
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign

ID: 6e824ed1-c20d-513a-9a32-048ba6844a10

STIX ID: report--6e824ed1-c20d-513a-9a32-048ba6844a10

Feed Name: Fortinet Blog

Threat Score: 75/100

Date Published: 2026-04-17

Date Updated: 2026-04-27


FortiGuard Labs analyzed an active campaign that exploits CVE-2024-3721 in TBK DVR devices to deploy a Mirai-variant botnet called Nexcorium. The report covers the exploit (including a custom “X-Hacked-By” HTTP header), a downloader that fetches multi-architecture payloads, and the malware’s XOR-decoded configuration. It also describes brute-force Telnet scanning using a hard-coded credential list, persistence methods (inittab, rc.local, systemd, cron), and a range of DDoS modules. Finally, it lists C2 infrastructure (r3brqw3d.b0ats.top and listed IPs), file hashes, and Fortinet detections and mitigations.
