Full Report
Threat actors are exploiting security flaws in TBK DVR and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting
Analysis Summary
# Tool/Technique: Nexcorium (Mirai Variant)
## Overview
Nexcorium is a modern variant of the Mirai botnet specifically designed to target Internet of Things (IoT) devices, such as Digital Video Recorders (DVRs) and wireless routers. Its primary purpose is to hijack vulnerable devices to build a distributed denial-of-service (DDoS) botnet infrastructure. It leverages a combination of known vulnerabilities and brute-force attacks to gain initial access and spread laterally.
## Technical Details
- **Type:** Malware Family (Mirai variant)
- **Platform:** Linux-based IoT devices (Multiple architectures supported)
- **Capabilities:** Command injection exploitation, Telnet brute-forcing, DDoS execution, persistence, and lateral movement.
- **First Seen:** Associated with active campaigns reported in April 2026 (building on variants seen as early as late 2024/2025).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
  - [T1110.001 - Brute Force: Password Guessing]
- **[TA0003 - Persistence]**
  - [T1053.003 - Scheduled Task/Job: Cron]
  - [T1543.002 - Create or Modify System Process: Systemd Service]
- **[TA0005 - Defense Evasion]**
  - [T1070.004 - Indicator Removal: File Deletion]
  - [T1140 - Deinterleave, Decompress, or Decrypt Information]
- **[TA0040 - Impact]**
  - [T1498.001 - Network Denial of Service: Direct Network Flood]
## Functionality
### Core Capabilities
- **Vulnerability Exploitation:** Targets CVE-2024-3721 (TBK DVR) and CVE-2023-33538 (TP-Link Routers) for initial compromise.
- **Cross-Platform Support:** Deploys architecture-specific payloads matched to the target Linux system (ARM, MIPS, etc.).
- **DDoS Module:** Capable of launching large-scale attacks via UDP, TCP, and SMTP protocols.
- **Configuration Security:** Uses XOR-encoded configuration tables to hide C2 strings and operational settings from static analysis.
### Advanced Features
- **Lateral Movement:** Includes an exploit for CVE-2017-17215 to compromise Huawei HG532 devices within the same network.
- **Embedded Brute-Forcer:** Contains a hard-coded list of usernames and passwords specifically for Telnet-based credential stuffing.
- **Self-Preservation:** Deletes the original downloader binary and provides a status message ("nexuscorp has taken control") upon successful infection.
## Indicators of Compromise
- **File Hashes:** (Specific hashes not provided in the article; they typically vary by architecture.)
- **File Names:** Nexcorium (secondary payload), various architecture-specific binary names.
- **Registry Keys:** N/A (Linux-based).
- **Network Indicators:**
  - External C2 connection for DDoS commands (hostnames defanged: `nexuscorp[.]xyz` or related domains).
  - Outbound Telnet (port 23) scanning activity.
- **Behavioral Indicators:**
  - Modification of `crontab` files.
  - Creation of new `systemd` services.
  - Sudden spikes in outbound UDP/TCP/SMTP traffic.
## Associated Threat Actors
- While specific named groups were not identified, the malware is part of the "Loader-as-a-Service" ecosystem, frequently associated with campaigns distributing **RondoDox**, **Mirai**, and **Morte** payloads.
## Detection Methods
- **Signature-based detection:** Scanning for Mirai-consistent XOR-encoded strings and specific Nexcorium banner messages.
- **Behavioral detection:** Monitoring for unauthorized changes to system persistence files (`/etc/crontab`, `/etc/systemd/system/`).
- **Network Monitoring:** Identifying high-frequency exploitation attempts targeting `/login.rsp` (TBK DVR) or automated probes for TP-Link vulnerabilities.
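The following Python script is an added example, not code from the article or from either vendor report: it applies the network and behavioral checks above to constructed log lines (the IP addresses, timestamps, thresholds and the `upnp.service` file name are assumptions made for the example).

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the article): a TBK DVR web access log,
# firewall egress lines and file-audit lines, with made-up IPs and times.
SAMPLE_EVENTS = [
    '203.0.113.7 - - [10/Apr/2026:10:01:02 +0000] "POST /login.rsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2026:10:01:03 +0000] "POST /login.rsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2026:10:01:04 +0000] "POST /login.rsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 DPT=23 PROTO=TCP',
    'kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.11 DPT=23 PROTO=TCP',
    'kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.12 DPT=23 PROTO=TCP',
    'audit: host=10.0.0.5 path="/etc/crontab" op=write',
    'audit: host=10.0.0.5 path="/etc/systemd/system/upnp.service" op=create',
]

WEB_RE = re.compile(r'^(\S+) .*"(?:POST|GET) (/\S*) ')
EGRESS_RE = re.compile(r'SRC=(\S+) DST=(\S+) DPT=23\b')
AUDIT_RE = re.compile(r'host=(\S+) path="(/etc/crontab|/etc/systemd/system/[^"]*)"')

# Thresholds are assumptions for the example, not values from the article.
LOGIN_RSP_THRESHOLD = 3    # repeated hits on the CVE-2024-3721 endpoint
TELNET_SCAN_THRESHOLD = 3  # distinct hosts probed on TCP/23 from one source

def detect(events):
    """Return {finding: [subject, ...]} for the three behaviours listed above."""
    login_hits = Counter()               # source IP -> hits on /login.rsp
    telnet_targets = defaultdict(set)    # internal host -> hosts probed on port 23
    persistence = defaultdict(list)      # internal host -> persistence paths touched
    for line in events:
        if (m := WEB_RE.match(line)) and m.group(2) == "/login.rsp":
            login_hits[m.group(1)] += 1
        elif m := EGRESS_RE.search(line):
            telnet_targets[m.group(1)].add(m.group(2))
        elif m := AUDIT_RE.search(line):
            persistence[m.group(1)].append(m.group(2))
    findings = {}
    exploit = [ip for ip, n in login_hits.items() if n >= LOGIN_RSP_THRESHOLD]
    if exploit:
        findings["tbk_login_rsp_exploitation"] = sorted(exploit)
    scanners = [ip for ip, t in telnet_targets.items() if len(t) >= TELNET_SCAN_THRESHOLD]
    if scanners:
        findings["outbound_telnet_scan"] = sorted(scanners)
    if persistence:
        findings["persistence_modification"] = sorted(
            f"{host}:{path}" for host, paths in persistence.items() for path in paths)
    return findings

if __name__ == "__main__":
    for name, subjects in detect(SAMPLE_EVENTS).items():
        print(name, subjects)
```

The three checks are independent, so a single hit on `/login.rsp` or a one-off Telnet connection stays below threshold while the persistence writes are always reported.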
## Mitigation Strategies
- **Prevention:** Immediately patch TBK DVR-4104/4216 devices against CVE-2024-3721.
- **Hardening:** Disable Telnet services on all IoT devices; use SSH with key-based authentication if remote access is required.
- **Credential Hygiene:** Change default manufacturer passwords to complex, unique strings.
- **Network Segmentation:** Isolate IoT devices (cameras, routers, DVRs) into a dedicated VLAN with restricted outbound internet access.
## Related Tools/Techniques
- **RondoDox:** Another botnet often deployed via the same vulnerabilities.
- **Morte:** A payload frequently distributed alongside Nexcorium via loader-as-a-service.
- **CVE-2017-17215:** Legacy Huawei exploit integrated into Nexcorium's code for propagation.