Nexcorium Mirai variant
- Researchers report a Mirai variant called Nexcorium is exploiting CVE-2024-3721 to hijack TBK DVRs and TP-Link routers. (news.fyself.com)
- The variant is being used to assemble DDoS botnets from end-of-life and poorly patched consumer devices. (news.fyself.com)
- The report underscores that peripheral devices and vendor-managed equipment remain viable footholds for disruption. (news.fyself.com)
A botnet is a swarm of hacked internet devices, and researchers say a Mirai offshoot called Nexcorium is now pulling TBK digital video recorders into one by exploiting CVE-2024-3721. (fortinet.com) Fortinet said on April 17, 2026 that the campaign targets TBK DVR-4104 and DVR-4216 devices through an operating-system command injection bug in `/device.rsp`, using manipulated `mdb` and `mdc` arguments to run attacker commands remotely. (fortinet.com) (nvd.nist.gov) The malware arrives through a downloader script called `dvr`, which then pulls binaries for several processor types, including ARM, MIPS R3000, and x86-64, so the same campaign can hit many kinds of embedded hardware. (fortinet.com) Once running, Nexcorium displays the string “nexuscorp has taken control” and uses familiar Mirai building blocks: a watchdog process, an encoded configuration table, and a distributed denial-of-service attack module. (fortinet.com)

Mirai is malware built to turn internet-connected cameras, routers, and recorders into traffic cannons that overwhelm targets with junk requests. Unit 42 and earlier Mirai research have shown the family keeps spreading by reusing old device bugs and default-password attacks against poorly maintained hardware. (unit42.paloaltonetworks.com 1) (unit42.paloaltonetworks.com 2)

This campaign also reaches beyond DVRs. Unit 42 said attackers have attempted to exploit CVE-2023-33538, a command injection flaw affecting TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 routers, with payloads that match Mirai-style activity. (unit42.paloaltonetworks.com) (nvd.nist.gov) NIST lists CVE-2023-33538 as a high-severity bug with a CVSS 3.1 score of 8.8, and its record says the flaw is in CISA’s Known Exploited Vulnerabilities catalog. TP-Link said affected products had reached end of service, though it posted patched firmware for some models in November 2024 and urged customers to move to newer hardware. (nvd.nist.gov) (tp-link.com)

The TBK flaw has been under active attack for months. FortiGuard said its sensors recorded more than 60,000 detection events tied to CVE-2024-3721 in a July 2025 outbreak alert, pointing to broad scanning well before the newer Nexcorium write-up named the malware family. (fortiguard.com) Fortinet linked the latest activity to a little-known actor it calls “Nexus Team” after seeing the custom `X-Hacked-By` header “Nexus Team – Exploited By Erratic” in exploit traffic. The company said the malware’s embedded configuration includes a command-and-control server, persistence commands, a brute-force wordlist, and DDoS instructions fetched from that server. (fortinet.com)

The pattern is familiar: old routers and security gear stay online for years, keep their public web interfaces exposed, and get folded into attack networks long after vendors stop supporting them. Nexcorium adds another case where the cheapest boxes on a network become the easiest machines to weaponize. (tp-link.com) (fortinet.com)
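For defenders watching for the request pattern described above, here is an added example (not from the article or from Fortinet's report) that scans web-server access logs for `/device.rsp` requests whose `mdb` or `mdc` parameter carries anything beyond a plain token. The combined log format and the sample lines are assumptions constructed for the example.

```python
"""Flag CVE-2024-3721-style probes against a TBK DVR's /device.rsp in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format (assumed): client - - [time] "METHOD target PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# The DVR's own web UI only ever sends plain tokens in these parameters, so any
# other character (';', '|', '$', whitespace, ...) is treated as an injection attempt.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]*$")
WATCHED_PARAMS = ("mdb", "mdc")


def inspect(line):
    """Return a finding for a suspicious /device.rsp request, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/device.rsp":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    bad = {k: v for k in WATCHED_PARAMS for v in params.get(k, []) if not SAFE_VALUE.match(v)}
    if not bad:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "params": bad}


def scan(lines):
    """Run inspect() over every log line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]


# Constructed sample lines: one normal UI request, one probe with shell
# metacharacters in mdc, and one request to an unrelated endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2026:10:00:01 +0000] "GET /device.rsp?opt=user&cmd=list&mdb=sos&mdc=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [17/Apr/2026:10:00:07 +0000] "GET /device.rsp?opt=sys&cmd=sos&mdb=sos&mdc=%3B%20id%20%3B HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [17/Apr/2026:10:00:09 +0000] "GET /login.rsp?user=admin HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same check can be folded into a WAF rule or a SIEM query; the point is that legitimate traffic to this endpoint never needs shell metacharacters in `mdb` or `mdc`.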