Nexcorium Mirai Variant Exploits TBK DVR Flaw to Build IoT DDoS Botnet
Fortinet and other reporting identified Nexcorium, a Mirai-derived malware strain targeting Internet of Things devices, particularly TBK DVR-4104 and DVR-4216 video recorder systems used with security cameras. The campaign exploits CVE-2024-3721, an OS command injection flaw, to run a downloader script that retrieves malware binaries for multiple Linux architectures. Fortinet linked the activity to a suspected actor it calls Nexus Team, citing the custom HTTP header X-Hacked-By: Nexus Team – Exploited By Erratic.
Once installed, Nexcorium uses classic Mirai-style scanner, watchdog, and attack modules, establishes persistence through mechanisms including init, rc.local, systemd, and cron, and spreads further through brute-force Telnet activity, default-password abuse, and exploitation of CVE-2017-17215 in Huawei HG532 devices. The malware performs self-checks, replication, and self-deletion to improve resilience and evasion, then connects to the command-and-control domain r3brqw3d[.]b0ats[.]top to receive instructions for DDoS operations, including UDP, TCP SYN, TCP ACK, SMTP, and VSE query floods.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Akamai identifies tuxnokill botnet exploiting D-Link DIR-823X routers
Akamai documented a new Mirai-related botnet variant called 'tuxnokill' spreading via CVE-2025-29635 in D-Link DIR-823X routers. The campaign also probed TP-Link and ZTE devices through additional known vulnerabilities, showing parallel targeting of multiple IoT platforms.
Unit 42 spots Condi-linked exploitation attempts on TP-Link routers
Palo Alto Networks Unit 42 reported automated, but flawed, attempts to exploit CVE-2023-33538 in unsupported TP-Link Wi-Fi routers to deploy Mirai-like malware containing references to 'Condi.' The activity highlighted continued targeting of end-of-life IoT devices alongside the Nexcorium campaign.
Fortinet publishes detections and blocking coverage for Nexcorium campaign
Fortinet disclosed that its antivirus, web filtering, IPS, and anti-botnet services detect the malware, block its command-and-control infrastructure, and identify exploitation attempts against CVE-2024-3721. This marked the public defensive response accompanying disclosure of the campaign.
Researchers identify Nexcorium C2 and DDoS botnet functionality
Analysis showed Nexcorium establishing persistence through init, rc.local, systemd, and cron, then connecting to the command-and-control domain r3brqw3d.b0ats.top. The malware was found to support multiple DDoS flood methods, including UDP, TCP SYN, TCP ACK, SMTP, and VSE query floods.
FortiGuard attributes Nexcorium activity to suspected 'Nexus Team'
FortiGuard Labs linked the campaign to a suspected threat actor it calls 'Nexus Team,' citing the custom HTTP header 'X-Hacked-By: Nexus Team – Exploited By Erratic' seen in the activity. The attribution connected the Mirai-variant botnet operations to a named actor cluster.
Nexcorium expands via Telnet brute force and Huawei HG532 exploitation
The Nexcorium botnet was observed propagating beyond the initial DVR compromise by using brute-force Telnet attacks and exploiting CVE-2017-17215 in Huawei HG532 devices. This showed the campaign was designed to spread across multiple IoT device types and architectures.
Attackers exploit CVE-2024-3721 in TBK DVR devices to deploy Nexcorium
A campaign began abusing CVE-2024-3721, an OS command injection flaw in TBK DVR-4104 and DVR-4216 devices, to execute a downloader script and install a multi-architecture Mirai variant later identified as Nexcorium. The malware targeted vulnerable IoT video recording devices as an initial foothold for botnet growth.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security
helpnetsecurity.com
Open sourceHackers Use CVE-2024-3721 to Infect TBK DVRs With Nexcorium DDoS Malware
cybersecuritynews.com
Open sourceTracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | Community Portal | Gurucul
community.gurucul.com
Open sourceNexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks
securityaffairs.com
Open sourceNew Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations
cybersecuritynews.com
Open sourceMirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
thehackernews.com
Open sourceNexcorium malware targets IoT devices, leverages Mirai variant for DDoS attacks | brief | SC Media
scworld.com
Open sourceTracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs
fortinet.com
Open sourceTracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs
feeds.fortinet.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Mar 22, 2026
Broadside Mirai Botnet Targets TBK DVRs in Maritime Logistics
A new Mirai botnet variant known as **Broadside** has been identified targeting vulnerable *TBK Vision* digital video recorders (DVRs) used extensively in the maritime logistics sector. Researchers from Cydome discovered that Broadside exploits the command injection vulnerability `CVE-2024-3721` in TBK DVR-4104 and DVR-4216 devices, allowing attackers to hijack these systems. The botnet employs advanced techniques such as a custom C2 protocol, a unique Magic Header, and a process-killer module to maintain persistence and evade detection. In addition to supporting UDP-based DDoS attacks, Broadside is capable of stealing sensitive files like `/etc/passwd` and `/etc/shadow`, enabling privilege escalation and lateral movement within compromised networks. The maritime sector is particularly vulnerable due to widespread use of legacy, unpatched systems and a general lack of onboard cybersecurity personnel or monitoring. The Broadside campaign has been active for months, with fluctuating activity observed by researchers. Attackers leverage a mass loader to execute multi-architecture payloads in memory and wipe traces, making detection and remediation challenging. The ongoing exploitation of `CVE-2024-3721` by Broadside and other botnets highlights the urgent need for improved security practices and patch management in maritime environments to prevent further compromise and disruption.
Mar 21, 2026
Mirai Variant Exploits Multiple IoT Flaws to Expand Botnet Infections
Palo Alto Networks Unit 42 reported that a new **Mirai** campaign is targeting internet-exposed IoT devices by chaining multiple known exploits to compromise systems and pull them into a botnet. The activity focuses on broad opportunistic scanning and exploitation, continuing Mirai’s long-running pattern of abusing weakly secured embedded devices such as routers, cameras, and other Linux-based appliances. The campaign’s significance lies in its use of several IoT vulnerabilities rather than a single flaw, increasing the number of devices that can be infected and used for follow-on malicious activity such as distributed denial-of-service (**DDoS**) attacks. The report highlights the ongoing risk from unpatched and publicly reachable IoT infrastructure, underscoring the need for rapid patching, exposure reduction, and stronger hardening of embedded systems connected to the internet.
May 25, 2026