Mirai Variant 'Nexcorium' Actively Exploits CVE-2024-3721, Building DDoS Botnet from TBK DVRs
A new and aggressive variant of the Mirai botnet, dubbed 'Nexcorium,' is actively exploiting a critical vulnerability in TBK DVR devices to assemble a powerful DDoS army. The malware is targeting CVE-2024-3721, a command injection flaw that allows attackers to execute arbitrary code on vulnerable devices. This campaign represents a significant escalation in the weaponization of Internet of Things (IoT) hardware, turning everyday security cameras into nodes in a distributed denial-of-service network.
The source of the attack is a modified Mirai codebase, Nexcorium, which has been observed scanning for and compromising TBK DVR models. Once infected, these devices are conscripted into a botnet capable of launching large-scale DDoS attacks. The exploitation is not theoretical; it is happening in real time, and the botnet is actively growing. The vulnerability's public disclosure has provided a roadmap for malicious actors, turning a patchable flaw into an immediate operational threat.
This development puts intense pressure on both device manufacturers and network defenders. The persistence of Mirai-based threats underscores the critical risk posed by unpatched, internet-facing IoT equipment. Organizations and individuals using TBK DVRs, or similar devices, face an elevated risk of being compromised and leveraged in attacks against third parties. The situation demands urgent scrutiny of network perimeters and highlights the cascading consequences of delayed patching cycles in the consumer and enterprise IoT landscape.