Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
These articles are AI-generated summaries. Please check the original sources for full details.
Security researchers from Fortinet and Unit 42 have identified active exploitation of CVE-2024-3721 in TBK DVR-4104 and DVR-4216 devices. The attack deploys Nexcorium, a Mirai-based botnet that carries an XOR-encoded configuration and establishes persistence via crontab and systemd.
Why This Matters
Legacy vulnerabilities in IoT devices persist, so unpatched hardware becomes a permanent staging ground for botnets. Ideal security models assume timely patching, but end-of-life hardware such as the TP-Link WR940N and WR740N will not receive one, so vulnerabilities like CVE-2023-33538 remain exploitable indefinitely. This gap lets malware evolve from simple scripts into loaders-as-a-service that scale DDoS capacity across diverse Linux architectures with little friction.
Key Insights
- Nexcorium uses XOR-encoded configuration tables and a watchdog module, a signature architecture shared with Mirai variants identified by Fortinet in 2026.
- CVE-2024-3721 is a medium-severity command injection flaw in TBK DVR devices that enables the delivery of Nexcorium and RondoDox botnets.
- The malware incorporates lateral movement via CVE-2017-17215, targeting Huawei HG532 devices through automated exploitation.
- Persistence is established using crontab and systemd, followed by the deletion of the original binary to evade forensic analysis.
- CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog in June 2025, highlighting the ongoing risk of EoL TP-Link routers.
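Worked example, added here and not taken from the article or from the Fortinet / Unit 42 reports: decoding a Mirai-style XOR-obfuscated configuration table, since the first insight above turns on that encoding. It assumes the obfuscation of the public Mirai source (each table byte XORed with the four bytes of 0xdeadbeef in turn, which is the same as a single XOR with 0x22); Nexcorium's actual key is not stated on this page, so the brute-force path recovers an unknown single-byte key from the ciphertext alone. The encoded table is a constructed sample, not data from a real sample.

```python
# Added example, not code from the article or from the Fortinet / Unit 42 reports.
# It shows how an analyst recovers strings from a Mirai-style XOR-obfuscated
# configuration table. Assumption: the original Mirai source XORs each table
# byte with the four bytes of the 32-bit key 0xdeadbeef in turn, which collapses
# to a single-byte XOR with 0x22. Nexcorium's own key is not given in the
# article, so brute_force_key() recovers an unknown single-byte key from the
# ciphertext alone. SAMPLE_TABLE is constructed here for the demonstration.
import string
from typing import List, Tuple

MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_key(key32: int) -> int:
    """Mirai applies k1, k2, k3, k4 in sequence; XOR is associative, so one byte suffices."""
    k1 = (key32 >> 24) & 0xFF
    k2 = (key32 >> 16) & 0xFF
    k3 = (key32 >> 8) & 0xFF
    k4 = key32 & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Equivalent of Mirai's toggle_obf(): symmetric, so it both encodes and decodes."""
    k = effective_key(key32)
    return bytes(b ^ k for b in data)


def decode_table(table: List[bytes], key32: int = MIRAI_TABLE_KEY) -> List[str]:
    """Decode every entry with a known key and strip the C-string NUL terminator."""
    return [toggle_obf(e, key32).rstrip(b"\x00").decode("ascii", "replace") for e in table]


_PRINTABLE = set(string.printable.encode())


def brute_force_key(table: List[bytes]) -> Tuple[int, List[str]]:
    """Unknown key: every entry must decode to a NUL-terminated, mostly printable string."""
    best = (-1, -1.0, [])
    for k in range(256):
        decoded = [bytes(b ^ k for b in e) for e in table]
        # Only the true key turns the final byte of every entry into 0x00.
        if not all(d.endswith(b"\x00") for d in decoded):
            continue
        body = b"".join(d.rstrip(b"\x00") for d in decoded)
        score = sum(b in _PRINTABLE for b in body) / max(len(body), 1)
        if score > best[1]:
            best = (k, score, [d.rstrip(b"\x00").decode("ascii", "replace") for d in decoded])
    return best[0], best[2]


# Constructed sample: plaintext entries a Mirai-style table might hold, encoded
# with the assumed key so the decoder has something to work on.
_PLAINTEXT = [b"/proc/\x00", b"/bin/busybox\x00", b"nexuscorp has taken control\x00"]
SAMPLE_TABLE = [toggle_obf(p) for p in _PLAINTEXT]

if __name__ == "__main__":
    print("known key :", decode_table(SAMPLE_TABLE))
    key, strings = brute_force_key(SAMPLE_TABLE)
    print(f"recovered : key=0x{key:02x} {strings}")
```

The NUL-terminator check is what makes the brute force unambiguous: a wrong key leaves the last byte of every entry non-zero, so the printable-ratio score only matters for tables whose entries are not stored as C strings.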
Practical Applications
- IoT Fleet Management: Replacing end-of-life TP-Link models like TL-WR841N to prevent CVE-2023-33538 exploitation. Pitfall: Relying on default credentials allows authenticated vulnerabilities to become critical entry points.
- Network Monitoring: Scanning for Nexcorium’s ‘nexuscorp has taken control’ string in shell outputs. Pitfall: Failing to monitor crontab or systemd services allows the malware to maintain persistence after binary deletion.
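The two monitoring points above, as one added example that is not the article's or the researchers' code: it audits crontab lines and systemd unit files for commands whose executable is already gone from disk (what is left after a loader deletes its original binary) or runs from a scratch directory, and it scans captured shell output for the marker string quoted above. The crontab, unit file, console transcript and on-disk view are constructed samples; the path-existence check is injected as a callable so the script runs offline, and a real audit would pass os.path.exists instead.

```python
# Added example, not code from the article or the cited researchers. It pairs
# the two checks the article recommends: audit crontab lines and systemd unit
# files for commands whose executable has been removed from disk (the pattern
# left after a loader deletes its original binary) or runs from a scratch
# directory, and scan captured shell output for the quoted marker string.
# Every input below is a constructed sample; the path-existence check is
# injected as a callable so the demonstration runs offline.
import re
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, List

MARKER = "nexuscorp has taken control"
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

@dataclass
class Finding:
    source: str
    command: str
    reason: str

def _executable_of(command: str) -> str:
    """First real token of a command line, skipping VAR=value prefixes."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    for tok in tokens:
        if "=" in tok and not tok.startswith("/"):
            continue
        return tok
    return ""

def _judge(source: str, command: str, exists: Callable[[str], bool]) -> List[Finding]:
    exe = _executable_of(command)
    out: List[Finding] = []
    if exe.startswith("/") and not exists(exe):
        out.append(Finding(source, command, f"executable {exe} no longer on disk"))
    if exe.startswith(SCRATCH_DIRS):
        out.append(Finding(source, command, f"executable runs from scratch dir {exe}"))
    return out

def audit_crontab(text: str, exists: Callable[[str], bool]) -> List[Finding]:
    """Parse crontab -l output: @shortcut + command, or five schedule fields + command."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts, want = (line.split(None, 1), 2) if line.startswith("@") else (line.split(None, 5), 6)
        if len(parts) != want:
            continue
        findings.extend(_judge("crontab", parts[-1], exists))
    return findings

def audit_systemd_unit(name: str, unit_text: str, exists: Callable[[str], bool]) -> List[Finding]:
    """Inspect ExecStart= lines; systemd allows -, @, +, !, : prefixes before the path."""
    findings: List[Finding] = []
    for m in re.finditer(r"^\s*ExecStart\s*=\s*(.+)$", unit_text, re.MULTILINE):
        findings.extend(_judge(f"systemd:{name}", m.group(1).strip().lstrip("-@+!:"), exists))
    return findings

def scan_output_for_marker(output: str) -> List[int]:
    """1-based line numbers in captured shell output that contain the marker."""
    return [i for i, line in enumerate(output.splitlines(), 1) if MARKER in line.lower()]

# Constructed samples: one benign cron job, one job in /tmp, and one job plus a
# matching unit whose binary has already been unlinked.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.x/.svc >/dev/null 2>&1
*/5 * * * * /var/lib/.cache/dvr_helper -d
"""
SAMPLE_UNIT = """\
[Service]
ExecStart=/var/lib/.cache/dvr_helper -d
Restart=always
"""
SAMPLE_SHELL_OUTPUT = """\
# id
uid=0(root) gid=0(root)
nexuscorp has taken control
"""
# Constructed on-disk view: the dvr_helper binary was deleted after install.
FAKE_DISK: Dict[str, bool] = {
    "/usr/bin/certbot": True,
    "/tmp/.x/.svc": True,
    "/var/lib/.cache/dvr_helper": False,
}

def run_audit(crontab: str = SAMPLE_CRONTAB, unit: str = SAMPLE_UNIT,
              output: str = SAMPLE_SHELL_OUTPUT, disk: Dict[str, bool] = FAKE_DISK) -> dict:
    exists = lambda path: disk.get(path, False)
    return {
        "crontab": audit_crontab(crontab, exists),
        "systemd": audit_systemd_unit("dvr-helper.service", unit, exists),
        "marker_lines": scan_output_for_marker(output),
    }

if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section, items)
```

The missing-executable check is the one that survives the binary deletion the article describes: the cron entry and the unit file stay behind and keep pointing at a path that no longer exists, which is an easy signal to collect across a fleet of DVRs or routers.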