Nexcorium: Aggressive Mirai Botnet Exploits Critical IoT Vulnerability
A new Mirai malware variant dubbed Nexcorium is actively compromising unpatched Internet of Things (IoT) devices, with attackers exploiting a severe vulnerability in TBK DVR systems to construct a massive botnet capable of launching devastating distributed denial-of-service (DDoS) attacks.
According to recent FortiGuard Labs research, the campaign primarily targets CVE-2024-3721 – a high-severity operating system command injection flaw affecting TBK DVR-4104 and DVR-4216 models. Hackers leverage this weakness to bypass security mechanisms and deploy a malicious downloader script.

Analysis of attack traffic revealed a distinctive HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic,” which serves as a fingerprint linking activities to the emerging “Nexus Team” threat actor.
Malware Behavior and Rapid Spread
After script deployment, Nexcorium fetches its payload. The malware exhibits remarkable adaptability, targeting multiple Linux device architectures including ARM, MIPS, and x86-64. Upon successful execution, it displays a concealed system message: “nexuscorp has taken control.”
While operating similarly to traditional Mirai botnets, Nexcorium employs aggressive propagation tactics post-infection. It immediately scans for vulnerable targets, deploying a secondary exploit targeting CVE-2017-17215 in Huawei HG532 routers. Additionally, it uses a hard-coded dictionary of weak credentials like “admin,” “12345,” and “guest” to brute-force entry via Telnet connections.

To ensure persistence, Nexcorium employs a multi-layered approach:
- Init Configuration: Modifies
/etc/inittabto restart malicious processes upon termination - Startup Scripts: Alters local startup files for execution at boot
- Systemd Services: Creates hidden background services running automatically
- Cron Jobs: Schedules tasks to periodically relaunch malware
After securing persistence, Nexcorium deletes installation files to evade detection.

The botnet ultimately coordinates DDoS attacks via command-and-control servers, supporting over ten attack methods including UDP/TCP SYN floods and SMTP floods to overwhelm diverse targets.
Mitigation Strategies
- Apply immediate firmware patches for affected TBK DVRs, Huawei routers, and IoT hardware
- Replace all default credentials with complex, unique passwords
- Disable external Telnet access and restrict internet exposure of critical devices
- Monitor for abnormal outbound connections and automated scanning behavior