Exploiting Critical Flaws: Mirai Variants Target TBK DVRs and End-of-Life TP-Link Routers, Fueling a Surge in IoT Botnet Activity.

A significant escalation in cyber threat activity has been identified, with malicious actors actively exploiting known security vulnerabilities in TBK DVR systems and end-of-life (EoL) TP-Link Wi-Fi routers. These exploits are facilitating the widespread deployment of Mirai botnet variants onto compromised internet-of-things (IoT) devices, according to findings released by the security research teams Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The ongoing campaigns underscore the persistent and evolving danger posed by unpatched and unsupported IoT devices in the global cybersecurity landscape.
Understanding the Threat: The Mirai Botnet Phenomenon
The Mirai botnet, first identified in 2016, revolutionized the landscape of cyberattacks by demonstrating the immense power of compromised IoT devices. Its name, Japanese for "future," ironically foreshadowed its role in shaping the future of distributed denial-of-service (DDoS) attacks. Mirai operates by scanning the internet for IoT devices protected by factory default or weak credentials. Once identified, it exploits these vulnerabilities to infect the devices, turning them into "bots" that can be commanded to launch massive DDoS attacks against targeted websites or services.
The most infamous Mirai attack occurred in October 2016, when it launched an unprecedented assault on Dyn, a major DNS provider, effectively taking down large portions of the internet in the United States and Europe. The attack showcased the devastating potential of leveraging everyday devices like security cameras, DVRs, and routers for malicious purposes. Crucially, the source code for Mirai was publicly released shortly after this incident, leading to a proliferation of variants, each with its own modifications and preferred targets. This open-source availability has empowered a new generation of cybercriminals, enabling them to easily adapt and deploy their own versions of the botnet, constantly refining their tactics to evade detection and maximize impact. The current campaigns, involving variants like Nexcorium and Condi, are direct descendants of this original threat, demonstrating its enduring legacy and adaptability.
Exploitation of TBK DVR Devices: The Nexcorium Campaign
At the heart of one of the current campaigns is the exploitation of CVE-2024-3721, a medium-severity command injection vulnerability (CVSS score: 6.3) affecting TBK DVR-4104 and DVR-4216 digital video recording devices. This flaw allows attackers to inject malicious commands into the device’s system, granting them unauthorized control. Fortinet FortiGuard Labs has meticulously tracked this attack, identifying a Mirai variant dubbed Nexcorium as the primary payload delivered through this exploit.
According to Vincent Li, a security researcher at Fortinet, "IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks." This statement highlights a critical vulnerability in the global digital infrastructure: the sheer volume of insecure IoT devices acts as a fertile ground for botnet expansion.
The exploitation process initiated by Nexcorium is highly sophisticated. Upon successful compromise via CVE-2024-3721, a downloader script is fetched and executed. This script is designed to assess the Linux system’s architecture, ensuring the correct botnet payload is deployed. Once the Nexcorium malware is active, it conspicuously displays a message stating "nexuscorp has taken control," a chilling digital signature of the compromise.
Fortinet’s analysis reveals that Nexcorium shares a similar architectural blueprint with other Mirai variants. This includes critical features such as XOR-encoded configuration table initialization, a robust watchdog module designed to maintain the malware’s presence by preventing its termination, and a potent DDoS attack module capable of launching various types of denial-of-service assaults. The malware’s capabilities extend beyond direct exploitation; it also incorporates an exploit for CVE-2017-17215, specifically targeting Huawei HG532 devices within the network. Furthermore, Nexcorium is equipped with a hard-coded list of usernames and passwords, which it leverages to conduct brute-force attacks against other hosts on the victim’s network by attempting Telnet connections.

Should a Telnet login prove successful, Nexcorium immediately attempts to obtain a shell, establishing persistence on the compromised device through the manipulation of crontab entries and systemd services. This ensures that the malware will automatically restart even if the device is rebooted. Once persistence is secured, the malware connects to an external command-and-control (C2) server, patiently awaiting instructions to launch DDoS attacks, typically over UDP, TCP, and SMTP protocols. In a clever move to hinder forensic analysis, the malware deletes its original downloaded binary after establishing persistence, making it more challenging for security professionals to trace its initial infection vector.
Fortinet researchers concluded, "The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach."
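The persistence mechanisms described above (crontab entries and systemd services, with the original binary deleted afterwards) leave artifacts an incident responder can look for. The following is an added, defender-side triage example written for this article; it is not code from Fortinet or from the malware. The sample crontab, unit file and fake filesystem are constructed for illustration, and the directory list and rules are assumed heuristics rather than an official indicator set.

```python
"""Heuristic triage of Linux persistence artifacts: crontab entries and
systemd units that launch programs from world-writable directories, hook
@reboot, or point at a binary that no longer exists on disk.

Added example for this article, not Fortinet's or the malware's code.
The sample data and the rules below are constructed/assumed heuristics.
"""
import os
import re
from typing import Callable, Dict, List

# Directories a dropper commonly writes to (assumed heuristic list).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

R_WRITABLE = "program lives in a world-writable directory"
R_REBOOT = "@reboot hook re-launches it after every restart"
R_MISSING = "referenced binary no longer exists on disk"
R_RESTART = "Restart= keeps a process from a writable directory alive"

# "@reboot <cmd>" or the classic five-field schedule followed by the command.
CRON_LINE = re.compile(r"^(@reboot|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")
UNIT_EXEC = re.compile(r"^ExecStart\s*=\s*[-@+!:]*(\S+)", re.M)
UNIT_RESTART = re.compile(r"^Restart\s*=\s*(always|on-failure)", re.M)


def scan_crontab(text: str, path_exists: Callable[[str], bool] = os.path.exists) -> List[Dict]:
    """Return one finding per suspicious crontab line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.groups()
        program = command.split()[0]  # cron hands the line to sh; first token is the program
        reasons = []
        if program.startswith(WRITABLE_DIRS):
            reasons.append(R_WRITABLE)
        if schedule == "@reboot":
            reasons.append(R_REBOOT)
        if program.startswith("/") and not path_exists(program):
            reasons.append(R_MISSING)
        if reasons:
            findings.append({"source": "crontab", "line": lineno, "program": program, "reasons": reasons})
    return findings


def scan_unit(name: str, text: str, path_exists: Callable[[str], bool] = os.path.exists) -> List[Dict]:
    """Return one finding per suspicious ExecStart= in a systemd unit."""
    findings = []
    restarts = bool(UNIT_RESTART.search(text))
    for m in UNIT_EXEC.finditer(text):
        program = m.group(1)
        reasons = []
        if program.startswith(WRITABLE_DIRS):
            reasons.append(R_WRITABLE)
            if restarts:  # benign daemons restart too; only flag with a writable-dir path
                reasons.append(R_RESTART)
        if program.startswith("/") and not path_exists(program):
            reasons.append(R_MISSING)
        if reasons:
            findings.append({"source": name, "program": program, "reasons": reasons})
    return findings


# --- constructed sample data (not from a real infection) -------------------
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.x/dvrhelper
*/5 * * * * /var/tmp/sysd >/dev/null 2>&1
"""
SAMPLE_UNIT = """\
[Unit]
Description=System daemon
[Service]
ExecStart=/dev/shm/.s/run
Restart=always
[Install]
WantedBy=multi-user.target
"""
# Fake filesystem: only these paths "exist" in the sample.
SAMPLE_FS = {"/usr/bin/certbot", "/tmp/.x/dvrhelper"}.__contains__


def triage(crontab_text: str = SAMPLE_CRONTAB, units: Dict[str, str] = None,
           path_exists: Callable[[str], bool] = SAMPLE_FS) -> List[Dict]:
    """Run both scanners; on a real host pass the live crontab, the unit
    texts and os.path.exists instead of the sample defaults."""
    units = units if units is not None else {"sysd.service": SAMPLE_UNIT}
    findings = scan_crontab(crontab_text, path_exists)
    for name, text in units.items():
        findings.extend(scan_unit(name, text, path_exists))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run it against a real host by feeding it the output of `crontab -l` (per user, plus /etc/cron.d), the unit files under /etc/systemd/system, and `os.path.exists`; the missing-binary rule also fires on leftovers from uninstalled packages, so treat each hit as a lead for review rather than a verdict.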
A History of Exploitation: CVE-2024-3721’s Troubled Past
It is important to note that CVE-2024-3721 is not a newly discovered vulnerability in the wild. Over the past year, this specific security flaw has been repeatedly exploited by various threat actors. Previous campaigns have leveraged it to deploy other Mirai variants, as well as a distinct and relatively new botnet known as RondoDox. In September 2025, CloudSEK, another prominent cybersecurity firm, further corroborated these trends by disclosing details of a large-scale "loader-as-a-service" botnet infrastructure. This infrastructure was observed distributing a diverse array of payloads, including RondoDox, Mirai, and Morte malware, primarily through the exploitation of weak credentials and older, unpatched flaws in routers, various IoT devices, and enterprise applications. This pattern of recurring exploitation highlights the critical need for immediate patching and robust security practices, especially for devices connected to the internet.
The Peril of End-of-Life TP-Link Routers: The Condi Connection
Adding another layer to the complex tapestry of IoT botnet threats, Palo Alto Networks Unit 42 has reported active, automated scans and probes specifically targeting CVE-2023-33538. This vulnerability, which carries a higher CVSS score of 8.8, is a command injection flaw impacting several end-of-life (EoL) TP-Link wireless router models. While Unit 42 observed that the in-the-wild exploitation attempts were, for the most part, flawed and did not consistently result in successful compromises, their analysis definitively confirms the underlying vulnerability's reality and severity.
The gravity of CVE-2023-33538 was further underscored in June 2025, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in the KEV catalog signifies that a vulnerability is deemed a significant risk and is actively being exploited by threat actors, compelling federal agencies to patch it immediately. The affected TP-Link models, while no longer actively supported by the manufacturer, remain in widespread use globally, making them prime targets for opportunistic attackers. These include specific versions of the TL-WR841N, TL-WR840N, TL-WR740N, and TL-WR741ND, among others.
Researchers Asher Davila, Malav Vyas, and Chris Navarrete from Unit 42 stated, "Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real. Successful exploitation requires authentication to the router’s web interface." This authentication requirement explains why many automated attempts might fail if default credentials have been changed or if the attacker lacks prior access. However, the presence of countless devices still operating with default or easily guessable credentials creates a vast attack surface.
The attacks targeting these EoL TP-Link devices aim to deploy a Mirai-like botnet malware, with its source code containing numerous references to the string "Condi." This Condi botnet variant possesses advanced capabilities, including the ability to update itself with newer versions, ensuring its longevity and adaptability. Furthermore, it can act as a web server, enabling it to spread the infection to other devices that connect to the compromised router, creating a self-propagating infection vector within local networks.
Given that these TP-Link devices have reached their end-of-life, meaning they no longer receive security updates or technical support from the manufacturer, users are strongly advised to replace them with newer, actively supported models. Crucially, ensuring that default credentials are never used is a fundamental security measure that could prevent a multitude of such compromises. Unit 42 emphasized, "For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices. These credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers."

The Broader Landscape of IoT Vulnerabilities and "Loader-as-a-Service"
These recent campaigns against TBK DVRs and TP-Link routers are not isolated incidents but rather symptoms of a much larger and more concerning trend in cybersecurity. The rapid proliferation of IoT devices, from smart home gadgets to industrial sensors, has created an enormous attack surface. Many of these devices are brought to market with inadequate security measures, including weak default passwords, unpatched vulnerabilities, and a lack of mechanisms for automatic updates. Consumers, often unaware of these risks, rarely take steps to secure their devices, making them easy targets for botnet operators.
The emergence of "loader-as-a-service" infrastructures, as highlighted by CloudSEK, further exacerbates this problem. This illicit business model allows less technically skilled cybercriminals to rent access to botnet infrastructure, significantly lowering the barrier to entry for launching sophisticated attacks. These services provide ready-made malware loaders that can deploy various botnet payloads, including Mirai, RondoDox, and Morte, across a vast network of vulnerable devices. This commoditization of cybercrime tools means that the volume and frequency of IoT-based attacks are likely to continue their upward trajectory. The economics are simple: for a relatively small fee, an attacker can leverage a global network of compromised devices to launch DDoS attacks, distribute spam, or mine cryptocurrency, making it a highly attractive proposition for illicit activities.
Implications for Cybersecurity and Users
The implications of these ongoing Mirai botnet campaigns are far-reaching. For individuals, a compromised IoT device can lead to slow internet speeds, unauthorized access to home networks, and potential privacy breaches if devices like cameras are affected. For businesses, especially those relying on online services, DDoS attacks can result in significant financial losses due to reputational damage, operational disruption, and recovery costs. Critical infrastructure, often reliant on interconnected IoT devices, faces an even graver threat, with potential for widespread outages and physical damage.
The consistent exploitation of known vulnerabilities, particularly in EoL devices, highlights a systemic failure in securing the IoT ecosystem. Manufacturers bear a responsibility to design devices with security in mind and provide long-term support. However, end-users also play a crucial role.
Recommendations and Best Practices
To mitigate the risks posed by these and future IoT botnet campaigns, a multi-faceted approach is essential:
- Replace End-of-Life Devices: Users of TP-Link routers and other devices that are no longer supported by manufacturers should replace them immediately with newer models that receive regular security updates. Continuing to use EoL hardware is an open invitation for attackers.
- Change Default Credentials: This is the most fundamental and critical step. Always change default usernames and passwords on all new IoT devices upon installation to strong, unique combinations.
- Apply Security Updates: Regularly check for and install firmware updates for all IoT devices. Many manufacturers release patches for newly discovered vulnerabilities. Enable automatic updates if available.
- Network Segmentation: For advanced users and businesses, segmenting IoT devices onto a separate network (e.g., a guest Wi-Fi network or a dedicated VLAN) can prevent them from accessing more sensitive parts of the main network, limiting the potential damage if they are compromised.
- Use Strong, Unique Passwords: Employ a password manager to create and store strong, unique passwords for all online accounts and device interfaces.
- Disable Unnecessary Services: Turn off any features or services on IoT devices that are not actively being used, such as remote access, UPnP, or Telnet, as these can provide additional attack vectors.
- Monitor Network Traffic: Businesses and proactive individuals can use network monitoring tools to detect unusual outbound traffic from IoT devices, which could indicate a compromise.
- Educate Yourself: Stay informed about common IoT vulnerabilities and best security practices. Resources from cybersecurity agencies like CISA and reputable security firms can provide valuable guidance.
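The "Monitor Network Traffic" recommendation above can be made concrete against the behaviour this article attributes to Nexcorium: a compromised device fanning out Telnet connection attempts across the local network, and later pushing large volumes of UDP toward a single external host on C2 command. The following detection logic is an added example written for this article, not code from Fortinet or Unit 42. The firewall log lines are constructed, the IoT VLAN 192.168.50.0/24 and the two thresholds are assumptions, and a real deployment would adapt the log regex to its own firewall format.

```python
"""Detect two Mirai-family behaviours in firewall connection logs:
  1. Telnet fan-out: one IoT device attempting tcp/23 to many distinct hosts
     (the article's "brute-force attacks against other hosts ... via Telnet").
  2. UDP volume: one IoT device sending an unusual byte volume to one
     destination (participation in a UDP flood).

Added example for this article; log lines, subnet and thresholds are
constructed assumptions, not vendor data.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT VLAN
TELNET_FANOUT_THRESHOLD = 5   # distinct hosts contacted on tcp/23 by one source
UDP_FLOOD_BYTES = 5_000_000   # UDP bytes from one source to one destination

# Assumed key=value firewall log format.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)


def parse(lines: List[str]) -> List[Dict]:
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["bytes"] = int(e["bytes"])
            events.append(e)
    return events


def detect(events: List[Dict]) -> List[Dict]:
    """Aggregate per source and return alerts for the two rules."""
    telnet_targets = defaultdict(set)   # src -> set of dst contacted on tcp/23
    udp_bytes = defaultdict(int)        # (src, dst) -> total UDP bytes
    for e in events:
        if ipaddress.ip_address(e["src"]) not in IOT_SUBNET:
            continue  # only IoT-VLAN sources are in scope for these rules
        if e["proto"] == "tcp" and e["dport"] == 23:
            telnet_targets[e["src"]].add(e["dst"])
        elif e["proto"] == "udp":
            udp_bytes[(e["src"], e["dst"])] += e["bytes"]

    alerts = []
    for src, targets in telnet_targets.items():
        if len(targets) >= TELNET_FANOUT_THRESHOLD:
            alerts.append({"rule": "telnet_fanout", "src": src, "count": len(targets)})
    for (src, dst), total in udp_bytes.items():
        if total >= UDP_FLOOD_BYTES:
            alerts.append({"rule": "udp_volume", "src": src, "dst": dst, "bytes": total})
    return alerts


# --- constructed sample log (not real traffic) ------------------------------
SAMPLE_LOG = [
    # one DVR trying Telnet against seven neighbours in quick succession
    f"2025-11-02T10:01:{i:02d}Z fw: src=192.168.50.12 dst=192.168.50.{20 + i} "
    f"proto=tcp dport=23 bytes=60"
    for i in range(7)
] + [
    # a device that touches Telnet once and does normal DNS: below threshold
    "2025-11-02T10:02:00Z fw: src=192.168.50.7 dst=192.168.50.30 proto=tcp dport=23 bytes=60",
    "2025-11-02T10:02:01Z fw: src=192.168.50.7 dst=192.168.1.1 proto=udp dport=53 bytes=80",
    # a device pushing 6 MB of UDP to one external host (203.0.113.0/24 is a documentation range)
    "2025-11-02T10:03:00Z fw: src=192.168.50.40 dst=203.0.113.9 proto=udp dport=80 bytes=2000000",
    "2025-11-02T10:03:01Z fw: src=192.168.50.40 dst=203.0.113.9 proto=udp dport=80 bytes=2000000",
    "2025-11-02T10:03:02Z fw: src=192.168.50.40 dst=203.0.113.9 proto=udp dport=80 bytes=2000000",
    # an admin host outside the IoT VLAN using Telnet: out of scope, ignored
    "2025-11-02T10:04:00Z fw: src=10.0.0.5 dst=192.168.50.20 proto=tcp dport=23 bytes=60",
]


def run_sample() -> List[Dict]:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The fan-out rule is the more reliable of the two, since a camera or DVR has no business opening Telnet to several neighbours; the byte-volume rule needs a baseline per device type, so tune UDP_FLOOD_BYTES and add a time window before relying on it.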
The Future of IoT Security
The ongoing exploitation of vulnerabilities in TBK DVRs and EoL TP-Link routers serves as a stark reminder of the persistent and evolving nature of cyber threats targeting the burgeoning IoT landscape. As more devices become connected, the attack surface will only expand. The battle against botnets like Mirai, Nexcorium, and Condi is a continuous one, demanding vigilance, proactive security measures, and a collaborative effort from manufacturers, users, and cybersecurity researchers alike. Without a concerted focus on robust security-by-design principles, regular patching, and user education, the "future" envisioned by Mirai will continue to be one where everyday devices are weaponized, posing a significant threat to global digital infrastructure.