A newly identified malware campaign has been observed exploiting a command injection flaw in digital video recorder (DVR) devices to deploy a Mirai-based botnet, according to analysis by FortiGuard Labs. The activity targets CVE-2024-3721 in TBK DVR systems, enabling attackers to gain access and install a multi-architecture Mirai variant known as Nexcorium.
Fortinet researchers found that the attack begins with crafted requests abusing vulnerable parameters to execute a downloader script, which retrieves malicious binaries for ARM, MIPS and x86-64 systems and then executes them with elevated permissions. Evidence within the attack traffic includes a custom HTTP header referencing “Nexus Team,” which analysts believe may point to a previously untracked threat actor.
Upon execution, the malware announces control of the compromised system, signalling a successful infection. The Nexcorium campaign is described as a precise illustration of why automated scanning alone cannot close the exposure gap, according to Trey Ford, chief strategy and trust officer at Bugcrowd.