Nexcorium botnet active
- A Mirai variant named Nexcorium is exploiting TBK DVRs and end-of-life TP-Link routers for a DDoS botnet.
- It leverages CVE-2024-3721 in TBK DVRs and CVE-2023-33538 in TP-Link routers.
- The campaign shows unmanaged edge devices remain active attack surfaces for large DDoS operations. (thehackernews.com)
A botnet called Nexcorium is hijacking TBK digital video recorders and older TP-Link routers, then using them as launchpads for distributed denial-of-service attacks. (fortinet.com) A botnet is a pool of hacked machines that obey one operator, and a distributed denial-of-service attack floods a target with traffic until it slows or drops offline. Fortinet said Nexcorium is a Mirai variant, meaning it follows the same playbook that made Mirai notorious for turning internet-connected gadgets into attack nodes. (fortinet.com)

Fortinet published its analysis on April 17, 2026 and said the campaign exploits CVE-2024-3721 in TBK DVR-4104 and DVR-4216 devices. The National Vulnerability Database describes that flaw as an operating system command injection bug in the `/device.rsp` interface tied to the `mdb` and `mdc` arguments. (fortinet.com) (nvd.nist.gov) In plain terms, command injection lets an attacker smuggle system commands through a web request, like slipping new instructions into a form that was supposed to carry only settings. Fortinet said the attackers use that opening to drop a script named `dvr`, pull malware files for ARM, MIPS R3000, and x86-64 systems, mark them executable, and run them on the device. (fortinet.com)

Fortinet said the malware stores a command-and-control server address, persistence commands, a brute-force password list, and DDoS instructions inside its code. The company also said the exploit traffic carried a custom `X-Hacked-By` header with the value “Nexus Team – Exploited By Erratic,” and it tentatively linked the activity to a little-known actor it calls Nexus Team. (fortinet.com)

The same campaign also reaches for CVE-2023-33538 in discontinued TP-Link routers, according to recent reporting and separate research from Palo Alto Networks Unit 42. The National Vulnerability Database says that flaw affects TL-WR940N V2 and V4, TL-WR841N V8 and V10, and TL-WR740N V1 and V2 through the `/userRpm/WlanNetworkRpm` component. (thehackernews.com) (origin-unit42.paloaltonetworks.com) (nvd.nist.gov) CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog in June 2025, and Unit 42 said it observed large-scale exploitation attempts after that listing. Unit 42 also said the recent exploit chains it analyzed were flawed and that successful use of the bug would require access to the router’s web interface. (cisa.gov) (origin-unit42.paloaltonetworks.com)

That split matters for defenders because the TP-Link bug is real even when some live attack attempts fail, while the TBK chain already shows a working infection path. In both cases, the exposed gear sits at the network edge, where old routers and video recorders often stay online for years with weak passwords, no monitoring, or no vendor support. (fortinet.com) (origin-unit42.paloaltonetworks.com)

Mirai has survived for nearly a decade by doing exactly that: scanning for neglected devices, adding them to a botnet, and reusing public vulnerabilities faster than owners patch or replace the hardware. Nexcorium follows the same pattern, with new code on top of an old lesson that unsupported internet-facing devices do not stay quiet for long. (fortinet.com)
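As an added example (not part of the original report or of Fortinet's tooling), the following Python check turns the TBK indicators described above, shell metacharacters in the `mdb`/`mdc` arguments of `/device.rsp` and the `X-Hacked-By` marker, into a detection that can be run over web-server or proxy request records; the record schema (a `url` with path and query plus a `headers` dict) and the sample traffic are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators named in the Fortinet analysis summarised above.
TBK_PATH = "/device.rsp"
TBK_PARAMS = ("mdb", "mdc")      # injectable arguments in CVE-2024-3721
HACKED_BY_MARKER = "nexus team"  # seen in the X-Hacked-By header of the exploit traffic
# Shell metacharacters that a DVR settings value should never contain.
SHELL_META = re.compile(r"[;|&`]|\$\(")

def query_params(query):
    """Split a query string on '&' only. Deliberately not parse_qs: older Pythons
    also split on ';', which would hide the very character we are looking for."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def inspect_request(req):
    """Return the reasons a request matches this campaign (empty list if clean).
    `req` is a dict with 'url' (path + query) and 'headers' (assumed log schema)."""
    reasons = []
    parts = urlsplit(req["url"])
    if parts.path == TBK_PATH:
        params = query_params(parts.query)
        for name in TBK_PARAMS:
            for value in params.get(name, []):
                # Decode once more so a double-encoded %253B still shows up as ';'.
                if SHELL_META.search(unquote_plus(value)):
                    reasons.append(f"shell metacharacter in '{name}' on {TBK_PATH}")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if HACKED_BY_MARKER in headers.get("x-hacked-by", "").lower():
        reasons.append("X-Hacked-By header matches Nexcorium exploit traffic")
    return reasons

def scan(requests):
    """Indices of requests that raised at least one reason."""
    return [i for i, req in enumerate(requests) if inspect_request(req)]

# Constructed sample traffic (not captured data); request 0 is a normal settings call.
SAMPLE_REQUESTS = [
    {"url": "/device.rsp?opt=user&cmd=list", "headers": {}},
    {"url": "/device.rsp?opt=sys&mdb=sos%3Becho%20hit",
     "headers": {"X-Hacked-By": "Nexus Team - Exploited By Erratic"}},
    {"url": "/device.rsp?mdc=%2525%253Becho%2520hit", "headers": {}},  # double-encoded
    {"url": "/index.html", "headers": {"x-hacked-by": "nexus team"}},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(i, inspect_request(SAMPLE_REQUESTS[i]))
```

The header match is the cheaper, higher-confidence signal; the metacharacter check is noisier and is best scoped to DVRs that are not supposed to be reachable from the internet at all.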