Nexcorium Mirai variant leverages CVE-2024-3721 to compromise TBK DVRs and expand DDoS botnet operations
Summary
A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis.
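Two of the host-side behaviours named above can be checked on a Linux device or a mounted image: a process still running after its binary was deleted, and crontab or systemd persistence. The following is an added example, not code from the source article; the file locations and the scratch-directory heuristic are assumptions, since the page gives no paths.

```python
import os
import re
from pathlib import Path

# Assumed standard Linux locations; the page names only "crontab and systemd".
PERSIST_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron", "etc/systemd/system")
# Assumed heuristic: persistence that launches from a scratch directory is suspect.
SCRATCH = re.compile(r"(?<![\w.])/(?:tmp|var/tmp|dev/shm)/\S+")

def deleted_exe_processes(root="/"):
    """Return sorted (pid, target) for processes whose executable was unlinked."""
    hits = []
    for entry in Path(root, "proc").glob("[0-9]*"):
        try:
            pid, target = int(entry.name), os.readlink(entry / "exe")
        except (OSError, ValueError):  # kernel thread, exited process, no access
            continue
        # Linux appends " (deleted)" to the link target once the file is removed.
        if target.endswith(" (deleted)"):
            hits.append((pid, target))
    return sorted(hits)

def scratch_persistence(root="/"):
    """Return (file, line) for cron/systemd lines that run a scratch-dir path."""
    hits = []
    for rel in PERSIST_PATHS:
        base = Path(root, rel)
        if base.is_file():
            files = [base]
        elif base.is_dir():
            files = sorted(p for p in base.rglob("*") if p.is_file())
        else:
            continue
        for f in files:
            try:
                lines = f.read_text(errors="replace").splitlines()
            except OSError:
                continue
            for line in map(str.strip, lines):
                if line and not line.startswith("#") and SCRATCH.search(line):
                    hits.append((str(f.relative_to(root)), line))
    return hits

if __name__ == "__main__":
    for pid, target in deleted_exe_processes():
        print(f"pid {pid}: executable deleted after launch: {target}")
    for name, line in scratch_persistence():
        print(f"{name}: {line}")
```

Pass the mount point of a forensic image as `root` to inspect it offline; a hit is a lead for review, not proof of Nexcorium.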
Timeline
- 18.04.2026 09:01 · 1 article
  Active exploitation of CVE-2024-3721 to deploy Nexcorium Mirai variant on TBK DVRs
  Nexcorium malware is being delivered to TBK DVR-4104 and DVR-4216 devices via CVE-2024-3721, a command injection flaw. The malware establishes persistence through crontab and systemd services, uses hard-coded credentials for Telnet-based lateral movement, and awaits C2 commands to initiate multi-protocol DDoS attacks after deleting original binaries to hinder analysis.
  Sources:
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
Information Snippets
- CVE-2024-3721 (CVSS 6.3) in TBK DVR-4104 and DVR-4216 devices is being exploited to deliver the Nexcorium Mirai variant via a command injection flaw.
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- Nexcorium shares architecture with other Mirai variants, including XOR-encoded configuration tables, watchdog modules, and multi-protocol DDoS attack capabilities (UDP, TCP, SMTP).
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- Post-compromise actions include credential harvesting for Telnet brute-forcing, persistence via crontab/systemd, and deletion of original binaries to evade detection.
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- The malware incorporates an exploit for CVE-2017-17215 to target Huawei HG532 devices within the local network for further propagation.
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- Active exploitation of CVE-2023-33538 (CVSS 8.8), affecting EoL TP-Link routers (TL-WR940N v2/v4, TL-WR740N v1/v2, TL-WR841N v8/v10), has been observed attempting to deploy a Mirai-like botnet. Successful exploitation requires prior authentication to the router's web interface.
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- CVE-2023-33538 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in June 2025, reflecting its active exploitation in the wild.
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01
- The Nexcorium payload displays a banner stating "nexuscorp has taken control" upon execution, indicating takeover or branding by the threat actor.
  First reported: 18.04.2026 09:01 (1 source, 1 article)
  - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet — thehackernews.com — 18.04.2026 09:01