MagnaNet Network
Threat Actors Exploit Security Flaws in TBK DVR and End-of-Life TP-Link Wi-Fi Routers to Deploy Mirai Botnet Variants.

Cahyo Dewo, April 19, 2026

Cybersecurity researchers have recently uncovered widespread campaigns by threat actors exploiting critical security vulnerabilities in both TBK Digital Video Recorders (DVRs) and several end-of-life (EoL) TP-Link Wi-Fi router models. These coordinated attacks aim to deploy sophisticated variants of the infamous Mirai botnet onto compromised Internet of Things (IoT) devices, transforming them into digital foot soldiers for large-scale distributed denial-of-service (DDoS) attacks. Findings from leading cybersecurity firms Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 independently corroborate the escalating threat, highlighting the persistent danger posed by unpatched and unsupported IoT hardware in the global digital landscape.

The campaigns underscore a critical vulnerability in the expanding ecosystem of connected devices, which often remain unmonitored and unpatched, creating fertile ground for malicious exploitation. The Mirai botnet, known for its ability to harness vast numbers of IoT devices for overwhelming DDoS attacks, continues to evolve, with new variants constantly emerging to leverage freshly discovered or long-forgotten security flaws. This latest wave of attacks serves as a stark reminder of the imperative for robust cybersecurity practices, not just for traditional IT infrastructure but also for the myriad of IoT devices that increasingly permeate homes and businesses.

Targeting TBK DVRs: The Nexcorium Threat

One primary focus of the current exploitation efforts targets TBK DVR devices, specifically leveraging a medium-severity command injection vulnerability identified as CVE-2024-3721 (CVSS score: 6.3). This flaw impacts TBK DVR-4104 and DVR-4216 digital video recording devices, providing attackers a gateway to inject and execute arbitrary commands on the vulnerable systems. According to Fortinet FortiGuard Labs, the exploitation of this particular vulnerability leads to the deployment of a new Mirai variant dubbed Nexcorium.

The attack chain for Nexcorium begins with threat actors exploiting CVE-2024-3721 to gain initial access. Once access is established, a downloader script is fetched and executed. This script is intelligently designed to detect the underlying Linux system’s architecture, ensuring that the appropriate botnet payload is delivered for maximum compatibility and operational success. Upon successful execution of the malware, a chilling message typically appears on the compromised device, boldly stating, "nexuscorp has taken control," signaling the complete usurpation of the device’s control by the attackers.

Fortinet’s analysis reveals that Nexcorium shares a striking architectural resemblance to previous Mirai variants. Its core components include an XOR-encoded configuration table initialization, a watchdog module designed to ensure the malware’s continuous operation by restarting it if terminated, and a robust DDoS attack module. This module equips Nexcorium with the capability to launch various types of DDoS assaults, including those utilizing UDP, TCP, and SMTP protocols, demonstrating its versatility in orchestrating disruptive cyberattacks.

Beyond the initial CVE-2024-3721 exploit, Nexcorium further enhances its reach by incorporating an exploit for CVE-2017-17215, specifically targeting Huawei HG532 devices within the victim’s network. This multi-pronged approach allows the botnet to propagate more widely across different device types. Moreover, Nexcorium is equipped with a list of hard-coded usernames and passwords, which it leverages in brute-force attacks against other hosts accessible from the compromised device via Telnet connections. Should a Telnet login prove successful, the malware attempts to obtain a shell, establish persistence using crontab entries and systemd services, and then connect to an external command-and-control (C2) server, awaiting instructions to launch DDoS attacks. A critical evasion tactic employed by Nexcorium is the deletion of the original downloaded binary once persistence is firmly established, making forensic analysis more challenging for security professionals.
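The persistence and evasion behaviour described above (crontab entries, systemd services, and deletion of the original binary once persistence is established) leaves a recognisable trace on the device: scheduled commands and service units whose program no longer exists on disk, or which run out of a scratch directory, plus running processes whose executable has been unlinked. The following Python script is an added example written for this article, not Fortinet's tooling or anything from the Nexcorium analysis; the sample crontab, unit files and file list are constructed so that it runs offline, and the `exists` predicate can be swapped for `os.path.exists` on a real host.

```python
"""Host-side triage for the persistence pattern described above: crontab
entries and systemd units whose program has vanished from disk (the binary
was deleted after persistence was set) or runs out of a scratch directory.
Added example for this article; not Fortinet's tooling."""
import os
import re
import shlex
from typing import Callable, Optional

# Directories where a legitimately installed service has no reason to live.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/", "/var/run/")

_ENV_ASSIGN = re.compile(r"^[A-Za-z_]\w*=")
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
_EXEC_DIRECTIVE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Stop|Reload)\s*=\s*(.*)$")


def cron_command(line: str) -> Optional[str]:
    """Command part of a user-crontab line; None for blanks, comments and env assignments."""
    s = line.strip()
    if not s or s.startswith("#") or _ENV_ASSIGN.match(s):
        return None
    fields = 1 if s.startswith("@") else 5          # "@reboot cmd" vs five time fields
    parts = s.split(None, fields)
    return parts[fields] if len(parts) == fields + 1 else None


def unit_exec_commands(unit_text: str) -> list:
    """Exec* command strings from a systemd unit, with the exec prefixes (- @ : + !) removed."""
    cmds = []
    for line in unit_text.splitlines():
        m = _EXEC_DIRECTIVE.match(line)
        if m:
            cmds.append(m.group(1).strip().lstrip("-@:+!"))
    return cmds


def programs_in(cmd: str) -> list:
    """First word of each shell segment (split on && || ; |), skipping VAR=value prefixes."""
    progs = []
    for seg in _SEPARATORS.split(cmd):
        try:
            tokens = [t for t in shlex.split(seg) if not _ENV_ASSIGN.match(t)]
        except ValueError:                           # unbalanced quotes: skip the segment
            continue
        if tokens:
            progs.append(tokens[0])
    return progs


def audit_command(cmd: str, source: str, exists: Callable[[str], bool]) -> list:
    """Findings for one command: absolute program paths in scratch dirs or missing from disk."""
    findings = []
    for prog in programs_in(cmd):
        if not prog.startswith("/"):
            continue                                  # bare names resolve via PATH; not judged here
        if prog.startswith(SCRATCH_DIRS):
            findings.append({"source": source, "program": prog, "reason": "runs from scratch directory"})
        if not exists(prog):
            findings.append({"source": source, "program": prog, "reason": "program missing from disk"})
    return findings


def audit(crontab_text: str, units: dict, exists: Callable[[str], bool] = os.path.exists) -> list:
    """Audit a crontab and a name -> unit-text mapping; pass exists=os.path.exists on a live host."""
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line)
        if cmd:
            findings += audit_command(cmd, f"crontab:{n}", exists)
    for name, text in units.items():
        for cmd in unit_exec_commands(text):
            findings += audit_command(cmd, f"unit:{name}", exists)
    return findings


def deleted_running_binaries(exe_links: dict) -> dict:
    """PIDs whose /proc/<pid>/exe target ends in ' (deleted)': running code with no file behind it."""
    suffix = " (deleted)"
    return {pid: t[: -len(suffix)] for pid, t in exe_links.items() if t.endswith(suffix)}


def live_exe_links() -> dict:
    """Read /proc/<pid>/exe for every readable process (root needed for other users' processes)."""
    links = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue
    return links


# Constructed sample input (not captured from a real device).
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/sysupd >/dev/null 2>&1
*/5 * * * * cd /var/run && /var/run/.cache/upd
"""
SAMPLE_UNITS = {
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "sysupd.service": "[Unit]\nDescription=System update helper\n[Service]\nExecStart=-/usr/local/bin/sysupd -d\nRestart=always\n",
}
# Files that exist on the constructed device; the sysupd binary was deleted after install.
SAMPLE_FILES = {"/usr/bin/logrotate", "/usr/sbin/sshd"}


def run_sample_audit() -> list:
    return audit(SAMPLE_CRONTAB, SAMPLE_UNITS, exists=SAMPLE_FILES.__contains__)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['source']}: {f['program']} ({f['reason']})")
```

On the constructed device the audit reports the two scratch-directory cron entries (each also missing from disk) and the systemd unit whose program was removed after installation, while the logrotate and sshd entries pass. `live_exe_links()` feeds `deleted_running_binaries()` on a real host; both checks only read state and change nothing.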

Vincent Li, a security researcher at Fortinet, highlighted the broader implications of such attacks, stating, "IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks." This statement underscores the systemic challenge posed by the vast and often insecure IoT landscape. Fortinet further elaborated on Nexcorium’s capabilities, noting that it "displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach."

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

A History of Exploitation: CVE-2024-3721 and Beyond

The exploitation of CVE-2024-3721 by Nexcorium is not an isolated incident. Over the past year, this specific vulnerability has been repeatedly abused in the wild by various threat actors. Previous campaigns have seen the flaw leveraged to deploy another Mirai variant, as well as a distinct and relatively newer botnet known as RondoDox. This pattern of sustained exploitation demonstrates the high value placed on this vulnerability by cybercriminals seeking to expand their botnet armies.

In September 2025, CloudSEK, another prominent cybersecurity firm, disclosed critical details about a large-scale "loader-as-a-service" botnet infrastructure. This sophisticated operation has been instrumental in distributing RondoDox, Mirai, and Morte payloads. The distribution mechanism primarily relies on exploiting weak credentials and old, unpatched flaws in a diverse array of devices, including routers, other IoT devices, and even enterprise applications. This "loader-as-a-service" model signifies a growing trend in the cybercrime ecosystem, where specialized services are offered to facilitate the deployment of malware, thereby lowering the barrier to entry for less technically proficient threat actors. The continuous re-exploitation of the same vulnerabilities, coupled with the emergence of new botnet variants like Nexcorium, highlights the urgent need for comprehensive patching strategies and improved security hygiene across the IoT landscape.

End-of-Life TP-Link Routers Under Siege: CVE-2023-33538

Parallel to the TBK DVR attacks, Palo Alto Networks Unit 42 has detected active, automated scanning and probing attempts targeting end-of-life (EoL) TP-Link wireless routers. These attacks specifically attempt to exploit CVE-2023-33538 (CVSS score: 8.8), a high-severity command injection vulnerability. While Unit 42’s analysis indicated that the observed in-the-wild exploitation attempts were flawed and did not result in successful compromises, the underlying vulnerability remains a serious concern. This flaw was deemed significant enough to be added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in June 2025, signaling its critical status and the urgent need for remediation or replacement of affected devices.

The vulnerability affects several models of TP-Link wireless routers that are no longer actively supported by the manufacturer. While the original reporting did not specify an exhaustive list of models, the critical aspect is their EoL status, meaning they will not receive future security patches. Researchers Asher Davila, Malav Vyas, and Chris Navarrete from Unit 42 confirmed the authenticity of the vulnerability, stating, "Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real." They further emphasized a crucial detail: successful exploitation of CVE-2023-33538 requires authentication to the router’s web interface. This requirement somewhat limits the attack surface but does not negate the risk, especially if default or easily guessable credentials are in use.

The attacks targeting these EoL TP-Link routers attempt to deploy a Mirai-like botnet malware. The source code of this malware contains numerous references to the string "Condi," suggesting a possible lineage or shared codebase with other known botnets. This Mirai-like variant is equipped with advanced capabilities, including the ability to update itself to newer versions, ensuring its longevity and adaptability. Furthermore, it can act as a web server, facilitating the spread of infection to other devices that connect to it, thereby acting as a pivot point for broader network compromise.

The Broader Landscape: Why IoT Devices Remain Prime Targets

The continuous targeting of devices like TBK DVRs and EoL TP-Link routers by Mirai variants highlights a systemic issue within the broader IoT landscape. The sheer volume and diversity of IoT devices, ranging from smart home gadgets to industrial sensors, present an enormous attack surface. Many of these devices are deployed with default credentials, receive infrequent or no security updates, and are often connected directly to the internet without adequate protective measures. This combination creates an ideal environment for botnet operators.


Mirai itself, first identified in 2016, revolutionized the botnet landscape by demonstrating the immense power that could be wielded by compromising common IoT devices. Its attacks, such as the record-breaking 1.2 Tbps DDoS attack against Dyn in October 2016, crippled major internet services and brought widespread attention to the vulnerabilities inherent in the rapidly expanding IoT ecosystem. Since then, numerous Mirai variants have emerged, each tailored to exploit specific new vulnerabilities or to evade detection, proving the botnet’s enduring adaptability.

The economic implications of such botnet activities are substantial. DDoS attacks can lead to significant downtime for businesses, resulting in lost revenue, reputational damage, and costly recovery efforts. For individual users, compromised IoT devices can lead to privacy breaches, increased internet usage due to malicious traffic, and even potential physical security risks if devices like cameras or smart locks are affected. The "loader-as-a-service" model mentioned by CloudSEK further democratizes cybercrime, making it easier for individuals with limited technical expertise to launch sophisticated attacks.

Mitigation and Recommendations: Securing the IoT Frontier

Given the persistent threat, proactive measures are paramount for both individual users and organizations. For devices like the affected TBK DVRs, users should immediately check for and apply any available firmware updates that address CVE-2024-3721. If no patches are available, or for EoL devices like the vulnerable TP-Link routers, the most stringent recommendation is to replace them with newer, actively supported models. Continuing to operate EoL devices poses an unacceptable security risk, as they will never receive critical security updates to address newly discovered vulnerabilities.

Beyond replacement and patching, several fundamental cybersecurity practices can significantly reduce the risk of compromise:

  1. Strong, Unique Passwords: Never use default credentials for any IoT device. Change passwords immediately upon setup and use strong, unique passwords for each device. Employing a password manager can facilitate this practice.
  2. Network Segmentation: Isolate IoT devices on a separate network segment or VLAN, away from critical IT infrastructure and personal computers. This limits the lateral movement of malware if an IoT device is compromised.
  3. Regular Firmware Updates: For supported devices, regularly check for and apply firmware updates. These updates often contain critical security patches that address known vulnerabilities.
  4. Disable Unnecessary Services: Turn off any features or services on IoT devices that are not actively used. This reduces the attack surface available to threat actors.
  5. Firewall Configuration: Ensure that network firewalls are properly configured to block unsolicited inbound connections to IoT devices and to filter outbound traffic for suspicious activity.
  6. Monitor Network Traffic: Implement network monitoring solutions to detect anomalous traffic patterns that might indicate a compromised device participating in a botnet.
  7. Physical Security: Secure IoT devices physically to prevent tampering or unauthorized access.
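Item 6 asks for monitoring that can spot a compromised device taking part in a botnet. The Telnet brute-force spreading described earlier for Nexcorium produces a distinctive traffic shape: one host opening tcp/23 connections to many distinct neighbours within seconds. The Python script below is an added example written for this article, not Unit 42's or Fortinet's tooling; the flow-log format and the sample records are constructed (a camera at 192.168.50.21 sweeping twelve hosts, an administrator touching three devices over several minutes, and a device retrying a single host), and the threshold and window are assumptions to tune per network.

```python
"""Flag hosts on the IoT segment that fan out Telnet connections to many
distinct neighbours in a short window, the traffic shape left by the Telnet
brute-force spreading described above. Added example for this article; the
flow-log format is constructed, not a real collector's export."""
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Iterable, Optional

TELNET_PORT = 23

# Constructed flow records: "<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>".
# 192.168.50.21 sweeps twelve neighbours on tcp/23 in 22 seconds; .30 is an
# admin touching three devices over several minutes; .40 retries one host.
SAMPLE_FLOWS = """\
2026-04-19T10:00:00Z 192.168.50.21 40001 192.168.50.101 23 tcp
2026-04-19T10:00:02Z 192.168.50.21 40002 192.168.50.102 23 tcp
2026-04-19T10:00:04Z 192.168.50.21 40003 192.168.50.103 23 tcp
2026-04-19T10:00:06Z 192.168.50.21 40004 192.168.50.104 23 tcp
2026-04-19T10:00:08Z 192.168.50.21 40005 192.168.50.105 23 tcp
2026-04-19T10:00:10Z 192.168.50.21 40006 192.168.50.106 23 tcp
2026-04-19T10:00:12Z 192.168.50.21 40007 192.168.50.107 23 tcp
2026-04-19T10:00:14Z 192.168.50.21 40008 192.168.50.108 23 tcp
2026-04-19T10:00:16Z 192.168.50.21 40009 192.168.50.109 23 tcp
2026-04-19T10:00:18Z 192.168.50.21 40010 192.168.50.110 23 tcp
2026-04-19T10:00:20Z 192.168.50.21 40011 192.168.50.111 23 tcp
2026-04-19T10:00:22Z 192.168.50.21 40012 192.168.50.112 23 tcp
2026-04-19T10:00:05Z 192.168.50.21 40013 203.0.113.7 443 tcp
2026-04-19T10:00:10Z 192.168.50.30 51000 192.168.50.5 23 tcp
2026-04-19T10:01:30Z 192.168.50.30 51001 192.168.50.6 23 tcp
2026-04-19T10:03:00Z 192.168.50.30 51002 192.168.50.7 23 tcp
2026-04-19T10:00:12Z 192.168.50.40 60000 192.168.50.101 23 tcp
2026-04-19T10:00:13Z 192.168.50.40 60001 192.168.50.101 23 tcp
2026-04-19T10:00:14Z 192.168.50.40 60002 192.168.50.101 23 tcp
this line is deliberately malformed
"""


def parse_flow(line: str) -> Optional[dict]:
    """One flow record per line; None when the line does not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return {
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": parts[1], "src_port": int(parts[2]),
            "dst_ip": parts[3], "dst_port": int(parts[4]),
            "proto": parts[5].lower(),
        }
    except ValueError:
        return None


def telnet_fanout_peaks(records: Iterable[dict], window_s: int = 60) -> dict:
    """Per source IP, the largest number of distinct tcp/23 destinations seen
    inside any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dst_port"] == TELNET_PORT:
            by_src[r["src_ip"]].append((r["ts"], r["dst_ip"]))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        window, in_window, best = deque(), Counter(), 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # Drop events older than the window before counting distinct targets.
            while (ts - window[0][0]).total_seconds() > window_s:
                _, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            best = max(best, len(in_window))
        peaks[src] = best
    return peaks


def telnet_fanout_alerts(lines: Iterable[str], threshold: int = 10, window_s: int = 60) -> list:
    """Sources whose peak distinct-target count reaches the threshold (both values are assumptions)."""
    records = [r for r in map(parse_flow, lines) if r is not None]
    return [
        {"src_ip": src, "peak_distinct_targets": peak, "window_s": window_s}
        for src, peak in sorted(telnet_fanout_peaks(records, window_s).items())
        if peak >= threshold
    ]


if __name__ == "__main__":
    for alert in telnet_fanout_alerts(SAMPLE_FLOWS.splitlines()):
        print(f"{alert['src_ip']} reached {alert['peak_distinct_targets']} distinct "
              f"Telnet targets within {alert['window_s']} s")
```

Counting distinct destinations rather than raw connection attempts keeps a device that retries one host (.40) and an administrator working through a few devices (.30) below the threshold, while the sweeping camera (.21) peaks at twelve targets inside the 60-second window. The same shape works for any other propagation port a variant is known to use.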

Unit 42 researchers provide a succinct warning that resonates across the entire IoT security landscape: "For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices. These credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers." This statement underscores that even if a vulnerability requires authentication, weak or default credentials render that protection moot.

Conclusion: An Ongoing Battle for Digital Hygiene

The ongoing exploitation of TBK DVR and EoL TP-Link router vulnerabilities by Mirai botnet variants serves as a powerful testament to the relentless nature of cyber threats. It highlights the critical importance of lifecycle management for all connected devices, emphasizing that "set it and forget it" is a dangerous philosophy in the digital age. As the number of IoT devices continues to grow exponentially, the collective responsibility of manufacturers to produce secure devices, and users to maintain them, becomes increasingly vital. The battle against botnets like Mirai is an ongoing one, demanding constant vigilance, proactive security measures, and a commitment to digital hygiene to safeguard our interconnected world from the disruptive power of malicious actors.
