
New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks
Why It Matters
The campaign exposes a critical gap in IoT security, showing how unpatched consumer‑grade devices can be weaponized for large‑scale DDoS attacks that threaten business continuity.
Key Takeaways
- Nexcorium exploits CVE‑2024‑3721 in TBK DVR‑4104/4216 models
- Malware copies itself, deletes originals, persists after reboot
- Uses hard‑coded default passwords to brute‑force nearby devices
- Supports multiple CPU architectures, expanding infection scope
- Drives massive DDoS attacks, underscoring urgent IoT patching
Pulse Analysis
The emergence of Nexcorium underscores a broader trend: Mirai‑style botnets are evolving beyond simple telnet‑based exploits to target a wider array of IoT hardware. By leveraging CVE‑2024‑3721, attackers gain remote code execution on DVRs that are rarely updated, turning security cameras into footholds for a distributed botnet. This shift reflects attackers’ focus on low‑maintenance, high‑visibility devices that sit on the edge of corporate networks, where traditional security controls are often lax.
Technically, Nexcorium is a multi‑architecture payload capable of running on ARM, MIPS and x86 platforms. It copies itself into multiple system directories, creates scheduled tasks for reboot persistence, and erases its original binaries to evade detection. A built‑in dictionary of over 60 default credentials enables rapid brute‑force attacks on neighboring routers, cameras and other smart devices, allowing the botnet to expand laterally within a building. The malware also reuses older exploits like CVE‑2017‑17215, demonstrating a hybrid approach that blends new vulnerabilities with legacy attack vectors.
For businesses, the practical impact is stark: a single compromised DVR can become a launchpad for volumetric DDoS attacks that overwhelm web services, disrupt supply‑chain portals, or degrade customer experiences. The episode reinforces the need for continuous asset discovery, regular firmware updates, and enforced password hygiene across all IoT endpoints. Organizations should adopt adversary‑emulation testing that includes edge devices, ensuring that security programs extend beyond traditional IT assets to cover the expanding Internet‑of‑Things perimeter.
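The dictionary brute-forcing of neighboring devices described above leaves a recognisable trace in authentication logs: one internal host failing logins against several neighbours under several account names within minutes. The following is an added example, not part of the original article, of detecting that pattern; the log format, addresses, thresholds and function names are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of collector-side login events (format is assumed).
SAMPLE_LOG = """\
2024-06-01T03:10:00 dst=10.20.0.1 svc=telnet src=10.20.0.50 user=admin result=fail
2024-06-01T03:10:02 dst=10.20.0.1 svc=telnet src=10.20.0.50 user=root result=fail
2024-06-01T03:10:05 dst=10.20.0.60 svc=telnet src=10.20.0.50 user=admin result=fail
2024-06-01T03:10:09 dst=10.20.0.61 svc=ssh src=10.20.0.50 user=guest result=fail
2024-06-01T08:00:00 dst=10.20.0.60 svc=ssh src=10.20.0.90 user=ops result=fail
2024-06-01T09:00:00 dst=10.20.0.1 svc=ssh src=10.20.0.77 user=alice result=fail
2024-06-01T09:00:10 dst=10.20.0.1 svc=ssh src=10.20.0.77 user=alice result=fail
2024-06-01T09:00:20 dst=10.20.0.1 svc=ssh src=10.20.0.77 user=alice result=ok
2024-06-01T11:00:00 dst=10.20.0.61 svc=ssh src=10.20.0.90 user=backup result=fail
2024-06-01T14:00:00 dst=10.20.0.62 svc=ssh src=10.20.0.90 user=deploy result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dst=(?P<dst>\S+) svc=\S+ src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def failed_logins(lines):
    """Yield (time, src, dst, user) for failed logins; ignore everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "fail":
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["user"]

def find_spraying_hosts(lines, window_s=300, min_targets=3, min_users=3):
    """Map each source that, within window_s seconds, failed logins against
    >= min_targets hosts using >= min_users account names to the time the
    thresholds were first crossed."""
    recent = defaultdict(deque)   # src -> failed attempts still inside the window
    alerts = {}
    for ts, src, dst, user in sorted(failed_logins(lines)):
        q = recent[src]
        q.append((ts, dst, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # expire attempts older than the window
        targets = {d for _, d, _ in q}
        users = {u for _, _, u in q}
        if len(targets) >= min_targets and len(users) >= min_users:
            alerts.setdefault(src, ts)
    return alerts

if __name__ == "__main__":
    for src, when in find_spraying_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} {src}: credential spraying across neighbours")
```

With the default five-minute window, the host that mistypes one account's password on one device and the source whose failures are spread over hours are not flagged; only the host cycling account names across several neighbours is.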