Internet of Things (IoT) devices are again at the center of large-scale cyber campaigns. Security researchers report that new Mirai-derived botnets are actively exploiting vulnerabilities in TBK digital video recorders (DVRs) and end-of-life TP-Link Wi‑Fi routers to build powerful distributed denial-of-service (DDoS) infrastructures.
Mirai-Inspired Nexcorium Botnet Exploits TBK DVR CVE-2024-3721
According to Fortinet FortiGuard Labs, attackers are abusing CVE-2024-3721 (CVSS 6.3) in TBK DVR‑4104 and DVR‑4216 devices. The flaw is a classic command injection vulnerability in embedded firmware, allowing remote execution of arbitrary commands on the DVR without user interaction.
Exploitation of CVE-2024-3721 begins with downloading a lightweight loader script to the compromised DVR. That script then fetches and executes a malware binary compiled for the device’s specific Linux architecture (for example, MIPS or ARM). After successful deployment, the malware prints the message “nexuscorp has taken control”, indicating that the host has been enrolled into a new IoT botnet identified as Nexcorium.
Technical analysis shows that Nexcorium closely mirrors the original Mirai codebase. It uses an XOR-encoded configuration to hinder static analysis, incorporates a watchdog component to keep the bot running, and provides extensive DDoS attack capabilities. These architectural traits are typical of modern IoT botnets optimized for long-term, automated control over large fleets of devices.
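The XOR-encoded configuration mentioned above is the feature an analyst usually has to undo first when triaging a Mirai-derived sample. The following Python is an added example, not code from Fortinet's report or from the Nexcorium sample: it reproduces the scheme from the leaked Mirai source (table.c applies the four bytes of 0xDEADBEEF in turn to every byte, which collapses to a single-byte XOR) and, because the page does not state which key Nexcorium uses, also ranks all 256 single-byte keys by how printable the decoded output is. The configuration blob, entry layout (NUL-separated strings) and addresses are constructed for the example.

```python
"""Decode a Mirai-style XOR-obfuscated configuration table (added example)."""
from __future__ import annotations

import string

# The leaked Mirai source XORs each byte with k1, k2, k3 and k4 in turn, where
# the k_i are the bytes of 0xDEADBEEF; four chained XORs equal one XOR with
# k1 ^ k2 ^ k3 ^ k4. Whether Nexcorium keeps this key is an assumption here.
MIRAI_TABLE_KEY = 0xDEADBEEF

# Bytes we accept in a decoded table: printable ASCII plus NUL as separator.
ALLOWED = (set(string.printable.encode()) - {0x0B, 0x0C}) | {0x00}


def effective_key(table_key: int) -> int:
    """Collapse a 32-bit Mirai table key into the single byte it acts as."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 means a clean decode."""
    if not data:
        return 0.0
    return sum(b in ALLOWED for b in data) / len(data)


def recover_key(blob: bytes, min_ratio: float = 0.95) -> list[tuple[int, float]]:
    """Rank every single-byte key by printable ratio, best first.

    Use this when a sample does not share Mirai's key: a true key yields a
    ratio near 1.0, wrong keys turn the NUL separators into control bytes.
    """
    scored = [(k, printable_ratio(xor_bytes(blob, k))) for k in range(256)]
    scored.sort(key=lambda kv: kv[1], reverse=True)
    return [(k, r) for k, r in scored if r >= min_ratio]


def parse_table(blob: bytes, key: int) -> list[str]:
    """Decode the blob and split it into its NUL-terminated string entries."""
    decoded = xor_bytes(blob, key)
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


# Constructed sample table: plausible entry types (binary path, watchdog
# device, the banner quoted in the report, a C2 endpoint on TEST-NET-1).
SAMPLE_ENTRIES = [
    "/bin/busybox",
    "/dev/watchdog",
    "nexuscorp has taken control",
    "C2 192.0.2.10:23 UDP TCP SMTP",
]
SAMPLE_BLOB = xor_bytes(
    b"\x00".join(e.encode() for e in SAMPLE_ENTRIES) + b"\x00",
    effective_key(MIRAI_TABLE_KEY),
)

if __name__ == "__main__":
    best_key, ratio = recover_key(SAMPLE_BLOB)[0]
    print(f"best single-byte key: 0x{best_key:02x} (printable ratio {ratio:.2f})")
    for entry in parse_table(SAMPLE_BLOB, best_key):
        print("  ", entry)
```

Running the script recovers 0x22 as the key and prints the four entries; against a real sample, point `recover_key` at the `.rodata` region that holds the table and inspect the top few candidates rather than trusting the first one blindly.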
Lateral Movement via Huawei HG532 and Telnet Brute-Force
Fortinet researchers highlight that Nexcorium embeds an exploit for the older vulnerability CVE-2017-17215, which targets legacy Huawei HG532 home routers. Compromised TBK DVRs effectively function as a pivot point, scanning and attacking vulnerable routers within the same network or on the wider internet.
Beyond direct exploits, Nexcorium also performs Telnet brute-force attacks using a hard-coded list of weak and default login/password combinations. Once a device is accessed via Telnet, the malware establishes persistence (for example, via crontab and systemd entries), then connects to a command-and-control (C2) server. From there, operators can instruct the bot to launch DDoS attacks over UDP, TCP, and even SMTP, enabling a wide range of disruption scenarios. To complicate forensics, the malware deletes the initially downloaded binary after installation, a common tactic in IoT botnet operations.
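The Telnet credential guessing described above is one of the few stages of such a campaign that a defender can see directly in device or syslog output. The following Python is an added detection example, not code from the report: it keeps a sliding window of failed Telnet logins per source address, raises an alert once a source exceeds a threshold, and raises a second, higher-priority alert if that same source then logs in successfully, which is what a default-credential hit looks like. The log line format is constructed for the example (real telnetd and PAM formats vary by firmware), as are the addresses and timestamps.

```python
"""Flag Telnet password guessing in login records (added example)."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format, loosely modelled on syslog output from a login
# service. Real devices differ; adapt LINE_RE to the firmware you run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+) svc=(?P<svc>\S+)$"
)

# Constructed sample: one source hammers several default accounts and then
# succeeds; a second source fails twice five minutes apart; one SSH record.
SAMPLE_LOG = "\n".join([
    "2025-06-01T10:00:00 login: FAILED user=root from=192.0.2.10 svc=telnet",
    "2025-06-01T10:00:02 login: FAILED user=admin from=192.0.2.10 svc=telnet",
    "2025-06-01T10:00:04 login: FAILED user=root from=192.0.2.10 svc=telnet",
    "2025-06-01T10:00:06 login: FAILED user=support from=192.0.2.10 svc=telnet",
    "2025-06-01T10:00:09 login: FAILED user=admin from=198.51.100.7 svc=telnet",
    "2025-06-01T10:00:10 login: FAILED user=admin from=192.0.2.10 svc=telnet",
    "2025-06-01T10:00:12 login: OK user=admin from=192.0.2.10 svc=telnet",
    "2025-06-01T10:05:00 login: FAILED user=admin from=198.51.100.7 svc=telnet",
    "2025-06-01T10:05:01 login: OK user=operator from=198.51.100.7 svc=ssh",
])


def parse_line(line: str) -> dict | None:
    """Return the fields of one record, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return alerts as tuples, in the order they fire.

    ("bruteforce", ip, n)                 n failures from ip inside `window`
    ("success_after_bruteforce", ip, user) a later OK from a flagged ip
    """
    failures: dict[str, deque] = defaultdict(deque)
    flagged: set[str] = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["svc"] != "telnet":
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["result"] == "FAILED":
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent)))
        elif ip in flagged:
            # A success right after guessing is the case worth paging on.
            alerts.append(("success_after_bruteforce", ip, rec["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are deliberately conservative for a home router or DVR, where legitimate Telnet logins are rare; the second alert type matters more than the first, because a botnet that succeeds moves straight on to the persistence and C2 steps the report describes, so that host should be isolated and its crontab and systemd units reviewed.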
Loader-as-a-Service: RondoDox, Mirai and Morte
Earlier research from CloudSEK indicates that CVE-2024-3721 is not used exclusively by Nexcorium operators. The same TBK DVR vulnerability has been leveraged to distribute other malware families, including the emerging RondoDox botnet, as well as various Mirai and Morte variants.
CloudSEK analysts describe an evolving “loader-as-a-service” ecosystem, in which cybercriminals rent access to pre-built loader infrastructures. These loaders are designed to exploit weak passwords and unpatched vulnerabilities in routers, IoT devices and enterprise applications, and then drop whichever botnet payload the customer chooses. This botnet-as-a-service model drastically lowers the barrier to entry: attackers no longer need to develop malware themselves, but can instead focus on monetization via DDoS extortion, traffic resale or further intrusions.
TP-Link CVE-2023-33538 Under Fire: Condi Mirai-Like Botnet
In parallel, Palo Alto Networks Unit 42 has observed automated scanning and attempted exploitation of CVE-2023-33538 (CVSS 8.8) in several end-of-life TP-Link routers. This is another command injection issue in the web-based management interface, potentially granting full remote control of the device.
Unit 42 notes that most in-the-wild exploit attempts are currently flawed and do not reliably achieve compromise. However, the underlying vulnerability is confirmed, and correct exploitation would provide significant leverage to attackers. Importantly, valid authentication to the router’s web panel is required, but on devices left with factory-default credentials, this barrier is minimal.
The objective of these attacks is to deploy a Mirai-like malware strain that prominently references “Condi” in its source code. The Condi botnet can self-update to newer versions and even operate as a web server to infect additional devices that connect to it, effectively turning each compromised router into a propagation node. In June 2025, CVE-2023-33538 was added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), underscoring the risk to users of unsupported TP-Link models that no longer receive security patches.
Why IoT Devices Remain Ideal Targets for DDoS Botnets
Industry experience shows that a combination of massive IoT deployment, infrequent firmware updates and widespread use of default passwords makes cameras, DVRs and home routers highly attractive to botnet operators. Vulnerabilities that are formally “authenticated only” become de facto critical entry points when devices ship with hard-coded or well-known credentials that are never changed.
The original Mirai botnet, which powered record-breaking DDoS attacks against DNS providers and major online services in 2016, demonstrated how a single codebase can have long-lasting impact. Since Mirai’s source code was leaked, numerous forks and derivatives have appeared, each adapting to new vulnerabilities and device types. Nexcorium, Condi and RondoDox are the latest links in this ongoing evolution, confirming that IoT botnets remain a persistent and adaptive threat.
For organizations and home users running TBK DVRs, TP-Link routers and other IoT equipment, these incidents should serve as a call to action. Devices with end-of-life (EoL) status should be replaced with supported models, firmware must be updated regularly, unused services such as Telnet should be disabled, and all default credentials replaced with strong, unique passwords. Network segmentation, restricted management access (for example, limiting admin interfaces to internal subnets or VPN), and continuous monitoring for anomalous traffic can significantly reduce the blast radius of a compromise. Investing in basic IoT hygiene today is one of the most effective ways to prevent your infrastructure from becoming part of the next Mirai-scale DDoS botnet tomorrow.