Threat actors are actively exploiting vulnerabilities in TBK DVR devices and end-of-life TP-Link routers to deploy Nexcorium and Condi, two Mirai-based botnet variants. Using command injection flaws such as CVE-2024-3721 (TBK DVR) and CVE-2023-33538 (TP-Link), attackers gain initial access and deliver malware capable of launching large-scale DDoS attacks. These campaigns underscore the persistent risk posed by unpatched IoT devices and legacy hardware that no longer receives security updates.
Technical analysis shows that the Nexcorium variant uses XOR-encoded configuration data and automated brute-force attacks against exposed Telnet services to expand its reach. Once a device is compromised, the malware establishes persistence through crontab entries and systemd units, then deletes its original on-disk binary while the process keeps running from memory, which defeats simple file-based detection. Researchers recommend replacing unsupported hardware and changing default credentials to blunt these automated exploitation attempts.
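As an added example (not code from the article, nor from the botnet operators or researchers it cites), the following Python triage script covers the behaviours described above: decoding a Mirai-style XOR-obfuscated configuration string, and hunting for the crontab, systemd and self-deletion artifacts on a Linux host. It assumes a single-byte XOR key (classic Mirai XORs each byte with the four bytes of 0xDEADBEEF in turn, which collapses to 0x22; Nexcorium's actual key is not given in the article, so pass your own). The persistence heuristics (temp-directory paths, @reboot entries, Restart=always units, and a /proc/<pid>/exe link ending in "(deleted)") are generic indicators, not signatures for these campaigns. The sample crontab, unit files and /proc entries in main() are constructed for illustration.

```python
"""Triage helpers for Mirai-style bot config decoding and Linux persistence.

Added example; not code from the article or from any botnet sample.
Assumptions: single-byte XOR key (0x22 is classic Mirai's collapsed
0xDEADBEEF table key, not a documented Nexcorium value); the path and
unit heuristics below are generic, not campaign-specific signatures.
"""
import os
import re

# 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22: Mirai's per-byte table obfuscation
MIRAI_TABLE_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF

# Writable/ephemeral locations a bot typically drops into (assumed heuristic).
SUSPICIOUS_PATHS = re.compile(r"(/tmp|/var/tmp|/dev/shm|/\.[^/\s]+)/")


def xor_decode(blob: bytes, key: int = MIRAI_TABLE_KEY) -> str:
    """XOR every byte with a single-byte key; strip the NUL terminator."""
    return bytes(b ^ key for b in blob).rstrip(b"\x00").decode("latin-1")


def xor_encode(text: str, key: int = MIRAI_TABLE_KEY) -> bytes:
    """Inverse of xor_decode, used to build test fixtures (NUL-terminated)."""
    return bytes(b ^ key for b in text.encode("latin-1") + b"\x00")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return crontab lines that run at boot or execute from temp/hidden dirs."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@reboot") or SUSPICIOUS_PATHS.search(s):
            hits.append(s)
    return hits


def suspicious_systemd_units(units: dict) -> list:
    """units maps unit path -> file contents.

    Flag units whose ExecStart points into a temp/hidden directory, or that
    combine Restart=always with a binary outside the usual system prefixes.
    """
    hits = []
    for path, text in units.items():
        m = re.search(r"^ExecStart=(.*)$", text, re.M)
        if not m:
            continue
        exe = m.group(1).strip()
        always = re.search(r"^Restart=always", text, re.M) is not None
        in_system_dir = exe.startswith(("/usr/", "/bin/", "/sbin/", "/lib/"))
        if SUSPICIOUS_PATHS.search(exe) or (always and not in_system_dir):
            hits.append(path)
    return sorted(hits)


def deleted_exe_processes(proc_exe_links: dict) -> list:
    """proc_exe_links maps pid -> readlink('/proc/<pid>/exe') result.

    A process whose backing binary was unlinked (the self-deletion trick
    described in the article) shows a target ending in ' (deleted)'.
    """
    return sorted(pid for pid, tgt in proc_exe_links.items()
                  if tgt.endswith(" (deleted)"))


def scan_live_processes() -> list:
    """Read /proc on the current host (needs root to see every process)."""
    links = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            links[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # kernel threads, vanished or unreadable processes
            continue
    return deleted_exe_processes(links)


def main() -> None:
    # Constructed fixtures; not captured from a real infection.
    encoded = b"VGNLGV\x22"  # "telnet" + NUL, XORed with 0x22
    print("decoded config string:", xor_decode(encoded))

    crontab = (
        "# m h dom mon dow command\n"
        "@reboot /tmp/.x/system >/dev/null 2>&1\n"
        "*/5 * * * * /var/tmp/.sshd\n"
        "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    )
    print("cron hits:", suspicious_cron_entries(crontab))

    units = {
        "/etc/systemd/system/custom.service":
            "[Service]\nExecStart=/dev/shm/.cache/daemon\nRestart=always\n",
        "/etc/systemd/system/sshd.service":
            "[Service]\nExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n",
    }
    print("unit hits:", suspicious_systemd_units(units))

    proc = {"1": "/sbin/init", "4242": "/tmp/.x/system (deleted)",
            "777": "/usr/sbin/sshd"}
    print("running from deleted binary:", deleted_exe_processes(proc))


if __name__ == "__main__":
    main()
```

The crontab and unit checks take text rather than reading the filesystem so they can be pointed at a mounted disk image or collected triage output; scan_live_processes() is the only function that touches the running host, and an empty result from it is not proof of absence if it was run without root.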