{
  "name": "Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign",
  "slug": "tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign",
  "description": "Nexcorium is a multi-architecture Mirai variant that exploits CVE-2024-3721 in TBK DVR devices to build a botnet for distributed denial-of-service (DDoS) attacks. The campaign, attributed to Nexus Team based on custom HTTP headers, uses OS command injection to deliver malware across ARM, MIPS, and x86-64 architectures. The malware implements multiple persistence mechanisms, including init configuration, startup scripts, systemd services, and cron jobs. It features XOR-encoded configurations, self-integrity checks, and self-replication capabilities. Attack capabilities include UDP flood, TCP SYN flood, TCP ACK flood, and VSE (Valve Source Engine) query flood, among others. The botnet spreads by brute-forcing logins with default credentials and by exploiting CVE-2017-17215 in Huawei HG532 devices, demonstrating typical IoT-focused botnet characteristics.",
  "published": "2026-04-17T16:56:13+00:00",
  "created_at": "2026-04-17T16:56:13+00:00",
  "modified_at": "2026-04-20T08:52:27+00:00",
  "created_at_opencti": "2026-04-17T16:56:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-17",
    "CVE-2017-17215",
    "CVE-2024-3721",
    "credential brute-force",
    "ddos attacks",
    "iot botnet",
    "mirai",
    "mirai variant",
    "multi-architecture",
    "nexcorium",
    "persistence mechanisms",
    "tbk dvr exploitation"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "176.65.148.186"
      },
      {
        "id": "",
        "name": "838e35b62a6b38675e467301166cdcc54f98d528fe43d56936caeffec88ac696"
      },
      {
        "id": "",
        "name": "37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21"
      },
      {
        "id": "",
        "name": "89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400"
      },
      {
        "id": "",
        "name": "29404df12a7723ce46c8b199c88a808aa315dd8ff8fd1e06a34ccd3d16f4553b"
      },
      {
        "id": "",
        "name": "696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35"
      },
      {
        "id": "",
        "name": "e4789416c35b345e75c023a8c07c207c79937c6a5444e1c29d85d18d2f660d8c"
      },
      {
        "id": "",
        "name": "721c7cb2109ec97c14413cb8b58ddce0ecf0c1f13f22ee4f72eed79b57592cf5"
      },
      {
        "id": "",
        "name": "b1274de00a7f3d7ab9792ec3456e9d5bf057738666f34183f1d72060e2d4f678"
      },
      {
        "id": "",
        "name": "2ccf23b8165e8c05899aa7ba4755b896ebf1d20d3b701cffdc768482486b0a74"
      },
      {
        "id": "",
        "name": "0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe"
      },
      {
        "id": "",
        "name": "9b805585c457811d2c5c5664ede9ee869b53e3c9999100505d7ee8de7f855fdf"
      },
      {
        "id": "",
        "name": "95d1eb12d58206319c514c7240d058c512bb22b31f6ea22ed8be3ae44305c9f7"
      },
      {
        "id": "",
        "name": "7c01d5b53861cd34e10a79fdea16dcf08bce9c78ed72abd6d6f3e9ce75a24734"
      }
    ],
    "malware": [
      {
        "id": "5fdcf97f-0489-477b-a5df-c662e5fc5579",
        "name": "Mirai",
        "slug": "mirai"
      },
      {
        "id": "legacy:malware:abb63bb4417c6242",
        "name": "Nexcorium",
        "slug": "nexcorium"
      }
    ],
    "intrusion_sets": [
      {
        "id": "32ecfaf3-7986-4ceb-9d2c-eae5de9679e9",
        "name": "Nexus Team",
        "slug": "nexus-team"
      }
    ],
    "attack_patterns": [
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "52279b3d-8158-4964-8c20-9094308fcd03",
        "name": "T1110.001"
      },
      {
        "id": "69e8a847-4a5e-45e3-a8c7-535cb6e95e81",
        "name": "T1574.011"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "599730ac-b3e7-4d12-b633-c8e72ed71138",
        "name": "T1498.001"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "894026fa-e537-4b95-b612-7dd8bc367a0d",
        "name": "T1078.001"
      },
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "75b30f91-dcca-43a8-be70-9d50aed83203",
        "name": "T1498.002"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "e0204523-8122-4143-a774-7a3a1a81dc38",
        "name": "T1053.003"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2017-17215"
      },
      {
        "id": "",
        "name": "CVE-2024-3721"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "r3brqw3d.b0ats.top"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69e2824d25c0dbc3e1de156b",
    "https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign"
  ]
}