Mirai Botnet Variants Nexcorium and Condi Exploit Vulnerabilities in TBK DVRs and TP-Link Routers to Launch Global DDoS Campaigns

Cybersecurity researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have identified a sophisticated series of cyberattacks targeting legacy Internet of Things (IoT) devices, specifically digital video recorders (DVRs) manufactured by TBK and end-of-life (EoL) Wi-Fi routers from TP-Link. These campaigns leverage critical security vulnerabilities to deploy new variants of the notorious Mirai botnet, identified as Nexcorium and Condi. The surge in these attacks highlights a persistent and growing threat to global network stability, as threat actors increasingly weaponize unpatched and unsupported hardware to build massive botnet infrastructures capable of launching devastating distributed denial-of-service (DDoS) attacks.
The exploitation of TBK DVR devices centers on a medium-severity command injection vulnerability tracked as CVE-2024-3721, which carries a CVSS score of 6.3. This flaw affects the TBK DVR-4104 and DVR-4216 models, allowing remote attackers to execute arbitrary commands on the device’s operating system. Once initial access is gained, the attackers deploy a Mirai-based malware known as Nexcorium. This malware is designed to take complete control of the infected hardware, effectively turning a security-focused device into a zombie node within a larger malicious network.
According to Vincent Li, a security researcher at Fortinet, the targeting of IoT devices is a strategic choice for modern cybercriminals. He noted that these devices are increasingly prime targets for large-scale attacks due to their widespread use, the frequent lack of security patching, and often weak default security settings. Li emphasized that threat actors are continuously scanning the internet for known vulnerabilities to gain initial access, deploying malware that can persist, spread laterally through local networks, and participate in coordinated DDoS campaigns.
The Technical Evolution of Nexcorium
The Nexcorium variant represents a significant evolution in IoT-focused malware. Its infection chain begins with the exploitation of CVE-2024-3721 to deliver a downloader script tailored to the victim’s specific Linux architecture. Once the binary is executed, the malware issues a triumphant notification to its command-and-control (C2) server, stating "nexuscorp has taken control." This bravado underscores the confidence of the threat actors behind the campaign.
Technically, Nexcorium shares a foundational architecture with the original Mirai source code but incorporates several modern enhancements. These include an XOR-encoded configuration table to obfuscate its internal settings and a watchdog module designed to monitor the malware’s processes and restart them if they are terminated by a user or security software. Furthermore, Nexcorium features a specialized DDoS attack module capable of flooding targets with traffic over multiple protocols, including UDP, TCP, and SMTP.
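As an added example (not code from the article, from Fortinet, or from the malware itself), the following Python decoder recovers strings from a Mirai-style XOR-obfuscated configuration table like the one Nexcorium is said to carry. The record layout, the sample entries and the one-byte key are constructed for the demonstration; the one fact taken from the original Mirai source is that it XORs every table byte with all four bytes of its key, which collapses to a single byte, so an analyst can brute-force the key by scoring how printable the output is.

```python
import string
from typing import Dict, Iterator, Tuple

# Constructed sample config, modelled on what a Mirai-style table holds:
# a C2 banner string, Telnet credentials and the watchdog device path.
SAMPLE: Dict[int, str] = {
    1: "nexuscorp has taken control",   # banner quoted in the article
    2: "admin",                          # constructed Telnet username
    3: "1234",                           # constructed Telnet password
    4: "/dev/watchdog",                  # path Mirai's watchdog code opens
}
KEY = b"\x22"  # constructed; 0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22 in original Mirai
OK_BYTES = set(range(0x20, 0x7F)) | {0}   # printable ASCII or a NUL terminator


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; XOR is self-inverse, so this hides and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_table(entries: Dict[int, str], key: bytes) -> bytes:
    """Serialise as <id:1><len:1><obfuscated value + NUL> records (constructed layout)."""
    out = bytearray()
    for entry_id, value in entries.items():
        raw = value.encode("ascii") + b"\x00"
        out += bytes([entry_id, len(raw)]) + xor_bytes(raw, key)
    return bytes(out)


def record_bodies(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (id, obfuscated body) per record; headers are stored in the clear."""
    pos = 0
    while pos + 2 <= len(blob):
        entry_id, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % pos)
        yield entry_id, body
        pos += 2 + length


def decode_table(blob: bytes, key: bytes) -> Dict[int, str]:
    """Recover every plaintext string, stopping each at its NUL terminator."""
    return {eid: xor_bytes(body, key).split(b"\x00", 1)[0].decode("ascii", "replace")
            for eid, body in record_bodies(blob)}


def recover_single_byte_key(blob: bytes) -> int:
    """Analyst helper: the key whose output is most printable/NUL wins."""
    bodies = b"".join(body for _, body in record_bodies(blob))
    return max(range(256), key=lambda k: sum((b ^ k) in OK_BYTES for b in bodies))


if __name__ == "__main__":
    blob = encode_table(SAMPLE, KEY)
    guessed = recover_single_byte_key(blob)
    print("recovered key 0x%02x" % guessed, decode_table(blob, bytes([guessed])))
```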
One of the more alarming features of Nexcorium is its ability to spread laterally. The malware includes a built-in exploit for CVE-2017-17215, a legacy vulnerability in Huawei HG532 devices. By scanning the local network for these routers, Nexcorium can expand its reach beyond the initial point of entry. Additionally, it carries an extensive list of hard-coded usernames and passwords. It uses these credentials to conduct brute-force attacks against other hosts via Telnet. If a login is successful, the malware attempts to secure a shell, establishes persistence through crontab and systemd services, and eventually deletes its own binary to evade post-infection forensic analysis.

Automated Exploitation of TP-Link Routers
Simultaneously, Palo Alto Networks Unit 42 has been tracking automated scans and probes targeting TP-Link wireless routers that have reached their end-of-life status. These attacks exploit CVE-2023-33538, a critical command injection vulnerability with a CVSS score of 8.8. Although the vulnerability is severe, Unit 42 researchers Asher Davila, Malav Vyas, and Chris Navarrete observed that many current in-the-wild attacks are using a flawed methodology that fails to achieve a successful compromise. However, they warned that the underlying vulnerability remains a potent threat for any device that has not been replaced or shielded.
Successful exploitation of CVE-2023-33538 requires the attacker to be authenticated to the router’s web interface. While this might seem like a high bar, many users never change the default administrative credentials on their home routers, making them easy prey for automated botnet scripts. The malware associated with these TP-Link attacks is a Mirai-like variant dubbed Condi.
Condi distinguishes itself with its ability to act as a self-propagating web server. Once it infects a router, it can serve its own malicious payload to other vulnerable devices that connect to it, creating a cascading infection effect. It also includes a self-update mechanism, allowing the botnet operators to push new features or bug fixes to their army of infected devices in real-time. This level of automation and resilience makes Condi a formidable component of the modern cyber-threat landscape.
A Timeline of Escalating IoT Vulnerabilities
The current wave of attacks is part of a broader trend observed throughout 2024 and 2025. The TBK DVR vulnerability, in particular, has become a "favorite" among threat actors. Over the past year, it has been leveraged to deploy multiple botnet families, including the relatively new RondoDox malware. In June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog, signaling that the flaw is actively being weaponized by sophisticated actors.
In September 2025, the security firm CloudSEK disclosed the existence of a massive "loader-as-a-service" infrastructure. This underground economy allows low-level cybercriminals to pay for access to pre-compromised IoT devices. This infrastructure has been instrumental in distributing payloads for Nexcorium, RondoDox, and another variant known as Morte. The commoditization of IoT exploitation means that even unsophisticated actors can now launch high-impact DDoS attacks by simply renting time on an established botnet.
The scale of these operations is staggering. Earlier in 2025, a Mirai-based botnet was credited with launching a record-breaking 56 Tbps DDoS attack, demonstrating the sheer volume of traffic that can be generated when hundreds of thousands of compromised IoT devices are synchronized.
Broader Implications and Official Responses
The persistence of these attacks raises serious questions about the security lifecycle of consumer electronics. Many of the devices being targeted, such as the TP-Link routers, are no longer supported by their manufacturers. This means that even if a critical vulnerability is discovered, no official patch will be released. This creates a "zombie internet" of millions of devices that are permanently vulnerable and serve as a resource for threat actors.

Security agencies and researchers are urging a shift in how both consumers and enterprises manage IoT security. Unit 42 has emphasized that the security landscape will continue to be shaped by the risk of default credentials. They argue that a single authenticated vulnerability can turn into a critical entry point if the administrative password remains "admin" or "1234."
In response to these findings, cybersecurity experts recommend the following actions:
- Immediate Replacement: Any device that has reached EoL status and is known to be vulnerable (like the affected TP-Link and TBK models) should be replaced with modern, supported hardware.
- Credential Management: Users must change default usernames and passwords on all network-connected devices immediately upon installation.
- Network Segmentation: IoT devices should be placed on a separate VLAN to prevent malware like Nexcorium from moving laterally to more sensitive systems, such as personal computers or servers.
- Disable Unnecessary Services: Features like remote management and Telnet should be disabled unless absolutely necessary for the device’s operation.
Analysis: The Future of Botnet Warfare
The emergence of Nexcorium and Condi suggests that the era of the Mirai botnet is far from over. Instead, it has entered a phase of modular refinement. By combining old exploits with new persistence methods and automated spreading capabilities, threat actors are ensuring that their botnets remain viable even as individual devices are rebooted or taken offline.
The use of "loader-as-a-service" models indicates a high degree of organization and financial motivation. As long as there is a market for DDoS attacks—whether for extortion, political hacktivism, or competitive sabotage—the demand for IoT botnets will persist. The exploitation of TBK DVRs is particularly ironic, as devices intended to provide physical security are being repurposed to undermine digital security.
Furthermore, the inclusion of lateral movement exploits for legacy Huawei hardware shows that attackers are thinking holistically about the network environment. They are not just looking for a single "in"; they are looking for ways to entrench themselves within a local ecosystem. This holistic approach requires a similarly holistic defense strategy from the cybersecurity community, focusing on visibility, rapid response, and the phased decommissioning of insecure legacy hardware.
As we move further into 2025, the battle over the IoT landscape will likely intensify. The record-breaking DDoS attacks seen recently are a harbinger of a future where the sheer volume of connected devices, if left unsecured, could be used to disrupt the fundamental infrastructure of the internet. The findings from Fortinet and Palo Alto Networks serve as a critical reminder that in the world of cybersecurity, "out of sight" should never mean "out of mind" when it comes to the routers and DVRs humming quietly in the corners of our homes and businesses.