惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
C
Cisco Blogs
The Hacker News
The Hacker News
T
Threatpost
S
Schneier on Security
K
Kaspersky official blog
Spread Privacy
Spread Privacy
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
NISL@THU
NISL@THU
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
Security Latest
Security Latest
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News and Events Feed by Topic
爱范儿
爱范儿
P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
Project Zero
Project Zero
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
GbyAI
GbyAI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
T
Tenable Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
C
Cyber Attacks, Cyber Crime and Cyber Security
N
News and Events Feed by Topic
V
V2EX
Webroot Blog
Webroot Blog
The Register - Security
The Register - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Blog — PlanetScale
Blog — PlanetScale
M
MIT News - Artificial intelligence
Scott Helme
Scott Helme
Simon Willison's Weblog
Simon Willison's Weblog
L
LangChain Blog
W
WeLiveSecurity
Cloudbric
Cloudbric

Fortinet All Blogs

The TTF Trap: A Global Campaign of a Low-Detection Lua Loader | FortiGuard Labs Helping Law Enforcement Keep Pace with the Future of Cybercrime | Fortinet Blog FortiEndpoint Expands Security for the AI Era | Fortinet Blog Cyber Attacks Leveraging AI Require Behavior-First Security Training, Not Simply Better Awareness | Fortinet Blog The AI Era Needs a New SASE. Here’s What That Actually Looks Like. | Fortinet Blog Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula | FortiGuard Labs Update on Fortinet Use of Frontier AI | CISO Collective Fortinet Supports INTERPOL Operation CyberProtect III Targeting Online Exploitation From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach | FortiGuard Labs Fortinet Launches Its Product Carbon Footprint Calculator FortiSASE Training Builds Skills for Secure Access Success | Fortinet Blog Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog Teaching Cybersecurity the Way It’s Actually Used | Fortinet Blog Introducing FortiSOC: One Platform, Total Control | Fortinet Blog Public-Private Cooperation Is Critical to AI-Driven Cyber Defense | Fortinet Advancing Threat-Informed Defense through Fortinet’s Collaboration with MITRE CTID | Fortinet Threat Actors Weaponize AI Hype to Deliver AsyncRAT | FortiGuard Labs Fortinet Achieves 1 Million People Trained in Cybersecurity Goal Ahead of Schedule | Fortinet Blog While OT Security Is Maturing, Risk Is Not Slowing Down | Fortinet Blog AI Policy Meets Operational Reality: White House AI Cybersecurity Order Calls for Public-Private Coordination | Fortinet Blog Executive Q&A: Strong Q1 Momentum Driven by Differentiated Innovation and Customer Demand | Fortinet Fortinet Earns AV-Comparatives Certification for EDR Detection Visibility | Fortinet Blog Cybercriminals Are Targeting the FIFA World Cup 2026 | FortiGuard Labs Fortinet Achieves AV-Comparatives Certification for Process Injection Protection | Fortinet Blog Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs Battling AI-Based Threats with FortiNDR | Fortinet Blog Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data Defending Critical Infrastructure: Why OT Security Demands a Threat-Informed Approach | CISO Collective Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise | FortiGuard Labs Fortinet Expands Cybersecurity Investment in the United Arab Emirates | Fortinet Blog PureLogs: Delivery via PawsRunner Steganography | FortiGuard Labs The Future of Connectivity | Fortinet Blog Fortinet at the World Economic Forum: Frontier AI models, AI-Driven Threats, Deepfakes, and the Future of Cyber Defense | Fortinet Blog The Fortinet 2025 Sustainability Report | Fortinet Blog Supercharged Security: Security in the Time of Mythos | CISO Collective AI Security Is an Architectural Decision | Fortinet Blog Fortinet Training Institute Wins Industry Accolades | Fortinet Blog Shadow AI: The Invisible Risk Growing Inside Your Organization | Fortinet Blog Leading by Example in Sustainability: Fortinet Expands Global EPD Certification | Fortinet Blog When Cybercrime Becomes an Industry | Fortinet Blog FortiOS 8.0: Redefining Secure Networking in the AI and Quantum Era | Fortinet Blog Securing the Physical World as It Comes Online | Fortinet Blog Why the 2026 AI Cybersecurity Summit Matters | Fortinet Blog DPRK-Related Campaigns with LNK and GitHub C2 | FortiGuard Labs AI Is Changing Application Threats Faster Than Teams Can Adapt | Fortinet Blog Announcing the Fortinet Training Institute’s 2026 ATC Award Winners | Fortinet Blog Disrupting Cybercrime Networks at Scale Requires Sustained Global Collaboration | Fortinet Blog
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs
Vincent Li · 2026-04-17 · via Fortinet All Blogs

Affected Platforms: TBK DVR-4104, DVR-4216
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.

