securityaffairs.com 4/19/2026, 6:12:02 PM · via preferred

Nexcorium Mirai Botnet Exploits CVE-2024-3721 on TBK DVRs

CyberSIXT Evidence Panel
Primary Source: fortinet.com
CISA KEV: Not in KEV
Patch: Patch Available

NEXCORIUM, a Mirai variant, is exploiting a flaw in TBK DVR devices to infect IoT gear and recruit it into DDoS attacks, with FortiGuard Labs noting that the campaign also targets outdated TP-Link routers. According to FortiGuard Labs, the attackers exploit CVE-2024-3721, a command injection vulnerability, to deliver a downloader script that uses a custom “X-Hacked-By” header referencing “Nexus Team” and downloads malware samples labeled “nexuscorp” for Linux architectures such as ARM, MIPS and x86-64.

The downloader then grants full execution permissions and runs the payload, enabling infection across devices and expanding the botnet footprint. Analysis of the “nexuscorp.x86” sample reveals Nexcorium, a Mirai-like malware that uses XOR encoding for configuration data, including C2 details, persistence commands and DDoS instructions, and features watchdog, scanner and attack modules with a self-replication check.

Nexcorium also embeds exploits such as CVE-2017-17215 targeting Huawei devices and includes a large list of default credentials to brute-force Telnet access, while establishing persistence via edits to inittab, rc.local, a systemd service and a cron job. The researchers describe Nexcorium as having a modern IoT-focused botnet architecture with multi-architecture support and various persistence methods to sustain long-term access.
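The four persistence locations named above can be audited on a live device or an extracted firmware tree. The following is an added example, not code from the article or from FortiGuard Labs; it assumes conventional Linux paths and that the persistence entry references the payload by its "nexuscorp" label, and the sample tree (including the `netsvc.service` unit name and the `/tmp` and `/var/run` paths) is constructed.

```python
import re
import tempfile
from pathlib import Path

# Marker from the article: payloads are labelled "nexuscorp" (e.g. nexuscorp.x86).
# Assumption: the persistence entry references the payload by that name.
MARKER = re.compile(r"nexuscorp", re.IGNORECASE)
# inittab, rc.local, systemd service and cron, as conventional Linux paths
# (assumed; embedded devices may keep them elsewhere).
PERSISTENCE_GLOBS = [
    "etc/inittab", "etc/rc.local", "etc/systemd/system/*.service",
    "etc/crontab", "etc/cron.d/*", "var/spool/cron/*", "var/spool/cron/crontabs/*",
]

def audit_persistence(root, marker=MARKER):
    """Return (relative path, line number, line) for each active line matching marker."""
    root = Path(root)
    hits = []
    for pattern in PERSISTENCE_GLOBS:
        for path in sorted(root.glob(pattern)):
            if not path.is_file():
                continue
            lines = path.read_text(errors="replace").splitlines()
            for number, line in enumerate(lines, start=1):
                stripped = line.strip()
                if not stripped or stripped.startswith("#"):
                    continue  # blank lines and comments cannot launch anything
                if marker.search(stripped):
                    hits.append((path.relative_to(root).as_posix(), number, stripped))
    return hits

def build_sample_root(root):
    """Constructed sample tree: three tampered files, one with only a comment."""
    files = {
        "etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/var/run/nexuscorp.arm\n",
        "etc/rc.local": "#!/bin/sh\n# nexuscorp mentioned only in a comment\nexit 0\n",
        "etc/systemd/system/netsvc.service": "[Service]\nExecStart=/tmp/nexuscorp.x86\n",
        "etc/crontab": "*/5 * * * * root /tmp/nexuscorp.x86\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, number, line in audit_persistence(tmp):
            print(f"{rel}:{number}: {line}")
```

Pass a different compiled pattern as `marker` if the payload has been renamed; a clean result only means no entry matched that pattern.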


Article by CyberSIXT
