Cybersecurity researchers at Fortinet’s FortiGuard Labs have identified a new malware strain called Nexcorium that is targeting smart devices across the world and building botnets for large-scale distributed denial-of-service attacks. Described as a new version of the Mirai malware, the threat is designed to infect internet-connected devices and use them to flood websites with fake traffic until they crash or stop working.
Video Recording Devices Seen as Primary Target
Researchers said the campaign is focused in particular on video recording boxes used for security cameras, especially the TBK DVR-4104 and DVR-4216 models. Those devices were identified as key targets because they are said to be rarely updated and often have weak security settings, making them easier to compromise.
The attackers are exploiting CVE-2024-3721, a command injection vulnerability in the devices, allowing them to gain access, run malicious code and maintain persistent remote control. Once a system is successfully compromised, a message appears stating that NexusCorp has taken control, a detail researchers said points to the Nexus Team. They also said the code carries a signature reading “Nexus Team – Exploited By Erratic,” which they cited as reinforcing that attribution.
Malware Built for Persistence and Expansion
Vincent Li of FortiGuard Labs said Nexcorium is a multi-architecture malware, meaning it can run on different processors. Researchers said that flexibility allows it to operate across many types of hardware, increasing the danger for organisations using the affected recording devices.
The malware is designed to be difficult to remove. It copies itself into multiple folders, creates automatic tasks so it restarts when a device is turned off and on again, and deletes its own original files to avoid detection. To expand the botnet, it then attempts to compromise other smart devices in the same building by using a built-in list of common passwords such as admin123, 12345 and guest, while also relying on brute-force attempts to log into routers or cameras.
Researchers said Nexcorium shows traits commonly associated with modern botnets focused on internet-of-things devices, combining vulnerability exploitation, support for multiple architectures and several persistence methods intended to maintain long-term access to infected systems. They added that its use of known exploits, including CVE-2017-17215, alongside extensive brute-force capabilities, underlined its ability to widen its reach.
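The brute-force spreading described above leaves a recognisable trace on the defender's side: one internal address failing logins against several different devices in a short time. The following is an added detection sketch, not code from FortiGuard Labs or from the malware; the log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): time source target user result
SAMPLE_LOG = """\
2025-01-10T02:00:01 10.0.0.23 10.0.0.1 admin FAIL
2025-01-10T02:00:03 10.0.0.23 10.0.0.40 admin FAIL
2025-01-10T02:00:04 10.0.0.23 10.0.0.41 guest FAIL
2025-01-10T02:00:06 10.0.0.23 10.0.0.42 root FAIL
2025-01-10T02:00:09 10.0.0.23 10.0.0.42 admin OK
2025-01-10T08:15:00 10.0.0.7 10.0.0.1 alice FAIL
2025-01-10T08:15:20 10.0.0.7 10.0.0.1 alice OK
2025-01-10T09:00:00 10.0.0.9 10.0.0.40 admin FAIL
2025-01-10T11:30:00 10.0.0.9 10.0.0.41 admin FAIL
"""

def parse(line):
    ts, src, dst, user, result = line.split()
    return datetime.fromisoformat(ts), src, dst, user, result

def find_spreaders(log_text, min_targets=3, window=timedelta(minutes=5)):
    """Return {source: sorted targets} for sources whose failed logins hit
    at least min_targets distinct hosts inside one sliding time window."""
    recent = defaultdict(deque)   # source -> recent (time, target) failures
    flagged = defaultdict(set)
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst, _user, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop failures older than window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_targets:
            flagged[src] |= targets
    return {s: sorted(t) for s, t in flagged.items()}

def successes_from(log_text, spreaders):
    """(source, target) pairs where a flagged source also logged in
    successfully; these targets need credential resets and inspection."""
    hits = set()
    for line in filter(str.strip, log_text.splitlines()):
        _, src, dst, _, result = parse(line)
        if result == "OK" and src in spreaders:
            hits.add((src, dst))
    return sorted(hits)
```

A flagged source is itself a candidate infected device, and any target returned by `successes_from` should be treated as potentially compromised.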
Researchers Warn Against Narrow Security Testing
The central purpose of the malware operation is to launch DDoS attacks in which large numbers of infected devices overwhelm a website with traffic. Researchers said that because Nexcorium can run on varied hardware, it poses a high-level threat to organisations relying on these recording boxes. They advised users to change default passwords and keep software updated.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, said the campaign demonstrated why automated scanning alone cannot close exposure gaps. He said machine-speed analysis may detect a vulnerability, but deeper human research is needed to understand how attackers chain exploits, weaponise them and sustain access long after the first alert.
Ford said organisations need continuous adversarial testing that mirrors real attacker behaviour across their full asset inventory, including devices security teams may have quietly placed outside normal scope. He added that the next generation of defence programmes will be defined by how aggressively they test the edges of their systems, not only their most prized assets.