broadside

Also known asBroadside

Broadside is a Mirai botnet variant identified by Cydome Research Team as active in the wild and targeting the maritime logistics sector. The campaign exploits CVE-2024-3721, a critical remote command injection flaw in TBK DVR-4104 and DVR-4216 digital video recording devices via the /device.rsp HTTP POST endpoint. According to the provided content, the activity has been ongoing for several months and was discovered while monitoring marine assets. Broadside establishes persistence using Netlink-based process monitoring, which the content describes as a divergence from standard Mirai through the use of Netlink kernel sockets for stealthy, event-driven process monitoring. It also attempts to harvest system credential files to support privilege escalation and lateral movement. The botnet dynamically terminates and blacklists competing processes on infected devices, uses high-rate UDP flooding with payload polymorphism to evade static defenses, and communicates with command-and-control infrastructure using a custom protocol over TCP/1026 with fallback on TCP/6969. The content states that Broadside particularly threatens maritime operators because of legacy and unpatched systems, limited onboard cybersecurity personnel, and weak security monitoring, allowing infections to persist undetected for months. Its activity can exhaust expensive satellite bandwidth and disrupt vessel operations. No additional aliases or sub-groups are provided in the content beyond the name Broadside.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

maritime

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

securityaffairsNews

Dec 14, 2025

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 75

Broadside is a new Mirai botnet variant active in the wild, likely used for large-scale DDoS attacks.

dark readingNews

Dec 8, 2025

‘Broadside’ Mirai Variant Targets Maritime Logistics Sector

Broadside is a Mirai botnet variant targeting the maritime logistics sector by exploiting a critical vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 devices. It uses command injection to hijack devices, achieve persistence, move laterally, and conduct high-rate UDP flooding attacks. The campaign is active and leverages advanced techniques for stealth and evasion.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.