Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
UNC6692 Hackers Deploy SNOW Malware via Microsoft Teams Helpdesk Impersonation
July 9, 2026
Bridging Threat Intelligence to SOC Action: A Guide for Security Teams
July 9, 2026
Foxit PDF Reader & Editor Patches 20 Critical RCE Flaws
July 9, 2026
Home/CyberSecurity News/Mirai Variant Exploits TBK DVR Vulnerability to Expand Botnet
CyberSecurity News

Mirai Variant Exploits TBK DVR Vulnerability to Expand Botnet

Key Takeaways A new Mirai variant, dubbed Nexcorium, is actively exploiting a critical command injection vulnerability in TBK DVR devices. The vulnerability, identified as CVE-2024-3721, affects TBK...

Marcus Rodriguez
Marcus Rodriguez
April 18, 2026 3 Min Read
39 0

Key Takeaways

  • A new Mirai variant, dubbed Nexcorium, is actively exploiting a critical command injection vulnerability in TBK DVR devices.
  • The vulnerability, identified as CVE-2024-3721, affects TBK DVR-4104 and DVR-4216 models, allowing attackers to gain control and integrate them into a DDoS botnet.
  • Attributed to the “Nexus Team,” the malware uses a sophisticated modular architecture, brute-forcing, and multiple persistence mechanisms to maintain control over compromised IoT devices.
  • The primary goal of Nexcorium is to launch various types of Distributed Denial-of-Service (DDoS) attacks.
  • Organizations must patch CVE-2024-3721 immediately, change default credentials, and implement network segmentation to protect vulnerable IoT endpoints.

A sophisticated new variant of the Mirai botnet, named Nexcorium, is aggressively targeting internet-connected digital video recorders (DVRs), according to recent findings from Fortinet’s FortiGuard Labs. Threat actors are leveraging a known command injection vulnerability to hijack TBK DVR systems, effectively conscripting them into a large-scale Distributed Denial-of-Service (DDoS) botnet.

Table Of Content

  • Key Takeaways
  • Technical Capabilities and Infection Mechanisms
  • Modular Architecture and Propagation
  • Persistence Mechanisms
  • DDoS Capabilities
  • What You Should Do

Fortinet researchers have pinpointed the campaign’s focus on TBK DVR-4104 and DVR-4216 models. The core of the attack exploits CVE-2024-3721, an OS command injection flaw. This vulnerability enables attackers to inject and execute a downloader script by manipulating specific arguments within the device’s system.

During the exploitation phase, network traffic reveals a distinctive custom HTTP header: “X-Hacked-By: Nexus Team – Exploited By Erratic.” This unique identifier has led FortiGuard Labs to attribute the campaign to a relatively unknown group, now identified as the “Nexus Team.”

Upon successful execution, the downloader script retrieves multi-architecture payloads compatible with ARM, MIPS, and x86-64 environments. A console message, “nexuscorp has taken control,” then appears, confirming the compromise.

Technical Capabilities and Infection Mechanisms

Fortinet’s in-depth analysis indicates that Nexcorium shares fundamental architectural elements with previous Mirai variants, including the use of XOR-encoded configurations and a modular design. The malware’s operational strategy relies on several key mechanisms:

Modular Architecture and Propagation

  • Modular Design: Nexcorium incorporates standard Mirai features, such as a watchdog module to manage sub-processes, a scanner for network propagation, and an attacker module designed for DDoS execution.
  • Legacy Exploit Integration: To broaden its infection scope, Nexcorium also integrates the older CVE-2017-17215 vulnerability, known to affect Huawei router devices.
  • Aggressive Brute-Forcing: The malware initiates Telnet-based brute-force attacks against other networked hardware, utilizing a hardcoded list of common and default credentials.
  • Self-Preservation: Nexcorium employs FNV-1a hashing algorithms to verify its integrity. If the binary is found to be altered or unreadable, it dynamically duplicates itself under a new filename to evade detection and maintain operation.

Persistence Mechanisms

To ensure long-term access to compromised systems, Nexcorium establishes persistence through four distinct mechanisms, avoiding reliance on a single point of failure. The botnet secures its foothold by:

  • Modifying /etc/inittab to ensure the malware process automatically restarts if terminated.
  • Updating /etc/rc.local to guarantee execution during the device’s system startup sequence.
  • Creating a dedicated systemd service, named persist.service, for persistent background operation.
  • Planting scheduled tasks via crontab for reliable execution following a device reboot.

After establishing this comprehensive setup, Fortinet observed that Nexcorium deletes its original binary from the execution path, a tactic designed to hinder forensic analysis by security professionals.

DDoS Capabilities

The primary objective of the Nexus Team’s campaign is to launch devastating DDoS attacks. Based on FortiGuard Labs’ decryption of the malware’s configuration table, Nexcorium communicates with a centralized command-and-control (C2) server to receive attack directives.

The botnet is equipped with a versatile arsenal of flood techniques, indicating a broad attack scope. These include standard UDP, TCP ACK, TCP SYN, SMTP, and TCP PSH floods, alongside specialized attack vectors such as VSE query floods and UDP blast attacks.

The emergence of Nexcorium underscores the ongoing risk posed by the weaponization of legacy IoT devices. Security experts strongly advise organizations to take immediate action.

What You Should Do

  • Patch Immediately: Apply available patches for CVE-2024-3721 on all affected TBK DVR-4104 and DVR-4216 models.
  • Change Default Credentials: Replace all default manufacturer credentials with strong, unique passwords for all IoT devices.
  • Implement Network Segmentation: Isolate critical infrastructure from vulnerable IoT endpoints using network segmentation to limit potential lateral movement by attackers.
  • Monitor Network Traffic: Implement robust network monitoring to detect unusual activity or outbound connections from IoT devices.
  • Disable Unnecessary Services: Turn off any unneeded ports or services on IoT devices to reduce the attack surface.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitMalwarePatchSecurityThreatVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical FortiSandbox RCE Vulnerability CVE-2023-34981 Gets Public Exploit

Next Post

Fiverr Exposes User Data to Google Indexing

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Meta’s Muse AI Tool Exposes Instagram User Photos to the Public
July 9, 2026
HalluSquatting Attack Poisons AI Coding Assistants to Install Botnet Malware
July 9, 2026
QR Code Phishing Attacks Steal Credentials and Deliver Malware
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us