
Mirai Malware Spreads Through Vulnerable TBK DVR Devices

Researchers warn that the continued use of default credentials in IoT environments will remain a persistent security risk.

Threat actors are actively taking advantage of security weaknesses in TBK digital video recorders and outdated TP-Link Wi-Fi routers to install variants of the Mirai botnet on compromised systems. This activity has been documented by researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.

One of the primary attack vectors involves the exploitation of CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3, classified as medium severity. This flaw affects TBK DVR-4104 and DVR-4216 devices and is being used to deliver a Mirai-based malware strain identified as Nexcorium.

Security researchers note that IoT devices continue to be heavily targeted because they are widely deployed, frequently lack timely security updates, and are often configured with weak protections. These conditions allow attackers to exploit known vulnerabilities to gain initial access, deploy malicious code, maintain persistence, and ultimately use infected devices to conduct distributed denial-of-service attacks.

This vulnerability has already been observed in previous attack campaigns. Over the past year, it has been used not only to deploy Mirai variants but also a newer botnet known as RondoDox. In addition, earlier reporting highlighted large-scale botnet operations distributing multiple malware families, including Mirai, RondoDox, and Morte, by exploiting weak credentials and outdated vulnerabilities across routers, IoT devices, and enterprise systems.

In the current attack chain described by Fortinet, exploitation of CVE-2024-3721 allows attackers to download a script onto the target device. This script then determines the system’s Linux architecture and retrieves a compatible botnet payload. Once executed, the malware displays a message indicating that the system has been taken over.
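Because the downloader stage picks a payload to match the victim's CPU, a responder triaging a directory of dropped files from a DVR or router first needs to know which architecture each sample was built for. The following ELF header parser is an added example written for this article (not code from Fortinet, Unit 42, or the malware itself); the two sample headers and the non-ELF blob are constructed here and are not real samples.

```python
import struct

# Constructed sample inputs: only the first 20 bytes of an ELF header each,
# enough to carry e_ident, e_type and e_machine. Not real malware.
MIPS32_BE_HEADER = b"\x7fELF" + b"\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02" + b"\x00\x08"
AARCH64_LE_HEADER = b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00" + b"\xb7\x00"
NOT_AN_ELF = b"#!/bin/sh\necho not an elf\n"

# e_machine values from the ELF specification for the CPUs most often seen
# in multi-architecture IoT botnet builds.
E_MACHINE = {
    0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def elf_arch(data):
    """Return bits/endianness/type/machine for an ELF header, or raise ValueError."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    # e_type and e_machine are 16-bit fields at offset 16, stored in the
    # byte order announced by EI_DATA, so the parser must honour it.
    fmt = "<HH" if ei_data == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def elf_arch_from_path(path):
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return elf_arch(fh.read(64))


def triage(samples):
    """Classify a mapping of label -> bytes; non-ELF inputs are reported, not raised."""
    report = {}
    for name, blob in samples.items():
        try:
            report[name] = elf_arch(blob)
        except ValueError as exc:
            report[name] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    for name, info in triage({
        "dropped.mips": MIPS32_BE_HEADER,
        "dropped.arm64": AARCH64_LE_HEADER,
        "stage1.sh": NOT_AN_ELF,
    }).items():
        print(name, info)
```

Seeing several payloads that differ only in `machine` is itself a useful indicator: a single dropper retrieving a family of builds for MIPS, ARM, and x86 is characteristic of the multi-architecture botnets described here.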

Technical analysis shows that Nexcorium follows a structure similar to traditional Mirai variants. It includes encoded configuration tables, a watchdog mechanism to keep the malware active, and dedicated modules for launching DDoS attacks.

The malware also integrates an exploit for CVE-2017-17215, enabling it to target Huawei HG532 devices within the same network. Additionally, it uses a hard-coded list of usernames and passwords to attempt brute-force logins on other systems via Telnet connections.

If these login attempts succeed, the malware gains shell access, establishes persistence using scheduled tasks and system services, and connects to an external command-and-control server. From there, it waits for instructions to launch attacks using protocols such as UDP, TCP, and SMTP. After securing persistence, it deletes the original binary file to reduce the likelihood of detection and analysis.
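Two of the behaviours just described leave traces a defender can look for on the device itself: a Telnet credential-guessing run shows up as a burst of failed logins from one source, and a binary that deletes itself after launching keeps running from a file the kernel now reports as "(deleted)". The script below is an added example for this article, not code from either vendor; the syslog lines are constructed to a hypothetical `telnetd` format and the regular expression would need adjusting to a real device's log format.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical format, not a real capture): one source
# guesses six accounts in six seconds; a second source fails twice, far apart,
# then logs in.
SAMPLE_LOG = """\
Jun 12 10:00:01 dvr telnetd[812]: FAILED LOGIN from 198.51.100.7 for root
Jun 12 10:00:02 dvr telnetd[812]: FAILED LOGIN from 198.51.100.7 for admin
Jun 12 10:00:03 dvr telnetd[812]: FAILED LOGIN from 198.51.100.7 for support
Jun 12 10:00:04 dvr telnetd[812]: FAILED LOGIN from 198.51.100.7 for user
Jun 12 10:00:05 dvr telnetd[812]: FAILED LOGIN from 198.51.100.7 for guest
Jun 12 10:00:06 dvr telnetd[812]: FAILED LOGIN from 198.51.100.7 for root
Jun 12 10:07:30 dvr telnetd[815]: FAILED LOGIN from 203.0.113.9 for admin
Jun 12 10:22:11 dvr telnetd[819]: FAILED LOGIN from 203.0.113.9 for admin
Jun 12 10:22:40 dvr telnetd[820]: LOGIN SUCCESS from 203.0.113.9 for admin
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"FAILED LOGIN from (?P<ip>\d+\.\d+\.\d+\.\d+) for (?P<user>\S+)$"
)


def telnet_bruteforce_sources(lines, threshold=5, window_s=60):
    """Return {source_ip: total_failures} for sources that reached `threshold`
    failed logins inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    total = defaultdict(int)
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # successes and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        total[ip] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(ip)
    return {ip: total[ip] for ip in sorted(flagged)}


def is_deleted_target(exe_target):
    """True if a /proc/<pid>/exe link points at a file removed after exec."""
    return exe_target.endswith(" (deleted)")


def deleted_exe_processes(proc_root="/proc"):
    """List (pid, target) for running processes whose binary no longer exists.
    Returns [] on systems without procfs; unreadable entries are skipped."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue                # kernel threads, exited pids, permission denied
        if is_deleted_target(target):
            hits.append((int(pid), target))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", telnet_bruteforce_sources(SAMPLE_LOG.splitlines()))
    print("processes running from deleted binaries:", deleted_exe_processes())
```

The sliding window matters more than the raw count: two failures a quarter of an hour apart are ordinary user error, while six in six seconds are a dictionary run. On a suspect device, `deleted_exe_processes()` narrows the hunt to processes whose backing file is gone, and the executable can still be recovered from `/proc/<pid>/exe` before the process exits.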

Researchers describe Nexcorium as representative of modern IoT botnets, combining multiple techniques such as vulnerability exploitation, multi-architecture support, and persistence mechanisms to maintain long-term control over infected devices. Its use of both older vulnerabilities and brute-force tactics highlights its ability to adapt and expand its reach.

Separately, Unit 42 identified automated scanning activity attempting to exploit another vulnerability, CVE-2023-33538, which has a higher CVSS score of 8.8. This flaw affects several end-of-life TP-Link routers, including TL-WR940N (v2 and v4), TL-WR740N (v1 and v2), and TL-WR841N (v8 and v10). While the observed attack attempts were malformed and did not succeed, the vulnerability itself remains valid.

This vulnerability was added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency in June 2025, reflecting its relevance in real-world threat activity. Researchers emphasize that successful exploitation requires authenticated access to the router’s web interface, which can often be achieved if default credentials are still in use.

The attacks linked to this vulnerability are designed to deploy Mirai-like malware containing references to “Condi” within its source code. This malware is capable of updating itself to newer versions and can also operate as a web server, allowing it to spread to additional devices that connect to the infected system.

Because the affected TP-Link routers are no longer supported by the manufacturer, users are advised to replace them with newer devices. Security experts also stress the importance of changing default login credentials, as these remain a major weakness that attackers continue to exploit.

Researchers warn that the continued use of default credentials in IoT environments will remain a persistent security risk. Even vulnerabilities that require authentication can become critical entry points if weak or unchanged credentials are present, enabling attackers to compromise devices and expand botnet networks with relative ease.

