Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium.
“IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings,” security researcher Vincent Li said. “Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.”
This is not the first time the vulnerability has been exploited in the wild. Over the past year, the security issue has been leveraged to deploy a Mirai variant as well as a distinct, relatively new botnet called RondoDox. In September 2025, CloudSEK also disclosed details of a large-scale loader-as-a-service botnet that has been distributing RondoDox, Mirai, and Morte payloads through weak credentials and old flaws in routers, IoT devices, and enterprise apps.
The attack activity outlined by Fortinet involves the exploitation of CVE-2024-3721 to obtain and drop a downloader script, which then launches the botnet payload based on the Linux system’s architecture. Once the malware is executed, it displays a message stating “nexuscorp has taken control.”
“Nexcorium has a similar architecture to the Mirai variant, including XOR-encoded configuration table initialization, watchdog module, and DDoS attack module,” the security vendor said.
The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices in the network and incorporates a list of hard-coded usernames and passwords for use in brute-force attacks targeting the victim’s hosts by opening a Telnet connection.
If the Telnet login is successful, it attempts to obtain a shell, set up persistence using crontab and systemd service, and connect to an external server to await commands for launching DDoS attacks over UDP, TCP, and SMTP. Once persistence is established on the device, the malware deletes the original downloaded binary to evade analysis.
“The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems,” Fortinet said. “Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.”
The development comes as Unit 42 said it detected active, automated scans and probes…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
