The technical report from The Hacker News on Nexcorium, a fresh Mirai variant exploiting CVE-2024-3721 in TBK DVR-4104 and DVR-4216 devices, accurately captures the immediate infection chain: command injection leading to architecture-aware downloader scripts, XOR-encoded config tables, watchdog functionality, and multi-vector DDoS capabilities over UDP, TCP, and SMTP. However, it stops short of confronting the deeper structural failure this represents. This is not an isolated incident but another data point in an eight-year pattern of Mirai progeny that began with the 2016 Dyn attack and has since splintered into hundreds of variants, each demonstrating greater operational security and adaptability.

Fortinet FortiGuard Labs' analysis reveals Nexcorium's use of CVE-2017-17215 for lateral movement to Huawei HG532 routers, hardcoded credential lists for Telnet brute-forcing, and dual persistence via crontab and systemd services before self-deleting the original binary. These traits indicate a maturing malware lineage designed to evade forensic analysis and maintain long-term residency on devices rarely monitored or patched. Palo Alto Networks Unit 42's concurrent findings on widespread, albeit flawed, scanning for CVE-2023-33538 in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N) further illustrate the problem: attackers are systematically probing the internet's forgotten corners, knowing that millions of these devices remain online years after vendor support ended.

What both the primary coverage and much of the industry commentary miss is the strategic implication. IoT botnets have largely escaped sustained mainstream attention because their DDoS payloads are often used in commoditized criminal markets rather than flashy ransomware or espionage operations. Yet CloudSEK's September 2025 report on a loader-as-a-service platform distributing RondoDox, Mirai, and Morte payloads through weak credentials and legacy flaws demonstrates an emerging ecosystem of specialized criminal infrastructure. These are not amateur efforts; they represent professionalized cybercrime supply chains that can be rented by anyone, including state actors seeking plausible deniability for disruptive operations against critical infrastructure.

The original coverage also understates the physical-world consequences. TBK DVRs are not abstract IoT nodes; they form core components of video surveillance systems protecting businesses, government facilities, and critical sites. Compromising them grants attackers not only DDoS firepower but potential access to live camera feeds or the ability to blind security systems during coordinated physical operations. This dual-use potential aligns with observed patterns in hybrid warfare where botnets serve as both profit engines and reserve capacity for larger campaigns.

Historically, Mirai's source code release created a Darwinian evolution: only the most effective variants survive. Nexcorium's announcement message ('nexuscorp has taken control') and its ability to function as a limited web server for further propagation show increasing autonomy. The relentless pace of new CVEs in abandoned devices, combined with manufacturers' rapid shift to new product lines without providing firmware updates, has created a permanent vulnerable substrate. Regulatory efforts like the EU Cyber Resilience Act remain years from meaningful impact, while CISA's addition of related vulnerabilities to the KEV catalog has done little to slow exploitation of devices outside enterprise visibility.

The synthesis is clear: IoT remains the soft underbelly of global digital infrastructure. Without radical changes in liability for manufacturers, automated update mechanisms for legacy devices, and continuous internet-scale scanning by defensive organizations, botnets like Nexcorium will continue to scale in the shadows, waiting for the next major geopolitical or financial trigger to weaponize their collective bandwidth.