FortiGuard Labs has analyzed a recent campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver a multi-architecture Mirai variant called Nexcorium. By examining the infection chain, persistence mechanisms, and attack capabilities, we offer insights into the operational behavior of the associated threat actor and its potential impact on targeted environments.

Incidents

The threat actors delivered a downloader script by exploiting CVE-2024-3721, an OS command injection vulnerability in TBK DVR devices through manipulation of the mdb / mdc arguments.

Figure 1: Exploit traffic via CVE-2024-3721

The exploit features a custom HTTP header, “X-Hacked-By,” with the value “Nexus Team – Exploited By Erratic.” Based on this artifact, we think the activity is likely linked to a threat actor, which we suggest identifying as “Nexus Team.” However, this actor is not widely known.

The downloader script, called dvr, fetches malware samples with filenames starting with nexuscorp and targets multiple Linux architectures, including ARM, MIPS R3000, and x86-64 (AMD64). The script sets the permissions of the retrieved malware to 777 and runs it with an argument that indicates the exploited device on the victim host.

Figure 2: Downloader shell script “dvr”

Malware Analysis

This analysis is based on the “nexuscorp.x86” sample. Upon execution, the malware shows the string “nexuscorp has taken control.”

Figure 3: Display string after execution

Nexcorium has a similar architecture to the Mirai variant, including XOR-encoded configuration table initialization, watchdog module, and DDoS attack module.

The malware first performs XOR decoding to extract its embedded configuration, which includes C2 server domain and port, persistence-related shell commands, a hard-coded brute-force wordlist, DDoS attack commands retrieved from the C2 server, and embedded exploit code.

Figure 4: XOR-Encoded configuration with the key 0x13

Figure 5: XOR-Encoded configuration with the key 0xFD

Nexcorium shares an architecture similar to other Mirai variants. It consists of three core modules: watchdog, scanner, and attacker. The watchdog component uses the string NXS_WD_CHILD as a sub-process role marker to distinguish watchdog-spawned child processes.

Figure 6: Watchdog subprocess role marker

Nexcorium performs self-integrity checks by first storing executive arguments in global variables and retrieving the current execution path from /proc/self/exe. It calculates the hash of the executable file using the FNV-1a algorithm. If the original file is missing, unreadable, or its hash does not match, the malware creates a duplicate under a different filename and sets the file permissions to 700.

Figure 7: Self-replication

Notably, the malware includes an exploit for CVE-2017-17215, targeting Huawei HG532 devices. This is also commonly seen in other Mirai variants.

Figure 8: XOR-Encoded CVE-2017-17215 exploit

The exploit is stored in table ID 23 and used in the scanner component. Once Nexcorium connects to the victim host, the module looks up the table, retrieves the CVE-2017-17215 payload, and sends a malicious packet.

Figure 9: Send CVE-2017-17215 exploit if the socket is established

Additionally, the malware contains a hard-coded username and password list used for brute-force attacks. Most entries include default credentials.

ubuntuguestsupportdefault
12345123456changemehikvision
operator888888Administratormeinsm
7ujMko0adminadmin123admin1234admintest
comcomcommotorolapassworddaemon
OxhlwSG8S2fGqNFstlJwpbo6D-Link
netscreen7ujMko0vizxvGM8182Root1
Zte521antslqcat1029dreambox
grouterhg2x0huigu309ipcam_rt5350
jauntechsolokeyswsbzkgntaZz@23495859
tsgoingonvertex25ektks123xc3511xmhdipc
Zhongxingtelnettelnetadmin 

The malware scan involves the victim's hosts opening a Telnet connection. It then starts a brute-force attack using the previous wordlist. If Nexcorium successfully logs in, it executes commands to check if it gets a shell, including system, shell, sh, and cat /bin/busybox.

Figure 10: Execute shell command if Nexcorium successfully logs in via telnet

Once Nexcorium executes the command, it will parse and verify the victim host’s architecture using its hard-coded list.

