Threat actors are actively taking advantage of security weaknesses in TBK digital video recorders and outdated TP-Link Wi-Fi routers to install variants of the Mirai botnet on compromised systems. This activity has been documented by researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
One of the primary attack vectors involves the exploitation of CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3, classified as medium severity. This flaw affects TBK DVR-4104 and DVR-4216 devices and is being used to deliver a Mirai-based malware strain identified as Nexcorium.
Security researchers note that IoT devices continue to be heavily targeted because they are widely deployed, frequently lack timely security updates, and are often configured with weak protections. These conditions allow attackers to exploit known vulnerabilities to gain initial access, deploy malicious code, maintain persistence, and ultimately use infected devices to conduct distributed denial-of-service attacks.
This vulnerability has already been observed in previous attack campaigns. Over the past year, it has been used not only to deploy Mirai variants but also a newer botnet known as RondoDox. In addition, earlier reporting highlighted large-scale botnet operations distributing multiple malware families, including Mirai, RondoDox, and Morte, by exploiting weak credentials and outdated vulnerabilities across routers, IoT devices, and enterprise systems.
In the current attack chain described by Fortinet, exploitation of CVE-2024-3721 allows attackers to download a script onto the target device. This script then determines the system’s Linux architecture and retrieves a compatible botnet payload. Once executed, the malware displays a message indicating that the system has been taken over.
Technical analysis shows that Nexcorium follows a structure similar to traditional Mirai variants. It includes encoded configuration tables, a watchdog mechanism to keep the malware active, and dedicated modules for launching DDoS attacks.
The malware also integrates an exploit for CVE-2017-17215, enabling it to target Huawei HG532 devices within the same network. Additionally, it uses a hard-coded list of usernames and passwords to attempt brute-force logins on other systems via Telnet connections.
If these login attempts succeed, the malware gains shell access, establishes persistence using scheduled tasks and system services, and connects to an external command-and-control server. From there, it waits for instructions to launch attacks using protocols such as UDP, TCP, and SMTP. After securing persistence, it deletes the original binary file to reduce the likelihood of detection and analysis.
Researchers describe Nexcorium as representative of modern IoT botnets, combining multiple techniques such as vulnerability exploitation, multi-architecture support, and persistence mechanisms to maintain long-term control over infected devices. Its use of both older vulnerabilities and brute-force tactics highlights its ability to adapt and expand its reach.
Separately, Unit 42 identified automated scanning activity attempting to exploit another vulnerability, CVE-2023-33538, which has a higher CVSS score of 8.8. This flaw affects several end-of-life TP-Link routers, including TL-WR940N (v2 and v4), TL-WR740N (v1 and v2), and TL-WR841N (v8 and v10). While the observed attack attempts were incorrectly executed and did not succeed, the vulnerability itself remains valid.
This vulnerability was added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency in June 2025, reflecting its relevance in real-world threat activity. Researchers emphasize that successful exploitation requires authenticated access to the router’s web interface, which can often be achieved if default credentials are still in use.
The attacks linked to this vulnerability are designed to deploy Mirai-like malware containing references to “Condi” within its source code. This malware is capable of updating itself to newer versions and can also operate as a web server, allowing it to spread to additional devices that connect to the infected system.
Because the affected TP-Link routers are no longer supported by the manufacturer, users are advised to replace them with newer devices. Security experts also stress the importance of changing default login credentials, as these remain a major weakness that attackers continue to exploit.
Researchers warn that the continued use of default credentials in IoT environments will remain a persistent security risk. Even vulnerabilities that require authentication can become critical entry points if weak or unchanged credentials are present, enabling attackers to compromise devices and expand botnet networks with relative ease.
Cybersecurity researchers have identified a previously undocumented malware strain called KadNap that is primarily infecting Asus routers and other internet-facing networking devices. The attackers are using these compromised systems to form a botnet that routes malicious traffic through residential connections, effectively turning infected hardware into anonymous proxy nodes.
The threat was first observed in real-world attacks in August 2025. Since that time, the number of affected devices has grown to more than 14,000, according to investigators at Black Lotus Labs. A large share of infections, exceeding 60 percent, has been detected within the United States. Smaller groups of compromised devices have also been identified across Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.
Researchers report that the malware uses a modified version of the Kademlia Distributed Hash Table (DHT) protocol. This peer-to-peer networking technology enables the attackers to conceal the true location of their infrastructure by distributing communication across multiple nodes. By embedding command traffic inside decentralized peer-to-peer activity, the operators can evade traditional network monitoring systems that rely on detecting centralized servers.
Within this architecture, infected devices communicate with one another using the DHT network to discover and establish connections with command-and-control servers. This design improves the botnet’s resilience, as it reduces the chances that defenders can disable operations by shutting down a single control point.
Once a router or other edge device has been compromised, the system can be sold or rented through a proxy platform known as Doppelgänger. Investigators believe this service is a rebranded version of another proxy operation called Faceless, which previously had links to TheMoon router malware. According to information published on the Doppelgänger website, the service launched around May or June 2025 and advertises access to residential proxy connections in more than 50 countries, promoting what it claims is complete anonymity for users.
Although many of the observed infections involve Asus routers, researchers found that the malware operators are also capable of targeting a wider range of edge networking equipment.
The attack chain begins with the download of a shell script named aic.sh, retrieved from a command server located at 212.104.141[.]140. This script initiates the infection process by connecting the compromised device to the botnet’s peer-to-peer network.
