Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
Summary
Hide ▲
Show ▼
Nexcorium, a Mirai variant, is now being deployed against TBK DVR-4104 and DVR-4216 devices by exploiting CVE-2024-3721, turning compromised IoT hardware into a DDoS botnet. The malware matters because it can establish persistence, survive reboots, and expand the infection to other hosts. It also uses a downloader stage and architecture-aware payload delivery to widen reach across Linux-based devices. The activity increases the risk of long-lived botnet enrollment and outbound attack traffic from exposed DVRs.
Related Happenings
DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)
Vulnerability
H score45
First: 07.06.2026 17:17
Last: 07.06.2026 17:17
Sources 1
About this happening:
**DD-WRT router firmware** is affected by **CVE-2021-27137**, a **buffer overflow** now being used by **C0XMO** to deliver malware and enable **unauthenticated remote code executi...
DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)
VulnerabilityAbout this happening: **DD-WRT router firmware** is affected by **CVE-2021-27137**, a **buffer overflow** now being used by **C0XMO** to deliver malware and enable **unauthenticated remote code executi...
C0XMO Gafgyt botnet activity on DD-WRT routers
Malware Activity
H score19
First: 07.06.2026 17:17
Last: 07.06.2026 17:17
Sources 1
About this happening:
The **C0XMO** botnet is spreading through **DD-WRT router firmware** and other internet-facing devices, increasing the pool of systems available for **DDoS** attacks. It exploits...
C0XMO Gafgyt botnet activity on DD-WRT routers
Malware ActivityAbout this happening: The **C0XMO** botnet is spreading through **DD-WRT router firmware** and other internet-facing devices, increasing the pool of systems available for **DDoS** attacks. It exploits...
Fast16 Lua-based network worm
Malware Activity
H score14
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
Fast16 Lua-based network worm
Malware ActivityAbout this happening: Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
H score38
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
CampaignAbout this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Timeline
-
18.04.2026 09:01 2 articles · 2mo ago
Nexcorium deployment against TBK DVR devices
Initial DisclosureThreat actors are exploiting CVE-2024-3721 against TBK DVR-4104 and DVR-4216 digital video recording devices to deliver Nexcorium, a Mirai variant. The malware drops a downloader, selects the payload by the Linux system's architecture, displays the message "nexuscorp has taken control," and can establish persistence, delete the original binary, and launch DDoS attacks over UDP, TCP, and SMTP.
Show sources
- Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- Attackers Exploit DVR Command Injection Flaw to Deploy Mirai-Based Botnet — www.infosecurity-magazine.com — 20.04.2026 16:01