
Nexcorium Mirai variant leverages CVE-2024-3721 to compromise TBK DVRs and expand DDoS botnet operations

2 unique sources, 2 articles

Summary

A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis. Analysis by FortiGuard Labs confirms the multi-architecture infection process and identifies evidence in attack traffic pointing to a previously untracked threat actor group referred to as "Nexus Team," indicating potential attribution beyond earlier assumptions.

Timeline

  1. 18.04.2026 09:01 · 2 articles

    Active exploitation of CVE-2024-3721 to deploy Nexcorium Mirai variant on TBK DVRs

    Nexcorium malware is being delivered to TBK DVR-4104 and DVR-4216 devices via CVE-2024-3721, a command injection flaw. The malware establishes persistence through crontab and systemd services, uses hard-coded credentials for Telnet-based lateral movement, and awaits C2 commands to initiate multi-protocol DDoS attacks after deleting original binaries to hinder analysis. FortiGuard Labs analysis confirms the multi-architecture infection process (ARM, MIPS, x86-64) via a downloader script and identifies a custom HTTP header referencing "Nexus Team" in attack traffic, suggesting involvement by a previously untracked threat actor group.


Similar Happenings

Cross-platform cyberattack campaigns exploiting macOS, Windows, Linux, and mobile devices escalate enterprise SOC operational gaps

Enterprise security operations centers (SOCs) face escalating operational gaps due to multi-platform cyberattack campaigns that exploit fragmented detection and response workflows across Windows endpoints, macOS devices, Linux infrastructure, and mobile platforms. Attackers leverage platform-specific behaviors to evade early triage, split investigations, and delay containment, increasing credential theft, persistence establishment, and lateral movement opportunities. SOC inefficiencies—such as delayed validations, fragmented evidence, and escalation bottlenecks—create measurable business exposure windows where threats advance before detection and response processes consolidate. Campaigns such as ClickFix illustrate how threat actors customize execution paths per operating system, using deceptive techniques (e.g., Google ad redirects to fake documentation pages) to deliver platform-specific payloads like AMOS Stealer and persistent backdoors.

Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. These intrusions have led to physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses. Recent developments indicate that attackers are growing more interested in, and more accustomed to, dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026; such attacks require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.