
Ethical Hacking News

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet, Furthering the Threat Landscape of IoT Security




Threat actors have exploited security flaws in TBK DVR and EoL TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices. The attack targets TBK DVR devices and leverages the CVE-2024-3721 vulnerability, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices. Read more about this emerging threat and its implications for IoT security.



  • Threat actors are exploiting the CVE-2024-3721 vulnerability in TBK DVR devices, and flaws in EoL TP-Link Wi-Fi routers, to deploy Mirai-botnet variants.
  • The attack targets TBK DVR-4104 and DVR-4216 digital video recording devices; the malware shares Mirai's architecture, including XOR-encoded configuration table initialization.
  • The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices in the network.
  • The Nexcorium malware displays a "nexuscorp has taken control" message and establishes persistence on the device using crontab and systemd service.
  • The malware connects to an external server to await commands for launching DDoS attacks over UDP, TCP, and SMTP.
  • Fortinet's analysis reveals that Nexcorium displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods.
  • The attack uses known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities to increase its infection reach.



    Threat actors have recently been identified as exploiting security flaws in TBK DVR and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices. According to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, the attack targets TBK DVR devices and leverages the CVE-2024-3721 vulnerability, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices.

    The Mirai variant, dubbed Nexcorium, shares Mirai's architecture, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices in the network and incorporates a list of hard-coded usernames and passwords used for brute-force attacks against the victim's other hosts over Telnet.

    Upon successful execution of the malware, it displays a message stating "nexuscorp has taken control" and establishes persistence on the device using crontab and systemd service. The malware then connects to an external server to await commands for launching DDoS attacks over UDP, TCP, and SMTP. Furthermore, the Nexcorium malware deletes the original downloaded binary to evade analysis.
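The persistence and anti-analysis traits just described (crontab and systemd entries, and a binary deleted after launch) are the kind a defender can hunt for on a Linux-based DVR or router. The following script is an added example, not code from the article or from Fortinet or Unit 42; it runs the three checks over constructed sample data (no real indicators from the campaign) and goes slightly beyond the text by also flagging any cron or systemd entry that launches from a temp directory.

```python
import re
from dataclasses import dataclass

# Directories a legitimate service on an embedded Linux box should not be launched from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/data/local/tmp/")

@dataclass
class Finding:
    source: str   # "cron", "systemd" or "proc"
    detail: str

def _suspicious_path(cmd: str) -> bool:
    return any(d in cmd for d in SUSPICIOUS_DIRS)

def audit_crontab(text: str) -> list[Finding]:
    """Flag cron entries that re-launch at boot or run from a temp directory."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@reboot") or _suspicious_path(line):
            out.append(Finding("cron", line))
    return out

def audit_systemd_unit(name: str, text: str) -> list[Finding]:
    """Flag units whose ExecStart points into a temp directory."""
    out = []
    for m in re.finditer(r"^ExecStart\s*=\s*(.+)$", text, re.M):
        if _suspicious_path(m.group(1)):
            out.append(Finding("systemd", f"{name}: {m.group(1).strip()}"))
    return out

def audit_proc_exe(exe_links: dict[int, str]) -> list[Finding]:
    """The kernel appends ' (deleted)' to the /proc/<pid>/exe link target when a
    running process's binary has been unlinked from disk, as Nexcorium does."""
    return [Finding("proc", f"pid {pid} -> {t}") for pid, t in exe_links.items()
            if t.endswith(" (deleted)")]

# Constructed sample inputs (hypothetical paths, not real IoCs from the campaign).
SAMPLE_CRON = "# m h dom mon dow cmd\n0 * * * * /usr/bin/logrotate\n@reboot /tmp/.x/svc\n"
SAMPLE_UNIT = "[Service]\nExecStart=/dev/shm/svc --daemon\nRestart=always\n"
SAMPLE_PROC = {1: "/sbin/init", 4242: "/tmp/.x/svc (deleted)", 80: "/usr/sbin/sshd"}

def run_audit() -> list[Finding]:
    return (audit_crontab(SAMPLE_CRON) + audit_systemd_unit("svc.service", SAMPLE_UNIT)
            + audit_proc_exe(SAMPLE_PROC))

if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.detail}")
```

On a live host the same functions would be fed the contents of /etc/crontab and the per-user crontabs, each unit file under /etc/systemd/system, and the readlink target of every /proc/<pid>/exe.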

    Fortinet's analysis reveals that the Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. The use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.

    The development comes as Unit 42 detected active, automated scans and probes attempting to exploit CVE-2023-33538 (CVSS score: 8.8), a command injection vulnerability impacting EoL TP-Link wireless routers, albeit using a flawed approach that doesn't result in a successful compromise.

    Additionally, the security flaw was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog in June 2025. The vulnerability affects the following models:

    * TL-WR940N v2 and v4
    * TL-WR740N v1 and v2
    * TL-WR841N v8 and v10

    The attacks, in this case, attempt to deploy a Mirai-like botnet malware, with the source code featuring numerous references to the string "Condi." It also comes equipped with the ability to update itself with a newer version and act as a web server to spread the infection to other devices that connect to it.

    Given that the affected TP-Link devices are no longer actively supported, users are advised to replace them with a newer model and ensure that default credentials are not used. The threat landscape of IoT security continues to be shaped by the persistent risk of default credentials in IoT devices, which can turn a limited, authenticated vulnerability into a critical entry point for determined attackers.

    The use of known exploits, such as CVE-2024-3721 and CVE-2017-17215, highlights the need for continued vigilance in the face of emerging threats. As threat actors continue to adapt and evolve their tactics, it is essential that IoT device manufacturers prioritize security updates and patching to prevent exploitation of these vulnerabilities.

    In conclusion, the recent exploitation of CVE-2024-3721 in TBK DVR devices by the Mirai-botnet variant dubbed Nexcorium underscores the ongoing threat landscape of IoT security. The use of known exploits and extensive brute-force capabilities highlights the adaptability and efficacy of modern botnets in increasing their infection reach.

    The importance of prioritizing security updates and patching cannot be overstated, particularly for devices that are no longer actively supported by manufacturers. Users are advised to take proactive measures to protect themselves against these types of threats, including replacing affected devices with newer models and ensuring that default credentials are not used.

    As the threat landscape continues to evolve, it is essential that IoT device manufacturers prioritize security updates and patching to prevent exploitation of emerging vulnerabilities. Only through continued vigilance and proactive measures can we mitigate the impact of these threats and ensure a safer digital environment for all.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Mirai-Variant-Nexcorium-Exploits-CVE-2024-3721-to-Hijack-TBK-DVRs-for-DDoS-Botnet-Furthering-the-Threat-Landscape-of-IoT-Security-ehn.shtml

  • https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html

  • https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign

  • https://nvd.nist.gov/vuln/detail/CVE-2024-3721

  • https://www.cvedetails.com/cve/CVE-2024-3721/

  • https://nvd.nist.gov/vuln/detail/CVE-2017-17215

  • https://www.cvedetails.com/cve/CVE-2017-17215/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-33538

  • https://www.cvedetails.com/cve/CVE-2023-33538/


  • Published: Sat Apr 18 02:33:35 2026 by llama3.2 3B Q4_K_M
