{"id":45524,"date":"2026-04-18T00:24:29","date_gmt":"2026-04-17T16:24:29","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-mirai-variant-nexcorium-hijacks-dvr-devices-for-ddos-attacks\/"},"modified":"2026-04-18T00:24:29","modified_gmt":"2026-04-17T16:24:29","slug":"new-mirai-variant-nexcorium-hijacks-dvr-devices-for-ddos-attacks","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-mirai-variant-nexcorium-hijacks-dvr-devices-for-ddos-attacks\/","title":{"rendered":"New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks"},"content":{"rendered":"\n

Cybersecurity researchers at Fortinet\u2019s FortiGuard Labs have found a new malware that is taking over smart devices across the globe. This threat, named Nexcorium, is a new version of the infamous Mirai malware<\/a>. It is built to create a botnet, which is a large network of infected IoT devices and gadgets controlled by hackers to carry out large-scale DDoS attacks.<\/p>\n

How the hackers gain access<\/strong><\/h3>\n

FortiGuard Lab’s security analysts have found that in this campaign, the key targets of hackers are video recording boxes used for security cameras, preferably the TBK DVR-4104 and DVR-4216 models. That’s probably because these devices are rarely updated and have weak security settings, hence being easier to compromise. <\/p>\n

According to researchers, attackers are abusing CVE-2024-3721<\/a>, a command injection vulnerability in these specific devices, allowing hackers to gain access and run malicious code and gain persistent remote access.<\/p>\n

Upon successful compromise, it leads to the showing of a message on the system saying “NexusCorp has taken control.” This gives away the attackers’ identity, which, according to researchers, is the Nexus Team. They even leave a signature in the code that says “Nexus Team \u2013 Exploited By Erratic,” thus validating this attribution.<\/p>\n

Malware Capabilities<\/strong><\/h3>\n

In their blog post<\/a> shared with Hackread.com ahead of publishing on Friday, Vincent Li of FortiGuard Labs noted that Nexcorium is a \u201cmulti-architecture\u201d malware, which means it can work on different processors. <\/p>\n

The malware is also difficult to get rid of because it copies itself into several different folders. It then sets up automatic tasks so that if the device is turned off and on again, the malware just starts back up, and even deletes its own original files to hide from anyone trying to find it.<\/p>\n

To extend the botnet network, the malware tries to compromise other smart devices<\/a> in the same building. For this purpose, it uses a built-in, long list of basic passwords like “admin123, 12345, and guest.” Additionally, by using brute force<\/a>, Nexcorium keeps trying these passwords one by one to see if it can log into other routers or cameras.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
ubuntu<\/td>\nguest<\/td>\nsupport<\/td>\ndefault<\/td>\n<\/tr>\n
12345<\/td>\n123456<\/td>\nchangeme<\/td>\nhikvision<\/td>\n<\/tr>\n
operator<\/td>\n888888<\/td>\nAdministrator<\/td>\nmeinsm<\/td>\n<\/tr>\n
7ujMko0admin<\/td>\nadmin123<\/td>\nadmin1234<\/td>\nadmintest<\/td>\n<\/tr>\n
comcomcom<\/td>\nmotorola<\/td>\npassword<\/td>\ndaemon<\/td>\n<\/tr>\n
OxhlwSG8<\/td>\nS2fGqNFs<\/td>\ntlJwpbo6<\/td>\nD-Link<\/td>\n<\/tr>\n
netscreen<\/td>\n7ujMko0vizxv<\/td>\nGM8182<\/td>\nRoot1<\/td>\n<\/tr>\n
Zte521<\/td>\nantslq<\/td>\ncat1029<\/td>\ndreambox<\/td>\n<\/tr>\n
grouter<\/td>\nhg2x0<\/td>\nhuigu309<\/td>\nipcam_rt5350<\/td>\n<\/tr>\n
jauntech<\/td>\nsolokey<\/td>\nswsbzkgn<\/td>\ntaZz@23495859<\/td>\n<\/tr>\n
tsgoingon<\/td>\nvertex25ektks123<\/td>\nxc3511<\/td>\nxmhdipc<\/td>\n<\/tr>\n
Zhongxing<\/td>\ntelnet<\/td>\ntelnetadmin<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>
List of hardcoded passwords used for Brute Forcing (Credit: Fortinet)<\/figcaption><\/figure>\n

DDoS Attacks<\/strong><\/h3>\n

The main purpose of this entire exercise is to launch Distributed Denial of Services (DDoS<\/a>) attacks in which thousands of infected devices flood a website with so much fake traffic that it crashes and stops working.<\/p>\n