According to research from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, threat actors are exploiting security flaws in TBK DVRs and End of Life (EoL) TP-Link Wi-Fi routers to deploy Mirai botnet variants on compromised devices.
The attack targeting TBK DVR devices was found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium.
“IoT devices are becoming prime targets for increasingly large-scale attacks due to their widespread use, lack of patching, and often weak security configurations,” said security researcher Vincent Lee. “Threat actors continue to exploit known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial of service (DDoS) attacks.”
This is not the first time this vulnerability has been exploited. Over the past year, this security issue has been exploited to introduce variants of Mirai and a relatively new botnet called RondoDox. In September 2025, CloudSEK also revealed details of a large loader-as-a-service botnet that was distributing RondoDox, Mirai, and Morte payloads through weak credentials and outdated flaws in routers, IoT devices, and enterprise apps.
The attack campaign outlined by Fortinet involves exploiting CVE-2024-3721 to obtain and drop a downloader script, then launch a botnet payload based on the Linux system architecture. Once the malware executes, you will see a message that says “nexuscorp has taken control.”
“Nexcorium has a similar architecture to the Mirai variant, including an XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module,” the security vendor said.
The malware also includes an exploit for CVE-2017-17215 that targets Huawei HG532 devices in the network, with a hardcoded list of usernames and passwords used for brute force attacks to open Telnet connections and target victim hosts.
After a successful Telnet login, it obtains a shell, sets persistence using crontab and systemd services, and waits for commands to connect to an external server and launch a DDoS attack via UDP, TCP, and SMTP. Once persistence is established on the device, the malware deletes the original downloaded binary to avoid analysis.
“The Nexcorium malware exhibits typical characteristics of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence techniques to maintain long-term access to infected systems,” Fortinet said. “The use of known exploits such as CVE-2017-17215 and extensive brute force capabilities highlight its adaptability and effectiveness in expanding its reach.”
This development comes after Unit 42 announced that it had detected active automated scans and probes attempting to exploit CVE-2023-33538 (CVSS score: 8.8), a command injection vulnerability affecting EoL TP-Link wireless routers. However, the security breach uses a flawed approach that was not successful.
It is worth noting that this security flaw was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog in June 2025. This vulnerability affects the following models:
TL-WR940N v2 and v4 TL-WR740N v1 and v2 TL-WR841N v8 and v10
Researchers Asher Davila, Malav Vyas and Chris Navarrete said: “Although the actual attacks we observed were flawed and could have failed, our analysis confirms that the underlying vulnerability is real.” “Successful exploitation requires authentication to the router’s web interface.”
The attack in this case attempts to deploy Mirai-like botnet malware using source code that contains numerous references to the string “Condi.” It also has the ability to act as a web server that updates itself with new versions and spreads the infection to other connected devices.
Affected TP‑Link devices are no longer actively supported and we recommend that users replace their devices with newer models and avoid using default credentials.
“For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials on IoT devices,” Unit 42 said. “These credentials can turn a limited, authenticated vulnerability into a critical point of entry for a determined attacker.”
Source link
