Nexcorium
Nexcorium is a Mirai-based, multi-architecture Linux IoT botnet malware family observed in campaigns exploiting CVE-2024-3721, an unauthenticated OS command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorders. Fortinet linked the activity to a suspected actor it calls "Nexus Team," based on exploit traffic containing the custom HTTP header "X-Hacked-By: Nexus Team – Exploited By Erratic."

After exploiting the vulnerable /device.rsp endpoint by manipulating request arguments, the attackers deliver a downloader script named "dvr," which retrieves architecture-specific payloads (binaries named "nexuscorp" for ARM, MIPS/MIPS R3000 and x86-64), sets execution permissions, and launches them. On execution, samples were reported to display the message "nexuscorp has taken control."

Nexcorium shares the core Mirai architecture: XOR-encoded configuration data, watchdog, scanner and attacker/DDoS modules, and command-and-control communications used to receive operator instructions and launch attacks. Reported DDoS methods are UDP flood, TCP SYN flood, TCP ACK flood, TCP generic flood, TCP PSH flood, TCP URG flood, SMTP flood, UDP blast flood and VSE query flood; the malware also supports commands such as "killattk" and "botkill."

Nexcorium establishes persistence through multiple mechanisms: modifying /etc/inittab, creating or updating /etc/rc.local, creating /etc/systemd/system/persist.service, adding crontab entries and, in some reporting, copying itself to /usr/local/bin/sysd. It runs a watchdog process, performs self-integrity checks by FNV-1a hashing its own executable via /proc/self/exe, replicates itself under a new filename if tampering is detected, and deletes its original binary from the current execution path to hinder analysis.
For propagation, Nexcorium uses Telnet brute forcing with a hard-coded list of common/default credentials, verifies shell access with commands such as system, shell, sh and cat /bin/busybox, determines the victim architecture, and deploys the appropriate binary. It also contains embedded exploit code for CVE-2017-17215 targeting Huawei HG532 devices, and reporting also notes targeting of older Huawei devices and end-of-life TP-Link routers as part of broader mixed-device botnet expansion. The malware's primary purpose is to conscript vulnerable IoT devices into a botnet for large-scale distributed denial-of-service attacks.

High-confidence indicators mentioned in the content:
C2 domain: r3brqw3d.b0ats.top
Associated IPs: 84.200.87.36, 176.65.148.186
SHA-256 hashes:
696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35
37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21
e4789416c35b345e75c023a8c07c207c79937c6a5444e1c29d85d18d2f660d8c
0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe
9b805585c457811d2c5c5664ede9ee869b53e3c9999100505d7ee8de7f855fdf
95d1eb12d58206319c514c7240d058c512bb22b31f6ea22ed8be3ae44305c9f7
7c01d5b53861cd34e10a79fdea16dcf08bce9c78ed72abd6d6f3e9ce75a24734
838e35b62a6b38675e467301166cdcc54f98d528fe43d56936caeffec88ac696
2ccf23b8165e8c05899aa7ba4755b896ebf1d20d3b701cffdc768482486b0a74
29404df12a7723ce46c8b199c88a808aa315dd8ff8fd1e06a34ccd3d16f4553b
b1274de00a7f3d7ab9792ec3456e9d5bf057738666f34183f1d72060e2d4f678
721c7cb2109ec97c14413cb8b58ddce0ecf0c1f13f22ee4f72eed79b57592cf5
89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400
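A triage script added here as a worked example (it is not code from the page, from Fortinet, or from the Mallory product): it runs the indicators above over constructed proxy/WAF log lines, flags the exploitation request, the downloader and binary fetches and the C2 contacts, and correlates them per device, so that a DVR that was hit on /device.rsp and then called out is separated from one that was only probed. The key=value log format, the RFC 5737 addresses, the query strings and the ".arm" suffix are assumptions made for the example; the endpoint, header text, payload names, domain and IPs come from the page.

```python
"""
Added example, not code from the page or from Fortinet's report: log triage for
the Nexcorium exploitation chain, run over constructed sample lines. Indicator
values come from the page; the log format, internal addresses, query strings and
file suffix are assumptions made for this example.
"""
import re

C2_DOMAIN = "r3brqw3d.b0ats.top"
C2_IPS = frozenset({"84.200.87.36", "176.65.148.186"})
VULNERABLE_ENDPOINT = "/device.rsp"
ACTOR_MARKER = "nexus team"             # substring of the X-Hacked-By header value
PAYLOAD_NAMES = ("dvr", "nexuscorp")    # downloader script and binary family name

# Constructed sample: inbound hits on two DVRs (192.0.2.10/.11) and outbound
# requests from devices on the same network. "?arg=..." and ".arm" are
# placeholders, not the real exploit arguments or file naming.
SAMPLE_LOG = """\
src=203.0.113.7 dst=192.0.2.10 method=POST path=/device.rsp?arg=injected hdr_x_hacked_by="Nexus Team - Exploited By Erratic"
src=192.0.2.10 dst=176.65.148.186 method=GET path=/dvr
src=192.0.2.10 dst=176.65.148.186 method=GET path=/nexuscorp.arm
src=198.51.100.4 dst=192.0.2.11 method=GET path=/index.html
src=203.0.113.9 dst=192.0.2.11 method=GET path=/device.rsp?arg=probe
src=192.0.2.12 dst=r3brqw3d.b0ats.top method=GET path=/
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXPLOIT_RULES = {"nexus_team_header", "device_rsp_with_args"}
FOLLOWUP_RULES = {"payload_fetch", "known_c2_infrastructure"}


def parse_line(line):
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(rec):
    """Return the (rule, severity) pairs that fire for one parsed record."""
    hits = []
    path = rec.get("path", "")
    basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    dst = rec.get("dst", "")
    if ACTOR_MARKER in rec.get("hdr_x_hacked_by", "").lower():
        hits.append(("nexus_team_header", "high"))
    if path.startswith(VULNERABLE_ENDPOINT) and "?" in path:
        hits.append(("device_rsp_with_args", "medium"))   # any args to this endpoint are worth a look
    if basename in PAYLOAD_NAMES or basename.startswith("nexuscorp"):
        hits.append(("payload_fetch", "high"))
    if dst == C2_DOMAIN or dst in C2_IPS:
        hits.append(("known_c2_infrastructure", "high"))
    return hits


def triage(log_text):
    """Correlate per-line hits into a per-device picture.

    exploited:          devices that received an exploit/probe request (dst side)
    beaconing:          devices that fetched a payload or contacted known C2 (src side)
    likely_compromised: devices in both sets, i.e. exploited and then calling out
    """
    hits, exploited, beaconing = [], set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        for rule, sev in classify(rec):
            hits.append((rec.get("src", "?"), rec.get("dst", "?"), rule, sev))
            if rule in EXPLOIT_RULES:
                exploited.add(rec.get("dst", "?"))
            if rule in FOLLOWUP_RULES:
                beaconing.add(rec.get("src", "?"))
    return {
        "hits": hits,
        "exploited": sorted(exploited),
        "beaconing": sorted(beaconing),
        "likely_compromised": sorted(exploited & beaconing),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, dst, rule, sev in result["hits"]:
        print(f"{sev:6} {rule:24} {src} -> {dst}")
    print("likely compromised:", result["likely_compromised"])
```

The correlation is the useful part: 192.0.2.11 is only probed and 192.0.2.12 only talks to the C2 domain, so both surface as single hits, while 192.0.2.10 (exploited, then fetching dvr and nexuscorp from a known IP) is the one to isolate first. A device.rsp request without the header is kept at medium because the header is an operator signature that other campaigns using the same CVE will not carry.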
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
CVE-2024-3721 (TBK DVR-4104 and DVR-4216, unauthenticated OS command injection; the initial access vector). Evidence: “Fortinet’s FortiGuard Labs detailed a parallel campaign by a group calling itself “Nexus Team,” which has been targeting TBK digital video recorders (DVRs) via CVE-2024-3721. Their malware, called “Nexcorium”, is more sophisticated.”
CVE-2017-17215 (Huawei HG532; exploit code embedded in the bot for propagation). Evidence: “And, interestingly, it comes bundled with an exploit targeting older Huawei devices via CVE-2017-17215.”
Groups observed using it
1 distinct threat actor attributed by public researchers.
Nexus Team: the name Fortinet assigned to the suspected operator, taken from the “X-Hacked-By: Nexus Team – Exploited By Erratic” header seen in exploit traffic. Evidence: “Fortinet’s FortiGuard Labs detailed a parallel campaign by a group calling itself “Nexus Team,” which has been targeting TBK digital video recorders (DVRs) via CVE-2024-3721. Their malware, called “Nexcorium”, is more sophisticated.”
Techniques & procedures
24 distinct techniques documented for this family, organized by tactic. The labels below are the page's own; Stealth and Defense Impairment correspond to the ATT&CK Defense Evasion tactic.
Initial Access
1 technique
Exploitation of CVE-2024-3721 on internet-exposed TBK DVRs. Evidence: “The same threat actor was also observed probing TP-Link Archer AX21 devices via CVE-2023-1389 and ZTE ZXV10 H108L routers with a publicly available exploit. Meanwhile, Fortinet’s FortiGuard Labs detailed a parallel campaign by a group calling itself “Nexus Team,” which has been targeting TBK digital video recorders (DVRs) via CVE-2024-3721.” Note that the first sentence of this excerpt describes the other campaign in the source article, not Nexus Team; CVE-2023-1389 is not among the CVEs correlated with Nexcorium on this page.
Execution
5 techniques
Nexcorium ensures persistence through multiple methods: it modifies /etc/inittab to restart automatically, updates /etc/rc.local for startup execution, creates a systemd service, and adds a cron job.
Finally, it creates a scheduled task using crontab to ensure it runs after reboot.
Attackers exploit CVE-2024-3721, a command injection flaw, to compromise devices and turn them into bots for DDoS attacks.
Persistence
6 techniques
Persistence
It updates /etc/inittab to make sure the process restarts if it stops. It creates or updates /etc/rc.local to ensure execution at system startup.
The persistence summary and the crontab excerpt quoted under Execution above apply here as well.
Privilege Escalation
6 techniques
The evidence is the same as under Persistence: ATT&CK lists boot/logon initialization scripts (inittab, rc.local), system services (the systemd unit) and scheduled tasks (crontab) under both tactics, because entries placed there run at boot with the privileges of init or of the crontab owner, typically root.
Stealth
6 techniques
If it is not running from /usr/local/bin/, it copies itself to /usr/local/bin/sysd and proceeds to establish persistence through multiple mechanisms.
If the file on disk has been altered or is no longer readable, perhaps due to a partial deletion or antivirus interference, the malware dynamically copies itself under a new filename to restore its own presence.
And, after doing all that, it deletes its original binary from the current execution path to evade and frustrate analysis.
Once inside a system, it verifies the device architecture, executes commands, and establishes persistence by copying itself into system directories.
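A host-side hunt added here as a worked example (not code from the page or from Fortinet's report) covering the artifacts named in the Persistence and Stealth sections: the /usr/local/bin/sysd copy, /etc/systemd/system/persist.service, and inittab, rc.local and crontab lines that reference them, plus a live-response check for processes whose executable has been unlinked, which is what "deletes its original binary from the current execution path" looks like in /proc on Linux. It takes a filesystem root so it can be pointed at a mounted DVR image or an extracted firmware tree; build_fake_root() lays out a constructed example root in a temp directory so it runs offline. The regular expression tying startup and cron lines to the malware is an assumption (it matches the sysd path and the unit name, not any operator-specific command line), and the contents of the fake files are invented.

```python
"""
Added example, not code from the page or from Fortinet's report: read-only hunt
for Nexcorium persistence artifacts plus a /proc check for deleted executables.
The SUSPICIOUS_LINE pattern and the fake root contents are assumptions.
"""
import os
import re
import tempfile

SYSD_COPY = "usr/local/bin/sysd"
PERSIST_UNIT = "etc/systemd/system/persist.service"
STARTUP_FILES = ("etc/inittab", "etc/rc.local")
CRON_LOCATIONS = ("etc/crontab", "etc/cron.d", "var/spool/cron")  # walking var/spool/cron covers crontabs/
SUSPICIOUS_LINE = re.compile(r"/usr/local/bin/sysd|persist\.service")  # assumed marker, see lead-in


def _iter_files(root, rel):
    """Yield regular files under root/rel, whether rel is a file or a directory."""
    path = os.path.join(root, rel)
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for dirpath, _dirs, files in os.walk(path):
            for name in files:
                yield os.path.join(dirpath, name)


def _grep(path):
    """(lineno, text) for lines matching SUSPICIOUS_LINE; unreadable files yield nothing."""
    try:
        with open(path, "r", errors="replace") as fh:
            return [(n, line.rstrip("\n")) for n, line in enumerate(fh, 1)
                    if SUSPICIOUS_LINE.search(line)]
    except OSError:
        return []


def hunt(root="/"):
    """Return (kind, path, detail) findings for the filesystem rooted at root."""
    findings = []
    sysd = os.path.join(root, SYSD_COPY)
    if os.path.exists(sysd):
        # Reporting says the duplicate is written with mode 700; record what we actually see.
        findings.append(("sysd_copy", sysd, "mode " + oct(os.stat(sysd).st_mode & 0o777)))
    unit = os.path.join(root, PERSIST_UNIT)
    if os.path.exists(unit):
        findings.append(("systemd_unit", unit, "persist.service present"))
        findings += [("unit_line", unit, f"{n}: {t}") for n, t in _grep(unit)]
    for rel in STARTUP_FILES + CRON_LOCATIONS:
        for path in _iter_files(root, rel):
            findings += [("startup_line", path, f"{n}: {t}") for n, t in _grep(path)]
    return findings


def deleted_exe_processes(proc="/proc"):
    """PIDs whose executable was unlinked after start; the kernel appends ' (deleted)'."""
    out = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if target.endswith(" (deleted)"):
            out.append((int(pid), target))
    return out


def build_fake_root():
    """Constructed infected-device layout in a temp dir (all contents are made up)."""
    root = tempfile.mkdtemp(prefix="nexcorium-hunt-")

    def put(rel, content, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)

    put(SYSD_COPY, "not a real ELF\n", 0o700)
    put(PERSIST_UNIT, "[Service]\nExecStart=/usr/local/bin/sysd\n[Install]\nWantedBy=multi-user.target\n")
    put("etc/inittab", "::sysinit:/etc/init.d/rcS\n::respawn:/usr/local/bin/sysd\n")
    put("etc/rc.local", "#!/bin/sh\n/usr/local/bin/sysd &\nexit 0\n")
    put("var/spool/cron/crontabs/root", "@reboot /usr/local/bin/sysd\n")
    put("etc/hostname", "dvr\n")  # benign file: must not be reported
    os.makedirs(os.path.join(root, "proc/1"))
    os.symlink("/sbin/init", os.path.join(root, "proc/1/exe"))
    os.makedirs(os.path.join(root, "proc/1234"))
    os.symlink("/tmp/dvr (deleted)", os.path.join(root, "proc/1234/exe"))  # mimics the kernel's readlink text
    return root


if __name__ == "__main__":
    fake = build_fake_root()
    for kind, path, detail in hunt(fake):
        print(f"{kind:13} {path}  {detail}")
    print("deleted-exe processes:", deleted_exe_processes(os.path.join(fake, "proc")))
```

Run it as root on a live device to inspect / and /proc directly; on a firmware image, pass the mount point. A hit from deleted_exe_processes on its own is not proof of Nexcorium (a package upgrade that replaces a running binary leaves the same trace), so pair it with the file findings, and remember the watchdog will respawn the bot from the sysd copy if only the running process is killed.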
Defense Impairment
1 technique
The script sets the permissions of the retrieved malware to 777 and runs it... If the original file is missing, unreadable, or its hash does not match, the malware creates a duplicate under a different filename and sets the file permissions to 700.
Credential Access
1 technique
No evidence excerpt is shown for this tactic; per the family description, it is Telnet brute forcing with a hard-coded list of common/default credentials.
Discovery
2 techniques
No evidence excerpt is shown for this tactic; per the family description, the bot verifies shell access with commands such as system, shell, sh and cat /bin/busybox and determines the victim architecture before choosing a payload.
Lateral Movement
2 techniques
No evidence excerpt is shown for this tactic; per the family description, spread to further devices is via Telnet credential brute forcing and the embedded CVE-2017-17215 exploit for Huawei HG532 devices.
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; the full values are listed in the description above.
Network: the C2 domain r3brqw3d.b0ats.top and the associated IPs 84.200.87.36 and 176.65.148.186.
File hashes: the 13 SHA-256 sample hashes listed above (no MD5 or SHA-1 values are given on this page).
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A botnet malware family targeting Linux-based IoT devices. It supports multiple Linux architectures, establishes persistence through several mechanisms including inittab, rc.local, systemd service creation, and crontab, deletes its original binary to hinder analysis, and can launch DDoS attacks using multiple methods.
Nexcorium is a Mirai-based IoT botnet malware that exploits vulnerable TBK DVRs and TP-Link routers, establishes persistence, communicates with a C2 server, performs binary integrity checks, uses a watchdog process to stay running, and launches large-scale DDoS attacks. It also propagates via Telnet brute-force using default credentials.
A Mirai variant used to infect vulnerable IoT devices, establish persistent malware presence, and enable large-scale attacks including DDoS activity.
A Mirai-like multi-architecture IoT botnet malware used to infect TBK DVRs and outdated TP-Link routers, establish persistence, brute-force Telnet access, exploit additional device vulnerabilities, and receive C2 commands to launch DDoS attacks such as UDP and TCP floods.