Figure 11: Parsing the architecture information response from the victim host

The malware retrieves the actual execution path from /proc/self/exe again for persistence purposes. If it is not running from /usr/local/bin/, it copies itself to /usr/local/bin/sysd and proceeds to establish persistence through multiple mechanisms.

1. Init configuration

It updates /etc/inittab to make sure the process restarts if it stops.

Figure 12: Persistence method via /etc/inittab

2. Startup script

It creates or updates /etc/rc.local to ensure execution at system startup.

Figure 13: Persistence method via /etc/rc.local

3. Systemd service

It then checks common system paths (e.g., /bin/systemctl, /usr/bin/systemctl, and /etc/system/system) and creates a service file at /etc/systemd/system/persist.service, enabling it to run automatically at startup.

Figure 14: Persistence method via creating daemon

4. Cron job

It creates a scheduled task using crontab to ensure it runs after reboot.

Figure 15: Persistence method using crontab

After completing the persistence setup, the malware deletes its original binary from the current execution path to evade analysis.

Figure 16: Self-delete to evade anaysis

Based on the XOR-decoded configuration, Nexcorium supports multiple DDoS attack methods, including UDP flood, TCP ACK flood, TCP SYN flood, TCP generic flood, SMTP flood, TCP PSH flood, TCP URG Flag flood, UDP blast flood, and VSE query flood. It can stop ongoing DDoS attacks and terminate its own process as well.

CommandAttack IDDescription
udp0UDP Flood
ack10TCP ACK Flood
syn3TCP SYN Flood
std4TCP Generic Flood
stmp9SMTP Flood
psh5TCP PSH Flood
synd7TCP SYN Flood Variant
urg6TCP URG Flag Flood
udb8UDP Blast Flood
vse1VSE Query Flood
tcpa12TCP ACK + PSH Flood
killattk-Stop Attack
botkill-Kill Bot

The malware initializes its attack modules by allocating an array and adding the offset of each attack module to it. It then establishes a connection with the C2 domain r3brqw3d[.]b0ats[.]top and parses commands retrieved from the C2 server to launch subsequent attacks.

Figure 17: Attack method to parse commands from the C2 server

Conclusion

The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.

Additionally, its diverse range of DDoS attack vectors and centralized command-and-control communication indicate its primary role in coordinated attack campaigns. The use of customized exploit artifacts, such as the “X-Hacked-By” header, also provides valuable clues linking the activity to the suspected threat actor.

The continuous monitoring of vulnerability exploitation trends, along with proactive detection of malicious traffic and behavior patterns, remains essential for reducing similar threats targeting IoT and networked systems.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

BASH/Mirai.AEH!tr.dldr
ELF.Mirai.ATL!tr
ELF/Nexcorium.A!tr
ELF/Mirai.EGX!tr

The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running these products with up-to-date signatures are protected against the malware components described in this report.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerabilities:

CVE-2024-3721: 55717 TBK.DVR.SOSTREAMAX.Command.Injection

Organizations seeking to strengthen foundational security awareness might also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity.  This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.

If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.

IOCs

Hosts

84[.]200[.]87[.]36
176[.]65[.]148[.]186
r3brqw3d[.]b0ats[.]top

Files

Downloader
696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35

Nexcorium
37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21
e4789416c35b345e75c023a8c07c207c79937c6a5444e1c29d85d18d2f660d8c
0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe
9b805585c457811d2c5c5664ede9ee869b53e3c9999100505d7ee8de7f855fdf
95d1eb12d58206319c514c7240d058c512bb22b31f6ea22ed8be3ae44305c9f7
7c01d5b53861cd34e10a79fdea16dcf08bce9c78ed72abd6d6f3e9ce75a24734
838e35b62a6b38675e467301166cdcc54f98d528fe43d56936caeffec88ac696
2ccf23b8165e8c05899aa7ba4755b896ebf1d20d3b701cffdc768482486b0a74
29404df12a7723ce46c8b199c88a808aa315dd8ff8fd1e06a34ccd3d16f4553b
b1274de00a7f3d7ab9792ec3456e9d5bf057738666f34183f1d72060e2d4f678
721c7cb2109ec97c14413cb8b58ddce0ecf0c1f13f22ee4f72eed79b57592cf5
89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400