Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
These articles are AI-generated summaries. Please check the original sources for full details.
Security researchers from Fortinet and Unit 42 have identified active exploitation of vulnerability CVE-2024-3721 in TBK DVR-4104 and DVR-4216 devices. The attack deploys Nexcorium, a Mirai-based botnet that carries XOR-encoded configuration tables and establishes persistence via crontab and systemd.
Why This Matters
Legacy vulnerabilities that persist in IoT devices turn unpatched hardware into a permanent staging ground for botnets. While ideal security models assume timely patching, end-of-life hardware such as the TP-Link WR940N/WR740N models means vulnerabilities like CVE-2023-33538 remain exploitable indefinitely. This architectural gap lets malware evolve from simple scripts into loaders-as-a-service, scaling DDoS capacity across diverse Linux architectures with little friction.
Key Insights
- Nexcorium uses XOR-encoded configuration tables and a watchdog module, a signature architecture shared with Mirai variants identified by Fortinet in 2026.
- CVE-2024-3721 is a medium-severity command injection flaw in TBK DVR devices that enables the delivery of Nexcorium and RondoDox botnets.
- The malware incorporates lateral movement via CVE-2017-17215, targeting Huawei HG532 devices through automated exploitation.
- Persistence is established using crontab and systemd, followed by the deletion of the original binary to evade forensic analysis.
- CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog in June 2025, highlighting the ongoing risk of EoL TP-Link routers.
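The XOR-encoded configuration tables named above are the Mirai trait that analysts most often meet first when triaging a sample. The following Python is an added example written for this summary, not code from Fortinet, Unit 42 or the malware authors: it implements the table obfuscation as the leaked Mirai source does it (a 32-bit key whose four bytes are each XORed into every byte, which collapses to a single byte) and recovers the key from a crib string rather than from the decode routine. The 0xDEADBEEF key comes from the public Mirai source; whether Nexcorium keeps that key is an assumption, and the table bytes below are constructed, not taken from a real sample.

```python
"""Mirai-style XOR configuration table handling (added example, not from the
article's sources). Mirai's table.c XORs every byte of an entry with each of
the four key bytes in turn, so the net effect is one byte: for 0xDEADBEEF that
is 0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22. The crib-based recovery below works for
any single-byte key, so it does not depend on that assumption."""

MIRAI_TABLE_KEY = 0xDEADBEEF  # leaked Mirai source; assumed, not confirmed, for Nexcorium


def effective_byte_key(key32: int) -> int:
    """XOR of the four key bytes: what the per-byte loop actually applies."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Mirai's toggle_obf: the same call both encodes and decodes."""
    k = effective_byte_key(key32)
    return bytes(b ^ k for b in data)


def recover_single_byte_keys(blob: bytes, crib: bytes) -> list:
    """Every single-byte key under which `crib` appears in the decoded blob.
    A string the sample is expected to hold (a BusyBox path is a good crib for
    Mirai descendants) pins the key without reversing the decode routine."""
    return [k for k in range(256) if crib in bytes(b ^ k for b in blob)]


def extract_strings(decoded: bytes, min_len: int = 4) -> list:
    """Split a decoded table on NUL terminators and keep printable entries."""
    out = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample: NUL-terminated entries laid out as a Mirai-style table,
# then obfuscated with the assumed key. These are not bytes from a real sample.
SAMPLE_PLAINTEXT_TABLE = b"".join(
    s + b"\x00"
    for s in (b"/bin/busybox", b"enable", b"system", b"shell",
              b"nexuscorp has taken control", b"/proc/", b"/exe")
)
SAMPLE_ENCODED_TABLE = toggle_obf(SAMPLE_PLAINTEXT_TABLE)


def analyse(blob: bytes, crib: bytes = b"/bin/busybox") -> dict:
    """Recover the key from the crib, then list the strings the table holds.
    If the crib matches under zero or several keys, report the candidates and
    decode nothing rather than guess."""
    keys = recover_single_byte_keys(blob, crib)
    if len(keys) != 1:
        return {"key": None, "candidates": keys, "strings": []}
    decoded = bytes(b ^ keys[0] for b in blob)
    return {"key": keys[0], "candidates": keys, "strings": extract_strings(decoded)}


if __name__ == "__main__":
    result = analyse(SAMPLE_ENCODED_TABLE)
    print(f"recovered key: 0x{result['key']:02x}")
    for s in result["strings"]:
        print("  ", s)
```

Because the same function encodes and decodes, a sample's decode routine is also its encode routine; the crib approach sidesteps locating either in a stripped ARM or MIPS binary, which is the usual situation with DVR firmware.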
Practical Applications
- IoT Fleet Management: Replacing end-of-life TP-Link models like TL-WR841N to prevent CVE-2023-33538 exploitation. Pitfall: Relying on default credentials allows authenticated vulnerabilities to become critical entry points.
- Network Monitoring: Searching shell output and logs for Nexcorium’s ‘nexuscorp has taken control’ string. Pitfall: Failing to monitor crontab entries and systemd services allows the malware to keep its persistence after the original binary is deleted.
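The Network Monitoring item above names the three artefacts a responder can check on a suspected device: the marker string, cron and systemd persistence, and a binary that keeps running after its file is deleted (on Linux the /proc/<pid>/exe link of such a process ends in "(deleted)"). The script below is an added example, not code from the article or the researchers it cites; it runs the checks over constructed crontab, unit-file and /proc data embedded inline. The marker string is the one the article reports; the staging paths, unit name and PIDs are constructed for the sample, and on a real device the inputs would come from /etc/crontab, /var/spool/cron, the systemd unit directories and /proc.

```python
"""Host triage for Mirai-style persistence (added example, not from the
article). Checks a crontab, systemd units, /proc/<pid>/exe targets and a shell
log for the indicators the summary lists. All inputs below are constructed."""

import re
from dataclasses import dataclass

MARKER = "nexuscorp has taken control"  # string reported in the article
# Writable locations a dropper commonly stages into on a read-mostly DVR rootfs
# (constructed list; extend it for the device under review).
WRITABLE_STAGING = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/mnt/")


@dataclass
class Finding:
    source: str
    detail: str


def check_crontab(text: str, source: str) -> list:
    """Flag cron lines that run from a staging dir or relaunch at boot."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@reboot") or any(p in line for p in WRITABLE_STAGING):
            findings.append(Finding(source, line))
    return findings


def check_systemd_unit(text: str, source: str) -> list:
    """Flag units whose ExecStart points into a staging dir; note Restart=always,
    which keeps a deleted-from-disk process coming back after it is killed."""
    m = re.search(r"^ExecStart=(.+)$", text, re.M)
    if not m or not any(p in m.group(1) for p in WRITABLE_STAGING):
        return []
    detail = f"ExecStart from staging dir: {m.group(1).strip()}"
    if re.search(r"^Restart=always$", text, re.M):
        detail += " (Restart=always)"
    return [Finding(source, detail)]


def check_proc_exe(links: dict) -> list:
    """A /proc/<pid>/exe target ending in '(deleted)' is a process still running
    from a binary that no longer exists on disk: the post-persistence cleanup
    the article describes leaves exactly this trace."""
    return [Finding(f"/proc/{pid}/exe", target)
            for pid, target in links.items() if target.endswith("(deleted)")]


def check_marker(text: str, source: str) -> list:
    return [Finding(source, MARKER)] if MARKER in text else []


def triage(crontab: str, units: dict, proc_exe: dict, shell_log: str) -> list:
    findings = check_crontab(crontab, "/etc/crontab")
    for name, text in units.items():
        findings += check_systemd_unit(text, name)
    findings += check_proc_exe(proc_exe)
    findings += check_marker(shell_log, "shell-log")
    return findings


# Constructed sample inputs (not captured from a real device).
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/.dvr_update >/dev/null 2>&1
*/5 * * * * /var/tmp/.x/.dvr_update >/dev/null 2>&1
"""
SAMPLE_UNITS = {
    "/etc/systemd/system/dvr-update.service": """\
[Unit]
Description=DVR update service
[Service]
ExecStart=/tmp/.x/.dvr_update
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "/lib/systemd/system/cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
}
SAMPLE_PROC_EXE = {1: "/sbin/init", 412: "/usr/bin/dvr_app",
                   2077: "/tmp/.x/.dvr_update (deleted)"}
SAMPLE_SHELL_LOG = "login: root\nnexuscorp has taken control\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_UNITS, SAMPLE_PROC_EXE, SAMPLE_SHELL_LOG):
        print(f"{f.source}: {f.detail}")
```

The four checks are deliberately independent: a device that has rebooted no longer shows the "(deleted)" process, but the cron and unit entries survive, which is the point of the pitfall the article raises.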