
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet


Not every cyber threat targets enterprise servers or user endpoints. Some of the most disruptive attacks begin with overlooked devices quietly running in the background. The Nexcorium campaign, a Mirai-based botnet, demonstrates how vulnerable Internet of Things (IoT) devices can be transformed into a large-scale attack infrastructure. By exploiting CVE-2024-3721 in TBK DVR systems, attackers are able to remotely execute commands and deploy malware without requiring any user interaction, making exposed devices easy targets.


This campaign reflects a familiar but evolving pattern. Mirai may be years old, but its core strategy remains effective because the conditions that enable it still exist. Many IoT devices remain unpatched, use default credentials, or are exposed directly to the internet with minimal security controls. Nexcorium builds on this weakness by combining known vulnerabilities with automated propagation, allowing attackers to scale quickly and efficiently.


Exploitation at the Edge: Turning Devices into Entry Points

At the core of Nexcorium is a command injection vulnerability that allows attackers to send specially crafted requests to vulnerable DVR devices. Once triggered, the flaw enables remote execution of system commands, effectively handing control of the device to the attacker. This type of vulnerability is particularly dangerous because it does not rely on user interaction and can be exploited at scale across internet-facing systems.


After gaining access, attackers deploy a lightweight downloader script that retrieves the main malware payload. The malware is compiled for multiple architectures, ensuring compatibility across a wide range of IoT devices. This flexibility allows Nexcorium to target diverse environments, from home routers to enterprise surveillance systems, significantly expanding its reach.


From Infection to Botnet: How Nexcorium Scales

Once installed, the Nexcorium payload behaves like a typical Mirai variant, but with enhanced propagation techniques. It scans for other vulnerable devices across the internet and attempts to log in using default or weak credentials. In parallel, it exploits additional known vulnerabilities in other device types, enabling rapid lateral spread beyond the initial infection point.


This dual approach, combining exploitation and brute-force attacks, allows the botnet to grow rapidly and continuously. Each newly infected device becomes part of a distributed network, contributing resources to the botnet and helping it expand further. Over time, this creates a large and resilient attack infrastructure capable of sustaining high-impact operations.


Persistence and Control: Maintaining the Botnet

Nexcorium is designed not just to infect devices, but to remain on them. It achieves persistence by modifying startup scripts, creating scheduled tasks, and embedding itself within system directories. Even if a device is rebooted, the malware can reinitialize and continue operating, making removal more difficult without proper remediation.


At the same time, infected devices communicate with command-and-control infrastructure controlled by the attackers. Through this channel, operators can issue instructions, update attack parameters, and coordinate large-scale campaigns. The use of encoded configurations helps obscure these communications, making detection more challenging for defenders.


The Real Impact: DDoS at Scale and Beyond

The primary goal of Nexcorium is to launch Distributed Denial-of-Service (DDoS) attacks. By coordinating thousands of compromised devices, attackers can generate massive volumes of traffic that overwhelm targeted systems. These attacks can disrupt websites, online services, and even critical infrastructure, leading to downtime and financial loss.


However, the impact extends beyond the targets of these attacks. Device owners may experience degraded performance, increased bandwidth usage, and potential service interruptions without realizing their devices are compromised. At a broader level, the continued growth of such botnets contributes to instability across the global internet ecosystem.


Why IoT Remains a Weak Link

The success of campaigns like Nexcorium highlights a persistent issue in cybersecurity: IoT devices are often deployed with minimal security in mind. Many lack update mechanisms, are no longer supported by vendors, or are configured with weak authentication. These gaps create an environment where attackers can operate with relatively low effort and high impact.


As more devices become connected, the attack surface continues to expand. Without proper controls, each vulnerable device represents not just an individual risk, but a potential building block for large-scale attacks. This makes IoT security not just a technical concern, but a systemic one affecting the broader digital landscape.


Reducing Exposure: Security Starts with Basics

Defending against Nexcorium begins with addressing known weaknesses. Applying firmware updates and replacing end-of-life devices are critical steps in eliminating exploitable vulnerabilities. Devices that cannot be patched should be removed or isolated, as they represent a persistent risk.


Equally important is reducing exposure. Many attacks succeed simply because devices are accessible from the internet. Restricting access, disabling unnecessary services, and placing devices behind secure gateways can significantly reduce the likelihood of compromise. These measures do not require advanced tooling, but they are often overlooked.


Detection and Response: Staying Ahead of Botnets

Monitoring network activity is essential for identifying compromised devices. Unusual outbound traffic, repeated connection attempts, or unexpected spikes in bandwidth usage can indicate botnet activity. Early detection allows organizations to isolate affected devices before they contribute to larger attacks.
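The indicators described above (scan-like fan-out of connection attempts, as in the propagation behaviour discussed earlier, and outbound bandwidth spikes) as a small offline check over flow records. This is an added example, not tooling from the original article; the flow records are constructed and the thresholds are assumptions that a defender would tune to their own network.

```python
"""Flag IoT devices whose outbound flows look like botnet scanning or
DDoS participation. Added example; constructed data and assumed thresholds."""
from collections import defaultdict

# Constructed flow records in the form "src_ip dst_ip dst_port bytes_out".
# 192.168.1.20 is a normal device; 192.168.1.50 behaves like an infected DVR
# (connection attempts on 23/tcp to many hosts plus a large outbound burst);
# 192.168.1.60 only shows an outbound volume spike.
SAMPLE_LOG = (
    ["192.168.1.20 10.0.0.5 443 1200", "192.168.1.20 10.0.0.5 443 800"]
    + [f"192.168.1.50 203.0.113.{i} 23 60" for i in range(1, 41)]
    + ["192.168.1.50 198.51.100.7 80 5000000",
       "192.168.1.60 198.51.100.8 80 6000000"]
)

FANOUT_THRESHOLD = 25        # distinct destinations on one port (assumption)
BYTES_THRESHOLD = 1_000_000  # outbound bytes per source in the window (assumption)


def parse_flow(line):
    """Split one constructed flow line into (src, dst, port, bytes_out)."""
    src, dst, port, nbytes = line.split()
    return src, dst, int(port), int(nbytes)


def analyze_flows(lines, fanout_threshold=FANOUT_THRESHOLD,
                  bytes_threshold=BYTES_THRESHOLD):
    """Return {src_ip: [reason, ...]} for sources exceeding either threshold."""
    dests = defaultdict(set)      # (src, port) -> distinct destination hosts
    out_bytes = defaultdict(int)  # src -> total bytes sent
    for line in lines:
        src, dst, port, nbytes = parse_flow(line)
        dests[(src, port)].add(dst)
        out_bytes[src] += nbytes
    findings = defaultdict(list)
    for (src, port), targets in dests.items():
        if len(targets) >= fanout_threshold:
            findings[src].append(
                f"scan-like fan-out: {len(targets)} hosts on port {port}")
    for src, total in out_bytes.items():
        if total >= bytes_threshold:
            findings[src].append(f"outbound volume spike: {total} bytes")
    return dict(findings)


if __name__ == "__main__":
    for device, reasons in analyze_flows(SAMPLE_LOG).items():
        print(device, "->", "; ".join(reasons))
```

Devices flagged this way should be isolated and checked for the persistence mechanisms described above before being redeployed.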


A structured incident response approach is also necessary. Infected devices should be removed from the network, reset to factory settings, and reconfigured securely before being redeployed. Without proper remediation, reinfection is highly likely, especially in environments where vulnerabilities remain unaddressed.


A Persistent Threat in a Growing Ecosystem

Nexcorium is not a new concept, but it is a clear reminder that old threats evolve faster than defenses when underlying issues remain unresolved. Mirai-based botnets continue to thrive because they exploit systemic weaknesses in how IoT devices are designed, deployed, and maintained.


The takeaway is straightforward. IoT devices must be treated as critical assets, not secondary components. As attackers continue to automate and scale their operations, even small, overlooked devices can become part of something much larger and far more disruptive.


© 2025 Vardaan Sdn Bhd. All Rights Reserved.
