Find notable cyber news and cases, enriched with sources, timelines, and signals.

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First reported
Last updated
Happening score
H score 27
2 unique sources, 2 articles

Summary

Hide ▲

Nexcorium, a Mirai variant, is now being deployed against TBK DVR-4104 and DVR-4216 devices by exploiting CVE-2024-3721, turning compromised IoT hardware into a DDoS botnet. The malware matters because it can establish persistence, survive reboots, and expand the infection to other hosts. It also uses a downloader stage and architecture-aware payload delivery to widen reach across Linux-based devices. The activity increases the risk of long-lived botnet enrollment and outbound attack traffic from exposed DVRs.

Related Happenings

DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)

Vulnerability
H score45 First: 07.06.2026 17:17 Last: 07.06.2026 17:17 Sources 1

About this happening: **DD-WRT router firmware** is affected by **CVE-2021-27137**, a **buffer overflow** now being used by **C0XMO** to deliver malware and enable **unauthenticated remote code executi...

C0XMO Gafgyt botnet activity on DD-WRT routers

Malware Activity
H score19 First: 07.06.2026 17:17 Last: 07.06.2026 17:17 Sources 1

About this happening: The **C0XMO** botnet is spreading through **DD-WRT router firmware** and other internet-facing devices, increasing the pool of systems available for **DDoS** attacks. It exploits...

Fast16 Lua-based network worm

Malware Activity
H score14 First: 27.04.2026 16:09 Last: 27.04.2026 16:09 Sources 1

About this happening: Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
H score66 First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
H score38 First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

Timeline

  1. 18.04.2026 09:01 2 articles · 2mo ago

    Nexcorium deployment against TBK DVR devices

    Initial Disclosure

    Threat actors are exploiting CVE-2024-3721 against TBK DVR-4104 and DVR-4216 digital video recording devices to deliver Nexcorium, a Mirai variant. The malware drops a downloader, selects the payload by the Linux system's architecture, displays the message "nexuscorp has taken control," and can establish persistence, delete the original binary, and launch DDoS attacks over UDP, TCP, and SMTP.

    Show sources