Cybersecurity experts have uncovered a new variant of the notorious Mirai botnet, identified as Nexcorium, exploiting vulnerabilities in TBK DVR devices. This revelation comes from research conducted by Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack leverages a security flaw, CVE-2024-3721, within TBK DVR-4104 and DVR-4216 devices to infiltrate systems and deploy the malware.
Exploitation of IoT Vulnerabilities
IoT devices are increasingly targeted due to their widespread deployment and often lax security measures. According to security researcher Vincent Li, these devices are vulnerable to large-scale attacks, primarily due to insufficient patching and weak security configurations. Threat actors exploit known vulnerabilities to gain initial access, allowing them to deploy malware for persistent and widespread distributed denial-of-service (DDoS) attacks.
This vulnerability has been previously exploited to deploy Mirai variants and the RondoDox botnet. In September 2025, CloudSEK reported a loader-as-a-service botnet distributing various malware, including RondoDox and Mirai, through weak credentials in routers and IoT devices.
Nexcorium’s Advanced Features
The attack chain exploits CVE-2024-3721 to run a downloader script, which then launches the botnet payload built for the target system’s architecture. On execution, the malware prints a takeover message from ‘nexuscorp.’ Nexcorium’s structure closely mirrors Mirai’s, with modules for configuration table initialization, DDoS attacks, and a watchdog.
The malware also exploits CVE-2017-17215 to target Huawei HG532 devices and brute-forces Telnet logins with a hard-coded credential list. After a successful login, it establishes persistence through crontab and systemd and connects to external servers to receive DDoS commands. To hinder detection, it removes its original binary once installed.
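A defender-side triage heuristic for the behaviour just described (persistence via crontab and systemd, original binary removed after install), added here as an example and not part of the original report. The /proc exe targets, crontab lines and unit body are constructed samples, and the list of suspect scratch directories is an assumption.

```python
import re

# Constructed sample: pid -> target of readlink("/proc/<pid>/exe").
SAMPLE_PROC_EXE = {
    1: "/usr/lib/systemd/systemd",
    412: "/usr/sbin/sshd",
    2731: "/tmp/.x86 (deleted)",        # bot still running after unlinking itself
    2802: "/var/run/arm7 (deleted)",
    2900: "/dev/shm/.mips (deleted)",   # deleted but never scheduled: weaker signal
}
# Constructed crontab lines and systemd unit body (the persistence mechanisms named above).
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "@reboot /tmp/.x86 >/dev/null 2>&1",
    "*/5 * * * * /var/run/arm7",
]
SAMPLE_UNIT = "[Service]\nExecStart=/var/run/arm7\nRestart=always\n"
# Assumed: writable scratch locations that legitimate services are not installed from.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")

def deleted_binaries(proc_exe):
    """Pids whose executable was removed from disk while the process kept running."""
    return sorted(pid for pid, t in proc_exe.items() if t.endswith(" (deleted)"))

def cron_program(line):
    """Extract the program path from a crontab line (5 time fields or an @-keyword)."""
    fields = line.split(None, 1 if line.startswith("@") else 5)
    return fields[-1].split()[0] if len(fields) > 1 else ""

def scheduled_programs(cron_lines, unit_text):
    """Programs launched by cron or a systemd ExecStart= from a suspect directory."""
    progs = {cron_program(l) for l in cron_lines}
    progs.update(re.findall(r"^ExecStart=(\S+)", unit_text, re.MULTILINE))
    return {p for p in progs if p.startswith(SUSPECT_DIRS)}

def triage(proc_exe, cron_lines, unit_text):
    """Correlate the signals: a deleted-binary process is noisy on its own (package
    upgrades cause it), but one also re-launched by cron/systemd from scratch space
    matches the install-then-unlink pattern and is reported."""
    running_deleted = {proc_exe[p].removesuffix(" (deleted)") for p in deleted_binaries(proc_exe)}
    return sorted(running_deleted & scheduled_programs(cron_lines, unit_text))

if __name__ == "__main__":
    print(triage(SAMPLE_PROC_EXE, SAMPLE_CRONTAB, SAMPLE_UNIT))
```

On a live host the same functions can be fed from os.readlink over /proc, the user and system crontabs, and unit files under /etc/systemd/system.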
Continued Threats to Network Security
Unit 42 has also identified automated scans attempting to exploit another vulnerability, CVE-2023-33538, in outdated TP-Link routers. Although these attempts are flawed, they highlight the ongoing threat posed by legacy devices. This vulnerability, added to CISA’s Known Exploited Vulnerabilities catalog, affects several TP-Link models.
The compromised routers are susceptible to a Mirai-like botnet, with code referencing ‘Condi’ and capabilities to self-update and act as a web server for spreading infections. Given the end-of-life status of these routers, users are advised to upgrade to newer models and change default credentials.
Security researchers emphasize that default credentials in IoT devices remain a persistent risk that will continue to shape the cybersecurity landscape: this weakness can turn an otherwise minor flaw into a critical security breach.
