A new iteration of the notorious Mirai botnet, dubbed Nexcorium, has emerged in the wild, aggressively targeting internet-connected video recording devices. <\/p>\n
According to recent threat research published by Fortinet\u2019s FortiGuard Labs, threat actors are exploiting a known command injection vulnerability<\/a> to hijack TBK DVR systems and construct a large-scale Distributed Denial-of-Service (DDoS) botnet.<\/p>\n Fortinet researchers report that the campaign specifically targets TBK DVR-4104 and DVR-4216 models by exploiting CVE-2024-3721. This OS command injection flaw allows attackers to deliver a downloader script by manipulating arguments within the device system. <\/p>\n During the exploitation phase, network traffic reveals a custom HTTP header reading \u201cX-Hacked-By: Nexus Team \u2013 Exploited By Erratic,\u201d leading FortiGuard Labs to attribute the campaign to a relatively unknown threat actor identified as the \u201cNexus Team<\/a>\u201c.<\/p>\n Once the downloader script executes, it fetches multi-architecture payloads supporting ARM, MIPS, and x86-64 environments, subsequently displaying a console message stating \u201cnexuscorp has taken control\u201d.<\/p>\n Fortinet\u2019s analysis reveals that Nexcorium shares fundamental architecture with traditional Mirai variants<\/a>, utilizing XOR-encoded configurations and modular components. The technical operation relies on several core mechanisms:<\/a><\/p>\n To maintain long-term access to compromised systems, the malware establishes persistence<\/a> through four distinct mechanisms rather than relying on a single configuration file. The botnet secures its foothold by:<\/a><\/p>\n Following this extensive setup, Fortinet notes that Nexcorium deletes its original binary from the execution path to thwart security analysts.<\/p>\n The primary objective of the Nexus Team campaign is launching devastating DDoS attacks. Based on FortiGuard Labs\u2019 decryption of the malware\u2019s configuration table<\/a>, Nexcorium communicates with a centralized command-and-control (C2) server to receive attack directives. <\/p>\n Instead of a narrow attack scope, the botnet is equipped with a versatile arsenal of flood techniques. These include standard UDP, TCP ACK, TCP SYN, SMTP, and TCP PSH floods, alongside specialized attack vectors like VSE query floods and UDP blast attacks.<\/p>\n The discovery of Nexcorium highlights the continuous weaponization of legacy IoT devices. Security experts strongly advise organizations to immediately patch CVE-2024-3721, replace default manufacturer credentials, and isolate critical infrastructure from vulnerable IoT endpoints using network segmentation.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\u00a0Exploit](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/04\/image-67.png?ssl=1\")
Technical Capabilities and Infection Mechanisms<\/strong><\/h2>\n
\n
![\"\u00a0XOR-Encoded](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/04\/image-66.png?ssl=1\")
\n
\/etc\/inittab<\/code>\u00a0to ensure automatic process restarts if the malware is terminated.<\/a>\n<\/li>\n\/etc\/rc.local<\/code>\u00a0to guarantee execution during the device\u2019s system startup sequence.<\/a>\n<\/li>\npersist.service<\/code>\u00a0for persistent background operation.<\/a>\n<\/li>\n![\"Parsing](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/04\/image-65.png?ssl=1\")