Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Palo Alto Networks Patches Critical PAN-OS Vulnerability CVE-2024-3400 for RCE
July 9, 2026
Accenture Confirms Data Breach, Stolen Source Code
July 9, 2026
AI Tools Claude, Cursor, and Codex Trigger Endpoint Security Rules
July 9, 2026
Home/Threats/Critical TBK DVR vulnerability CVE-2024-3721 lets attackers install Nexcorium DDoS malware
Threats

Critical TBK DVR vulnerability CVE-2024-3721 lets attackers install Nexcorium DDoS malware

Key Takeaways A new botnet, Nexcorium, is actively exploiting a critical vulnerability (CVE-2024-3721) in TBK DVRs. The flaw allows unauthenticated remote code execution, turning vulnerable TBK...

Emy Elsamnoudy
Emy Elsamnoudy
April 20, 2026 4 Min Read
33 0

Key Takeaways

  • A new botnet, Nexcorium, is actively exploiting a critical vulnerability (CVE-2024-3721) in TBK DVRs.
  • The flaw allows unauthenticated remote code execution, turning vulnerable TBK DVR-4104 and DVR-4216 models into DDoS weapons.
  • Nexcorium, a Mirai variant, also targets end-of-life TP-Link routers (CVE-2017-17215) to expand its botnet.
  • No patch is available for the affected TBK DVRs, which are considered end-of-life, necessitating immediate replacement.

Nexcorium Botnet Exploits Critical Flaw in End-of-Life TBK DVRs

A sophisticated new botnet campaign is leveraging a critical vulnerability in TBK digital video recorders (DVRs) to deploy Nexcorium, a potent Mirai-based malware designed for large-scale distributed denial-of-service (DDoS) attacks. This operation actively targets vulnerable devices, transforming them into nodes within a rapidly expanding attack infrastructure.

Table Of Content

  • Key Takeaways
  • Nexcorium Botnet Exploits Critical Flaw in End-of-Life TBK DVRs
  • Exploitation and Malware Deployment
  • Expanding the Botnet: Dual-Target Strategy
  • How Nexcorium Establishes Persistence and Evades Removal
  • What You Should Do

The central vulnerability, identified as CVE-2024-3721, carries a CVSS score of 6.3. It specifically impacts TBK DVR-4104 and DVR-4216 models, which are particularly susceptible due to their outdated firmware and prevalent use of weak default credentials. These devices are frequently deployed in environments such as small businesses, retail stores, and surveillance systems, where security updates are often neglected.

Exploitation and Malware Deployment

Attackers exploit exposed TBK DVRs by sending a specially crafted HTTP request to the /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ endpoint. This request enables operating system command injection without requiring any authentication, granting the attacker immediate remote code execution capabilities on the device. Once compromised, the DVR is co-opted into the botnet, becoming an unwitting participant in coordinated DDoS operations.

Researchers at Fortinet’s FortiGuard Labs meticulously analyzed this campaign, detailing the full infection chain from initial exploitation to payload delivery and persistence. Their findings confirm that Nexcorium shares fundamental architectural elements with the original Mirai botnet, including an XOR-encoded configuration table, a robust watchdog module to ensure continuous operation, and a dedicated DDoS attack module.

Upon successful execution, the malware displays the message “nexuscorp has taken control,” a deliberate signature embedded by the threat actors to assert their presence on the infected system, according to Fortinet.

Expanding the Botnet: Dual-Target Strategy

The Nexcorium campaign extends beyond just TBK DVRs. Researchers have also observed it targeting end-of-life TP-Link Wi-Fi routers by exploiting CVE-2017-17215. This dual-target approach highlights a strategic effort to build a diverse and geographically distributed botnet by compromising hardware that is unlikely to receive security patches or be replaced by users.

The combined reach of these device types creates a formidable attack infrastructure capable of generating massive traffic floods against online services, businesses, and critical infrastructure. Since these compromised devices typically operate continuously and possess legitimate IP addresses, the resulting botnet traffic often evades conventional filtering systems, making Nexcorium-driven attacks particularly challenging to mitigate.

How Nexcorium Establishes Persistence and Evades Removal

Once Nexcorium infiltrates a TBK DVR, it executes a carefully orchestrated infection sequence designed to maintain its presence even through reboots or attempts at manual removal. The initial exploitation of CVE-2024-3721 triggers the download of a script that identifies the underlying Linux system’s processor architecture. This allows the malware to retrieve the correct compiled binary variant, ensuring compatibility across a wide array of IoT hardware.

After deployment, Nexcorium employs multiple persistence mechanisms to survive reboots and termination attempts. Fortinet researchers noted that the malware establishes a command-and-control (C2) communication channel, enabling operators to issue DDoS commands, monitor victim status, and push additional instructions. A watchdog process further reinforces persistence by continuously monitoring the main payload, automatically restarting it if its execution is interrupted.

A notable self-protection feature identified by Fortinet is Nexcorium’s use of FNV-1a hashing algorithms to verify its own binary integrity. If the file on disk is corrupted or altered, the malware dynamically copies itself to a new filename, restoring its presence. Furthermore, Nexcorium actively propagates by launching aggressive Telnet-based brute-force attacks against other devices on the same network and beyond, utilizing a hardcoded list of common default credentials.

What You Should Do

  • Replace End-of-Life Devices: Immediately replace TBK DVR-4104 and DVR-4216 devices. The vendor has not issued a patch for CVE-2024-3721, rendering these models permanently vulnerable.
  • Update or Replace Routers: Retire and replace any TP-Link routers running outdated firmware susceptible to CVE-2017-17215. Ensure all network hardware is updated to supported versions with the latest security patches.
  • Strengthen Credentials: Implement strong, unique passwords for all internet-facing IoT devices. Avoid using factory default credentials, which Nexcorium’s brute-force module actively targets.
  • Network Segmentation: Isolate DVRs and other surveillance hardware from critical internal systems through network segmentation. This limits potential damage if a device is compromised.
  • Disable Remote Access: Where external connectivity is not strictly necessary, disable remote access to DVR management interfaces to reduce the attack surface.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitHackerMalwarePatchSecurityThreatVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Flowise Critical RCE Vulnerability CVE-2024-5264 in MCP Adapters

Next Post

NIST NVD Overhaul: Risk-Based Prioritization Addresses 263% CVE Surge

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
July 8, 2026
Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers
July 8, 2026
Fake Indian Tax Notices Deliver Dual RAT Malware
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us