Nexcorium Mirai Variant Exploits TBK DVR Vulnerability to Build DDoS Botnet
Key Findings
Fortinet's FortiGuard Labs discovered Nexcorium, a new Mirai variant targeting DVR devices globally to build a DDoS botnet
Attackers exploit CVE-2024-3721, a command injection vulnerability in TBK DVR-4104 and DVR-4216 models, to gain remote access
The malware displays a "NexusCorp has taken control" message, attributed to the Nexus Team based on code signatures
Nexcorium supports multiple processor architectures and uses extensive persistence methods to survive reboots
The malware includes over 50 hardcoded default credentials for brute-forcing access to other connected devices
Primary objective is launching large-scale DDoS attacks using compromised IoT devices
Background
DVR devices used for security camera systems have become attractive targets for cybercriminals because they are rarely updated and often run with default security settings. TBK models specifically are common in deployments worldwide, making them ideal for building large botnets. The Nexus Team appears to be behind this campaign, using a Mirai-based approach that has proven effective against IoT infrastructure for years. Unlike traditional malware targeting computers, IoT-focused botnets can operate unnoticed in the background, steadily accumulating infected devices.
Exploitation Method
Attackers abuse CVE-2024-3721 by sending specially crafted requests to vulnerable DVR devices. The vulnerability is a command injection flaw, meaning attackers can execute arbitrary commands directly on the device. Once exploited, a downloader script retrieves the actual malware payload, which comes compiled for different processor types such as ARM, MIPS, and x86-64. This multi-architecture approach ensures the malware runs on a wide range of device types, maximizing infection rates.
Malware Capabilities and Persistence
Nexcorium is built to stay embedded in systems long-term. It copies itself into multiple system directories and uses four different persistence methods: modifying the inittab file for automatic startup, updating rc.local scripts, creating systemd services, and adding cron jobs. After establishing persistence, it deletes the original binary to hide its tracks from detection tools.
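Defenders can inventory a device for the four persistence mechanisms named above (inittab, rc.local, systemd units and cron) by auditing a mounted or extracted copy of its filesystem offline. The following is an added example written for this summary, not code from FortiGuard Labs or the reporting outlets; the trusted-directory heuristic, the `audit_persistence` and `build_sample_root` names, and the sample entries are all constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristic: a startup entry whose executable (first absolute path in
# its command) lives outside these directories is reported for analyst review.
TRUSTED = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/", "/etc/init.d/")
# Regex capturing the command field of one line in each mechanism's file.
FIELD = {"inittab": r"^[^:]*:[^:]*:[^:]*:(.*)$",     # id:runlevels:action:process
         "cron": r"^(?:@\w+|(?:\S+\s+){5})(.*)$",   # five time fields, then command
         "systemd": r"^ExecStart\s*=\s*-?(.*)$",
         "rc.local": r"^(.*)$"}                      # every line is a command

def _command_of(line, kind):
    line = line.strip()
    m = re.match(FIELD[kind], line) if line and not line.startswith("#") else None
    return m.group(1) if m else None

def audit_persistence(root):
    """Return [(mechanism, file, command)] for suspect startup entries under `root`,
    a mounted or extracted device filesystem, so the check runs offline."""
    root = Path(root)
    targets = [("inittab", [root / "etc/inittab"]),
               ("rc.local", [root / "etc/rc.local"]),
               ("systemd", (root / "etc/systemd/system").glob("*.service")),
               ("cron", [*(root / "etc/cron.d").glob("*"),
                        *(root / "var/spool/cron/crontabs").glob("*")])]
    findings = []
    for kind, files in targets:
        for f in (p for p in files if p.is_file()):
            for line in f.read_text(errors="replace").splitlines():
                cmd = _command_of(line, kind)
                paths = re.findall(r"(?<![\w-])/[\w./-]+", cmd or "")
                if paths and not paths[0].startswith(TRUSTED):
                    findings.append((kind, str(f.relative_to(root)), cmd))
    return findings

def build_sample_root():
    """Constructed sample filesystem (no real malware): benign and suspect entries mixed."""
    root = Path(tempfile.mkdtemp())
    samples = {"etc/inittab": "::sysinit:/etc/init.d/rcS\n::sysinit:/var/.x/bot\n",
               "etc/rc.local": "#!/bin/sh\n/usr/sbin/sshd\n/dev/shm/.x/bot &\nexit 0\n",
               "etc/systemd/system/net-update.service": "[Service]\nExecStart=/tmp/.x/bot\n",
               "etc/cron.d/bot": "0 3 * * * root /usr/bin/logrotate\n* * * * * root /tmp/.x/bot\n"}
    for rel, text in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root
```

Running `audit_persistence(build_sample_root())` reports one entry per mechanism and ignores the benign sshd, getty-style and logrotate entries; on a real device, diff the output against a known-good firmware image rather than relying on the directory heuristic alone.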
The malware contains over 50 hardcoded passwords including common defaults like admin123, 12345, and device-specific credentials like hikvision. It uses these credentials to brute-force access to other routers and cameras on the same network, continuously expanding the botnet without human intervention.
DDoS Attack Capabilities
Once a device is compromised, Nexcorium connects to command-and-control servers to receive attack instructions. The malware supports multiple DDoS attack types, including UDP and TCP floods. It can receive commands to start attacks, stop them, or even terminate itself. The real damage occurs when thousands of these hijacked devices simultaneously flood a target website with junk traffic, overwhelming its servers until they stop responding.
Attribution and Known Exploits
Code analysis attributes the campaign to the Nexus Team, with the signature "Nexus Team – Exploited By Erratic" embedded in the malware. The group is not entirely new to the scene, but this campaign shows sophistication in combining multiple known vulnerabilities. Beyond exploiting CVE-2024-3721, Nexcorium also includes an exploit for CVE-2017-17215, which targets Huawei devices, showing the attackers' willingness to combine exploits for maximum reach.
Defense Recommendations
Organizations using TBK DVRs or similar devices should immediately change default passwords and enable strong authentication. Software updates should be applied promptly when available, though many of these devices are end-of-life and no longer receive patches. Network segmentation helps contain compromised devices, preventing them from reaching other systems. Security teams should monitor for unexpected outbound connections or sustained high CPU usage, which could indicate an infected device taking part in DDoS attacks.