## Overview
Security researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have documented active exploitation campaigns deploying a new Mirai botnet variant dubbed Nexcorium. The campaign targets TBK DVR (Digital Video Recorder) devices by exploiting CVE-2024-3721, as well as end-of-life (EoL) TP-Link Wi-Fi routers vulnerable to known unpatched flaws. Compromised devices are absorbed into a DDoS botnet.
## Nexcorium: A New Mirai Variant
Nexcorium is a freshly identified variant of the long-running Mirai malware family, first discovered in 2016 targeting IoT devices for DDoS amplification. Like its predecessors, Nexcorium:
- Scans the internet for devices with known vulnerabilities or weak/default credentials
- Exploits discovered weaknesses to gain remote access and deploy the malware payload
- Enrolls the compromised device into a command-and-control (C2) botnet infrastructure
- Receives instructions to participate in distributed denial-of-service attacks against attacker-specified targets
Nexcorium's distinguishing features compared to baseline Mirai include updated exploit modules targeting 2024–2026 CVEs, improved evasion of basic honeypot detection, and support for additional DDoS attack vectors.
## CVE-2024-3721: TBK DVR Exploitation
CVE-2024-3721 is a critical vulnerability in TBK Vision DVR devices — a brand of digital video recorders widely deployed in commercial and residential surveillance systems worldwide.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-3721 |
| Affected Device | TBK Vision DVR |
| Attack Vector | Network (unauthenticated) |
| Impact | Remote code execution / shell access |
| Exploitation Status | Actively exploited |
The flaw allows an unauthenticated remote attacker to execute arbitrary commands on the affected DVR. Exploitation is straightforward: attackers send a crafted HTTP request to the device's web management interface, triggering command execution and enabling the Nexcorium payload to be downloaded and executed.
TBK DVRs are frequently internet-exposed, have long device lifecycles (no automatic updates), and are often configured with default credentials — making them persistent targets for IoT botnets.
## TP-Link End-of-Life Router Targeting
In parallel with the TBK DVR campaign, Nexcorium also targets TP-Link Wi-Fi routers that have reached end-of-life and no longer receive security patches. These devices include several home and SMB router models whose firmware vulnerabilities are publicly known but cannot be officially patched.
The exploitation of EoL devices is a persistent IoT security challenge: organizations and consumers continue operating devices past vendor support lifespans, leaving them permanently vulnerable to botnet recruitment.
## Active Exploitation Evidence
Fortinet FortiGuard Labs documented:
- Ongoing scanning activity targeting TBK DVR web interfaces on TCP/80 and TCP/8080
- Payload delivery consistent with Nexcorium binary signatures
- C2 infrastructure operating across multiple geographic regions
- DDoS attack traffic originating from botnet nodes after successful recruitment
Palo Alto Networks Unit 42 corroborated the campaign with independent telemetry showing widespread scanning for CVE-2024-3721 across their sensor network.
## Affected Devices and Remediation
### TBK DVR Devices
| Action | Details |
|---|---|
| Check for patches | Visit the TBK Vision website for available firmware updates |
| Disable remote access | Restrict web interface access to trusted IP addresses only |
| Change default credentials | Replace factory default admin credentials immediately |
| Network segmentation | Place DVRs on an isolated VLAN — no direct internet exposure |
| Consider replacement | Devices no longer receiving patches should be replaced with actively supported models |
### TP-Link EoL Routers
| Action | Details |
|---|---|
| Replace the device | No security patches will be issued — replacement is the only long-term solution |
| Interim: disable remote management | Turn off WAN-facing admin interfaces |
| Firewall upstream | Block inbound management traffic at the ISP/modem level |
| Monitor for anomalies | Unexpected outbound traffic, high CPU, or unknown connections may indicate compromise |
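The two remediation tables above come down to one rule: no management interface of a DVR or EoL router should be reachable from the WAN, and DVRs should not be reachable from the internet at all. The following audit is an added example (not code from the advisory, TBK Vision, TP-Link, FortiGuard or Unit 42) that checks a router's port-forwarding / UPnP mapping table against a small device inventory and reports every mapping that breaks that rule. The mapping file format, the inventory, the `MANAGEMENT_PORTS` set and the `IOT_ROLES` set are assumptions for the example; only ports 80 and 8080 as DVR web-interface ports come from the advisory.

```python
"""Audit router port-forward / UPnP mappings against a LAN device inventory.

Added defender-side example (hypothetical helper, not a vendor tool). It flags:
  * management-port-exposed : a forwarded port lands on a device's admin/shell service
  * iot-device-exposed      : any forwarding at all to a DVR/camera-class device
  * eol-device-exposed      : any forwarding to a device that no longer gets patches
  * unknown-device          : a forwarding to an address missing from the inventory
"""
from dataclasses import dataclass

# Ports where IoT web/management interfaces and remote shells usually listen.
# 80 and 8080 are the TBK DVR web-interface ports named in the advisory; the
# others are common management services (assumption, extend for your estate).
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080, 8443}
# Device roles that should never be directly reachable from the internet (assumption).
IOT_ROLES = {"dvr", "nvr", "camera"}


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    role: str   # e.g. "dvr", "router", "workstation"
    eol: bool   # True when the vendor no longer ships security updates


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_ip: str
    int_port: int
    note: str


@dataclass(frozen=True)
class Finding:
    reason: str
    mapping: Mapping


def parse_mappings(text):
    """Parse a constructed table: 'proto ext_port int_ip:int_port [note]' per line."""
    mappings = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        proto, ext, target, *note = line.split(maxsplit=3)
        ip, port = target.split(":")
        mappings.append(Mapping(proto.upper(), int(ext), ip, int(port), " ".join(note)))
    return mappings


def audit_exposure(mappings, inventory):
    """Return one Finding per violated rule; a mapping can trip several rules."""
    by_ip = {d.ip: d for d in inventory}
    findings = []
    for m in mappings:
        dev = by_ip.get(m.int_ip)
        if dev is None:
            findings.append(Finding("unknown-device", m))
            continue
        if dev.eol:
            findings.append(Finding("eol-device-exposed", m))
        if m.int_port in MANAGEMENT_PORTS:
            findings.append(Finding("management-port-exposed", m))
        if dev.role in IOT_ROLES:
            findings.append(Finding("iot-device-exposed", m))
    return findings


# Constructed sample data: a small home/SMB LAN with an EoL edge router and a DVR.
SAMPLE_INVENTORY = [
    Device("192.168.1.1", "edge-router", "router", eol=True),
    Device("192.168.1.10", "lobby-dvr", "dvr", eol=False),
    Device("192.168.1.20", "nas", "nas", eol=False),
    Device("192.168.1.30", "game-pc", "workstation", eol=False),
]
SAMPLE_MAPPINGS = """
# proto ext_port int_ip:int_port note
TCP 8080  192.168.1.10:80    DVR web UI
TCP 554   192.168.1.10:554   DVR RTSP stream
TCP 8443  192.168.1.1:443    router remote admin
UDP 27015 192.168.1.30:27015 game server
TCP 2222  192.168.1.99:22    old pi, not in inventory
"""

if __name__ == "__main__":
    for f in audit_exposure(parse_mappings(SAMPLE_MAPPINGS), SAMPLE_INVENTORY):
        m = f.mapping
        print(f"{f.reason:24} {m.proto}/{m.ext_port} -> {m.int_ip}:{m.int_port}  ({m.note})")
```

On the sample data the DVR web-UI forward is reported twice (management port and IoT device), the RTSP forward once (IoT device), the router admin forward twice (EoL and management port), and the stale forward to an address nobody owns once; the game-server forward to a supported workstation is the only clean entry. Re-running the audit after applying the tables' fixes should leave only that entry.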
## Detecting Nexcorium Infection
Signs that a device may already be compromised by Nexcorium or a Mirai variant:
- Unusually high CPU/memory usage on the device
- Unexpected outbound connections to unknown IP addresses
- Slow or unresponsive web management interface
- Device reboots without user action
- Participation in DDoS events against third parties (reported by upstream ISP)
Recovery: Rebooting the device clears the in-memory Mirai infection (Mirai does not typically achieve persistence beyond reboot). However, if the underlying vulnerability is not patched or remote access is not restricted, re-infection will occur rapidly.
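The scanning activity described under "Active Exploitation Evidence" (probes against DVR web interfaces on TCP/80 and TCP/8080) and the infection signs listed above (unexpected outbound connections, and an infected node scanning for further victims) can both be surfaced from flow records at the boundary of the DVR VLAN. The script below is an added example, not code from the advisory, FortiGuard or Unit 42, and works on a constructed flow-log format (`epoch src_ip src_port dst_ip dst_port proto`). The VLAN address, the egress allowlist and the two thresholds are assumptions; the web ports 80 and 8080 are the ones the advisory names.

```python
"""Flag Mirai-style activity around a DVR VLAN from simple flow records.

Added defender-side example. Three detections:
  * inbound-scan      : several distinct external sources probing one DVR's web ports
  * unexpected-egress : a DVR connecting to a destination outside its allowlist
                        (payload download or C2 traffic look like this)
  * worm-fanout       : a DVR opening connections to many hosts on one port,
                        the pattern of an infected node recruiting others
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DVR_VLAN = ip_network("192.168.50.0/24")   # assumption: the isolated DVR VLAN
DVR_WEB_PORTS = {80, 8080}                 # TBK DVR web-interface ports from the advisory
# Destinations a DVR legitimately needs (assumption): DNS/NTP on the VLAN gateway
# and the internal video-recording server.
EGRESS_ALLOW = {("192.168.50.1", 53), ("192.168.50.1", 123), ("192.168.10.5", 443)}
SCAN_SOURCES_MIN = 3   # distinct external sources before we call it a scan
FANOUT_HOSTS_MIN = 5   # distinct targets on one port before we call it worm-like

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE_NETS)


def parse_flows(text):
    """Parse constructed records: 'epoch src_ip src_port dst_ip dst_port proto'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto = line.split()
        flows.append((int(ts), src, int(sport), dst, int(dport), proto))
    return flows


def analyse(flows):
    """Return a list of (kind, dvr_ip, detail) alerts."""
    scan_sources = defaultdict(set)   # dvr ip -> external sources hitting web ports
    fanout = defaultdict(set)         # (dvr ip, dst port) -> distinct destinations
    egress = set()                    # (dvr ip, dst ip, dst port, proto) not allowlisted
    for _ts, src, _sport, dst, dport, proto in flows:
        if ip_address(dst) in DVR_VLAN and dport in DVR_WEB_PORTS and not is_private(src):
            scan_sources[dst].add(src)
        if ip_address(src) in DVR_VLAN:
            fanout[(src, dport)].add(dst)
            if (dst, dport) not in EGRESS_ALLOW:
                egress.add((src, dst, dport, proto))

    alerts = []
    for dvr, sources in sorted(scan_sources.items()):
        if len(sources) >= SCAN_SOURCES_MIN:
            alerts.append(("inbound-scan", dvr, f"{len(sources)} external sources on web ports"))
    noisy = set()   # (dvr, port) pairs already explained by a fan-out alert
    for (dvr, port), targets in sorted(fanout.items()):
        if len(targets) >= FANOUT_HOSTS_MIN:
            alerts.append(("worm-fanout", dvr, f"{len(targets)} hosts on port {port}"))
            noisy.add((dvr, port))
    for src, dst, dport, proto in sorted(egress):
        if (src, dport) not in noisy:   # don't repeat every flow of a fan-out
            alerts.append(("unexpected-egress", src, f"{dst}:{dport}/{proto}"))
    return alerts


# Constructed sample: .10 is probed by three external hosts and then reaches out to
# an unknown host; .11 behaves like a recruited node scanning 8080 on five hosts;
# .12 sees one external probe plus an internal one (below threshold, no alert).
SAMPLE_FLOWS = """
1700000000 203.0.113.7    51000 192.168.50.10 80   tcp
1700000001 198.51.100.9   51001 192.168.50.10 8080 tcp
1700000002 203.0.113.55   51002 192.168.50.10 80   tcp
1700000003 192.168.50.10  40000 192.168.50.1  123  udp
1700000004 192.168.50.10  40001 192.168.10.5  443  tcp
1700000005 192.168.50.10  40002 203.0.113.200 9999 tcp
1700000006 192.168.50.11  40010 198.51.100.21 8080 tcp
1700000007 192.168.50.11  40011 198.51.100.22 8080 tcp
1700000008 192.168.50.11  40012 198.51.100.23 8080 tcp
1700000009 192.168.50.11  40013 198.51.100.24 8080 tcp
1700000010 192.168.50.11  40014 198.51.100.25 8080 tcp
1700000011 203.0.113.80   51010 192.168.50.12 80   tcp
1700000012 192.168.10.50  51011 192.168.50.12 80   tcp
"""

if __name__ == "__main__":
    for kind, dvr, detail in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:18} {dvr:15} {detail}")
```

Because the advisory notes that a reboot only clears the in-memory infection, an `unexpected-egress` or `worm-fanout` alert reappearing shortly after a reboot is the practical indicator that the device has been re-infected and that the exposure, not just the payload, still needs fixing.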
## Why IoT Botnets Persist
The continued effectiveness of Mirai-family botnets reflects several structural challenges in IoT security:
- No automatic patching — most IoT devices require manual firmware updates that consumers never apply
- Long device lifespans — hardware is kept far beyond vendor support windows
- Default credentials — factory defaults remain unchanged in millions of deployed units
- Internet exposure — devices intended for local use are frequently exposed directly to the internet via UPnP or manual port forwarding
- No endpoint security — IoT devices lack EDR, AV, or behavioral monitoring capabilities
Until IoT device manufacturers and consumers address these structural issues, Mirai-family botnets will remain a persistent and growing threat to internet infrastructure.