Home / Threat Intelligence bulletins / Condi malware uses exploited TP-Link AX21 to build DDoS botnet

Target Industry

Indiscriminate, opportunistic attacks


A newly emerged malware, first observed in May 2023, has been seen exploiting the known remote code execution (RCE) vulnerability CVE-2023-1389 discovered in March for the TP-Link Archer AX21 to build a distributed denial-of-service (DDoS) botnet to be sold as a service.

The malware works by initially exploiting the known RCE vulnerability, followed by the deletion of the shutdown and restart scripts within the router to prevent mitigation, as the malware has no other known persistence methods. The malware also employs methods for shutting down older versions of Condi and other botnets that may already be running.


Successful execution of the malware could lead to a user’s network being used by threat actors that purchase use of the service for malicious DDoS attacks as part of a campaign on another user or organisation. The DDoS attacks are also implemented for the purposes of causing disruption to target networks.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against threats such as ‘Condi’. EDRs can alert system users of potential breaches and prevent further progress, prior to the malware being able to implement significant damage.

Affected Products

TP-Link Archer AX21 router.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution is implemented which will allow for the prevention or mitigation of potential attacks from a wide range of threats in real time.

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats.

Indicators of Compromise

Condi associated file hashes (SHA256):

  • 091d1aca4fcd399102610265a57f5a6016f06b1947f86382a2bf2a668912554f
  • 291e6383284d38f958fb90d56780536b03bcc321f1177713d3834495f64a3144
  • 449ad6e25b703b85fb0849a234cbb62770653e6518cf1584a94a52cca31b1190
  • 4e3fa5fa2dcc6328c71fed84c9d18dfdbd34f8688c6bee1526fd22ee1d749e5a
  • 509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084
  • 593e75b5809591469dbf57a7f76f93cb256471d89267c3800f855cabefe49315
  • 5e841db73f5faefe97e38c131433689cb2df6f024466081f26c07c4901fdf612
  • cbff9c7b5eea051188cfd0c47bd7f5fe51983fba0b237f400522f22ab91d2772
  • ccda8a68a412eb1bc468e82dda12eb9a7c9d186fabf0bbdc3f24cd0fb20458cc
  • e7a4aae413d4742d9c0e25066997153b844789a1409fd0aecce8cc6868729a15
  • f7fb5f3dc06aebcb56f7a9550b005c2c4fc6b2e2a50430d64389914f882d67cf

Threat Landscape

This exploitation is one of many publicly available DDoS services that allow even non-technical users to employ powerful DDoS attacks on a particular IP address range to disrupt or completely shut down traffic on a network through overloading of requests. These attacks have been prevalent for an extensive period due to their simplicity of execution and effectiveness.

Threat Group

The threat actor group known as Condi has been providing the DDoS botnet as a service and selling the source code of the malware since May 2022.

Mitre Methodologies

Resource Development

T1583.005 – Botnet

T1588.006 – Vulnerabilities


T1499 – Endpoint Denial of Service

Further Information

Condi DDoS Botnet Spreads via TP-Link’s CVE-2023-1389


Intelligence Terminology Yardstick