Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
Summary
Nexcorium, a Mirai variant, is now being deployed against TBK DVR-4104 and DVR-4216 devices by exploiting CVE-2024-3721, turning compromised IoT hardware into a DDoS botnet. The malware matters because it can establish persistence, survive reboots, and expand the infection to other hosts. It also uses a downloader stage and architecture-aware payload delivery to widen reach across Linux-based devices. The activity increases the risk of long-lived botnet enrollment and outbound attack traffic from exposed DVRs.
Related Happenings
Fast16 Lua-based network worm
Malware Activity
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
How related:
The activity targets CVE-2024-3721 in TBK DVR systems, enabling attackers to gain access and install a multi-architecture Mirai variant malware known as Nexcorium.
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Timeline
18.04.2026 09:01 · 2 articles
Nexcorium deployment against TBK DVR devices
Initial Disclosure
Threat actors are exploiting CVE-2024-3721 against TBK DVR-4104 and DVR-4216 digital video recording devices to deliver Nexcorium, a Mirai variant. The malware drops a downloader, selects the payload by the Linux system's architecture, displays the message "nexuscorp has taken control," and can establish persistence, delete the original binary, and launch DDoS attacks over UDP, TCP, and SMTP.
Sources:
- Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- Attackers Exploit DVR Command Injection Flaw to Deploy Mirai-Based Botnet — www.infosecurity-magazine.com — 20.04.2026 16:01