Broadside Mirai Botnet Targets TBK DVRs in Maritime Logistics
A new Mirai botnet variant known as Broadside has been identified targeting vulnerable TBK Vision digital video recorders (DVRs) used extensively in the maritime logistics sector. Researchers from Cydome discovered that Broadside exploits the command injection vulnerability CVE-2024-3721 in TBK DVR-4104 and DVR-4216 devices, allowing attackers to hijack these systems. The botnet employs advanced techniques such as a custom C2 protocol, a unique Magic Header, and a process-killer module to maintain persistence and evade detection. In addition to supporting UDP-based DDoS attacks, Broadside is capable of stealing sensitive files like /etc/passwd and /etc/shadow, enabling privilege escalation and lateral movement within compromised networks.
The maritime sector is particularly vulnerable due to widespread use of legacy, unpatched systems and a general lack of onboard cybersecurity personnel or monitoring. The Broadside campaign has been active for months, with fluctuating activity observed by researchers. Attackers leverage a mass loader to execute multi-architecture payloads in memory and wipe traces, making detection and remediation challenging. The ongoing exploitation of CVE-2024-3721 by Broadside and other botnets highlights the urgent need for improved security practices and patch management in maritime environments to prevent further compromise and disruption.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers warn of large exposed attack surface for vulnerable DVRs
Reporting on the Broadside activity highlighted that more than 50,000 internet-exposed DVR devices could be targeted through CVE-2024-3721. The warning underscored the scale of potential risk to maritime and other organizations using the affected hardware.
Cydome publishes Broadside findings and indicators of compromise
Researchers at Cydome disclosed the Broadside campaign and released indicators of compromise to help maritime operators detect and mitigate infections. They warned that legacy and unpatched systems in maritime environments make the sector especially vulnerable and recommended patching, network segregation, and updated monitoring.
Broadside campaign targets maritime logistics sector
A Mirai-based botnet variant dubbed Broadside was identified actively targeting maritime logistics organizations through compromised TBK DVR devices. The malware used custom TCP command-and-control, payload polymorphism, process-killing and Netlink-based persistence, and credential theft to support DDoS activity, lateral movement, and potential disruption of vessel operations.
Mirai variants begin exploiting TBK DVR flaw in the wild
Attackers began exploiting CVE-2024-3721 to infect vulnerable TBK DVR devices, with reports indicating the activity had been ongoing for months. Kaspersky also observed a separate Mirai variant abusing the same flaw, with infections concentrated in countries including China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
CVE-2024-3721 disclosed in TBK Vision DVR devices
A command injection vulnerability, tracked as CVE-2024-3721, was identified in TBK DVR-4104 and DVR-4216 devices, including some rebranded models such as CeNova, Night Owl, and QSee. The flaw created an avenue for remote compromise of internet-exposed DVR systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Nexcorium Mirai Variant Exploits TBK DVR Flaw to Build IoT DDoS Botnet
Fortinet and other reporting identified **Nexcorium**, a Mirai-derived malware strain targeting Internet of Things devices, particularly **TBK DVR-4104** and **DVR-4216** video recorder systems used with security cameras. The campaign exploits **`CVE-2024-3721`**, an OS command injection flaw, to run a downloader script that retrieves malware binaries for multiple Linux architectures. Fortinet linked the activity to a suspected actor it calls **Nexus Team**, citing the custom HTTP header `X-Hacked-By: Nexus Team – Exploited By Erratic.` Once installed, Nexcorium uses classic Mirai-style scanner, watchdog, and attack modules, establishes persistence through mechanisms including init, `rc.local`, systemd, and cron, and spreads further through brute-force Telnet activity, default-password abuse, and exploitation of **`CVE-2017-17215`** in Huawei HG532 devices. The malware performs self-checks, replication, and self-deletion to improve resilience and evasion, then connects to the command-and-control domain `r3brqw3d[.]b0ats[.]top` to receive instructions for **DDoS** operations, including UDP, TCP SYN, TCP ACK, SMTP, and VSE query floods.
Apr 22, 2026
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Mar 22, 2026
ShadowV2 Mirai-Based Botnet Exploits IoT Vulnerabilities During AWS Outage
A new Mirai-based botnet variant named **ShadowV2** was observed exploiting a major AWS outage in October to infect IoT devices across 28 countries. Security researchers at Fortinet’s FortiGuard Labs reported that ShadowV2 leveraged at least eight known vulnerabilities in devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK. The botnet propagated rapidly during the day-long AWS disruption, targeting routers, NAS devices, and DVRs in sectors including government, technology, manufacturing, telecommunications, education, and managed security service providers. The attackers used a downloader script (`binary.sh`) to deliver the malware, which then connected to command-and-control infrastructure to receive further instructions. The campaign appeared to be a test run, as the botnet was only active during the AWS outage and did not persist beyond that period. Notably, some of the exploited vulnerabilities, such as `CVE-2024-10914` and `CVE-2024-10915`, affect end-of-life D-Link devices for which no patches are available, leaving many systems permanently exposed. D-Link updated its advisories to warn users about the risks to unsupported devices, while TP-Link addressed one of the flaws with a beta firmware update. The ShadowV2 botnet’s global reach and ability to exploit multiple unpatched IoT vulnerabilities highlight the ongoing risks posed by insecure and unsupported connected devices, especially during periods of widespread internet infrastructure disruption.
Mar 21, 2026