The Hacker News reports that a Mirai variant named Nexcorium is exploiting CVE-2024-3721 to hijack TBK DVRs and turn infected devices into part of a DDoS botnet, with Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 identifying the activity. CVE-2024-3721 is a medium-severity command-injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, and the Nexcorium malware displays a label stating “nexuscorp has taken control” after dropping its downloader and payload.
Fortinet describes Nexcorium as having an architecture similar to Mirai, including XOR-encoded configuration, a watchdog module, and a DDoS component. It notes that the malware also exploits CVE-2017-17215 to target Huawei HG532 devices and makes brute-force attempts using hard-coded credentials. The report also mentions that Unit 42 observed automated CVE-2023-33538 scans in the wild and that the affected TP-Link devices are out of support; it urges replacing them and removing default credentials.
According to the researchers, Nexcorium combines vulnerability exploitation, multi-architecture support, and persistence methods to sustain access and coordinate attacks over UDP, TCP, and SMTP.
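For analysts triaging a sample with the Mirai-style XOR-encoded configuration Fortinet describes, the following added example (not code from the article, Fortinet, or Unit 42) recovers the key from a table of encoded entries and decodes them. It assumes the layout used in Mirai's published source, where each string entry keeps its NUL terminator and a 32-bit key is applied one byte at a time; whether Nexcorium matches that layout is an assumption, and the key, strings, and function names are constructed for illustration.

```python
from collections import Counter

def fold_key(key32: int) -> int:
    """XORing a byte with all four bytes of a 32-bit key equals one XOR
    with those four bytes folded together."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def infer_key(entries):
    """A NUL terminator XORed with the key is the key itself, so string
    entries all end in the key byte; take the most common trailing byte."""
    tails = Counter(e[-1] for e in entries if e)
    if not tails:
        raise ValueError("no non-empty entries")
    return tails.most_common(1)[0][0]

def decode_table(entries):
    """Return (key, decoded). Strings decode to str; entries that are not
    NUL-terminated printable text (ports, raw bytes) come back as hex."""
    key = infer_key(entries)
    decoded = []
    for enc in entries:
        plain = xor_bytes(enc, key)
        body = plain[:-1]
        if plain.endswith(b"\x00") and body and all(0x20 <= b <= 0x7E for b in body):
            decoded.append(body.decode("ascii"))
        else:
            decoded.append(plain.hex())
    return key, decoded

# Constructed sample, not taken from a Nexcorium binary.
SAMPLE_KEY32 = 0x1A2B3C4D  # constructed key; folds to 0x40
SAMPLE_PLAIN = [b"cnc.example.invalid\x00", b"/bin/busybox\x00",
                b"watchdog\x00", b"\x00\x17"]  # last entry: port 23, no terminator
SAMPLE_TABLE = [xor_bytes(p, fold_key(SAMPLE_KEY32)) for p in SAMPLE_PLAIN]

if __name__ == "__main__":
    key, rows = decode_table(SAMPLE_TABLE)
    print(f"key=0x{key:02x}")
    for row in rows:
        print(" ", row)
```

The majority vote matters because binary entries such as ports carry no terminator and so do not end in the key byte.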