the emergence of the Condi malware. This malicious software has targeted the popular TP-Link Archer AX21 routers, used widely across homes, small offices, cafes, and shops. The Condi malware exploits a high-severity vulnerability in these routers (CVE-2023-1389) to build an impressive DDoS-as-a-Service botnet, hence causing substantial disruptions in network services.

The Condi botnet is not the first to exploit this vulnerability. The Mirai botnet took advantage of this flaw before Condi, resulting in significant cyberattacks. In a stonking twist, Condi features an innovative mechanism to deal with these overlaps. It can neutralize processes belonging to known competitor botnets, ensuring its dominance and preserving its ability to exploit the targeted routers.

This malware stands out for its unusually aggressive monetization method. The threat actors behind Condi sell the malware’s source code, thereby inviting a multitude of project forks with varying features. This widespread availability of the source code has likely led to the observed experimentation with the malware. Some Condi samples use different flaws to propagate, while others are observed to use a shell script with an Android Debug Bridge (ADB) source, indicating the potential for the botnet to spread through devices with an open ADB port (TCP/5555).

The Condi malware has sophisticated methods for propagation. It scans for public IPs with open ports 80 or 8080 and sends an exploitation request to download and execute a remote shell script that infects the new device. Furthermore, it does not feature a persistence mechanism to survive device reboots. Instead, it is equipped with a wiper for specific files, which prevents the devices from being shut down or restarted.

Regarding its DDoS attack capabilities, the Condi malware exhibits a range of TCP and UDP flood methods similar to those of Mirai. While older samples also contain HTTP attack methods, these seem to have been removed in the latest version.

Owners of the Archer AX21 AX1800 dual-band Wi-Fi 6 router need to be vigilant for signs of an infected device. These signs include device overheating, network disruptions, inexplicable changes in the device’s network settings, and admin user password resets. The latest firmware update that addresses CVE-2023-1389 can be obtained from TP-Link’s downloads center.

In conclusion, the emergence of the Condi malware underscores the importance of staying updated on the latest cybersecurity threats and ensuring that our devices are patched with the latest security updates. As our dependency on digital services continues to grow, so does the significance of maintaining robust cybersecurity practices.


  1. “New Condi malware builds DDoS botnet out of TP-Link AX21 routers” – BleepingComputer
  2. “TP-Link routers targeted by Mirai botnet once again, US government warns” – TechRadar
  3. “Dangerous Condi botnet targets routers with DDoS attacks” – Cybersecurity Insiders