To ensure the malware remains active, the script establishes persistence by creating a cron task that downloads the same script again at the 55-minute mark of every hour. During this process, the file is renamed “.asusrouter” and executed automatically.
After persistence is secured, the script downloads an ELF executable, renames it “kad,” and runs it on the device. This program installs the KadNap malware itself. The malware is capable of operating on hardware that uses ARM and MIPS processor architectures, which are commonly found in routers and networking appliances.
KadNap also contacts a Network Time Protocol (NTP) server to retrieve the current system time and store it along with the device’s uptime. These values are combined to produce a hash that allows the malware to identify and connect with other peers within the decentralized network, enabling it to receive commands or download additional components.
Two additional files used during the infection process, fwr.sh and /tmp/.sose, contain instructions that close port 22, which is the default port used by Secure Shell (SSH). These files also extract lists of command server addresses in IP-address-and-port format, which the malware uses to establish communication with control infrastructure.
According to researchers, the use of the DHT protocol provides the botnet with durable communication channels that are difficult to shut down because its traffic blends with legitimate peer-to-peer network activity.
Further examination revealed that not every infected device communicates with every command server. This suggests the attackers are segmenting their infrastructure, possibly grouping devices based on hardware type or model.
Investigators also noted that routers infected with KadNap may sometimes contain multiple malware infections simultaneously. Because of this overlap, it can be challenging to determine which threat actor is responsible for particular malicious activity originating from those systems.
Security experts recommend that individuals and organizations operating small-office or home-office (SOHO) routers take several precautions. These include installing firmware updates, restarting devices periodically, replacing default administrator credentials, restricting management access, and replacing routers that have reached end-of-life status and no longer receive security patches.
Researchers concluded that KadNap’s reliance on a peer-to-peer command structure distinguishes it from many other proxy-based botnets designed to provide anonymity services. The decentralized approach allows operators to remain hidden while making it significantly harder for defenders to detect and block the network.
In a separate report, security analysts at Cyble disclosed a new Linux malware threat named ClipXDaemon.
The malware targets cryptocurrency users by intercepting wallet addresses that victims copy to their clipboard and secretly replacing them with addresses controlled by attackers. This type of threat is commonly known as clipper malware.
ClipXDaemon is distributed through a Linux post-exploitation framework called ShadowHS and has been described as an automated clipboard-hijacking tool designed specifically for systems running Linux X11 graphical environments.
The malware operates entirely in memory, which reduces traces on disk and improves its ability to remain undetected. It also employs several stealth techniques, including disguising its process names and deliberately avoiding execution in Wayland sessions.
This design choice is intentional because Wayland’s security architecture introduces stricter restrictions on clipboard access. Applications must usually involve explicit user interaction before they can read clipboard contents. By disabling itself when Wayland is detected, the malware avoids triggering errors or suspicious behavior.
Once active in an X11 session, ClipXDaemon continuously checks the system clipboard every 200 milliseconds. If it detects a copied cryptocurrency wallet address, it immediately substitutes it with an attacker-controlled address before the victim pastes the information.
The malware currently targets a wide range of digital currencies, including Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON.
Researchers noted that ClipXDaemon differs significantly from traditional Linux malware families. It does not include command-and-control communication, does not send beaconing signals to remote servers, and does not rely on external instructions to operate.
Instead, the malware generates profits directly by manipulating cryptocurrency transactions in real time, silently redirecting funds when victims paste compromised wallet addresses during transfers.
In January 2026, a construction company in the United Kingdom found an unwelcome presence inside one of its Windows servers. Cybersecurity analysts from eSentire’s Threat Response Unit (TRU) determined that the intruder was a long-running malware network known as Prometei, a botnet with links to Russian threat activity and active since at least 2016.
Although Prometei has been widely observed conducting covert cryptocurrency mining, the investigation showed that this malware can do much more than simply generate digital currency. In this case, it was also capable of capturing passwords and potentially enabling remote control of the affected system.
According to the analysis shared with cybersecurity media, this attack did not involve complex hacking techniques. The initial intrusion appears to have occurred because the attackers were able to successfully log into the server using Remote Desktop Protocol (RDP) with weak or default login credentials. Remote Desktop, a tool used to access computers over a network, can be exploited easily if account passwords are simple.
Prometei is not a single program that drops onto a system. Instead, it operates as a collection of tools designed to carry out multiple functions once it gains access. When the malware first infects a machine, it adds a new service with a name such as “UPlugPlay,” and it creates a file called sqhost.exe to ensure that it relaunches automatically every time the server restarts.
Once these persistence mechanisms are in place, the malware downloads its main functional component, often called zsvc.exe, from a command server linked to an entity identified in analysis as Primesoftex Ltd. This payload is transmitted in encrypted form and disguised to avoid detection.
After establishing itself, Prometei collects basic technical information about the infected system by using legitimate Windows utilities. It then employs credential-harvesting techniques that resemble the behaviour of publicly known tools, capturing passwords stored on the server and within the network. In the course of this activity, Prometei commonly leverages the TOR anonymity network to conceal its command and control communications, making it harder for defenders to trace its actions.
Prometei also has built-in countermeasures to evade analysis and detection. For example, the malware checks for the presence of a specific file called mshlpda32.dll. If this file is absent, instead of crashing or revealing obvious malicious behaviour, the malware executes benign-looking operations that mimic routine system tasks. This is a deliberate method to confuse security researchers and automated analysis tools that attempt to study the malware in safe environments.
In a further twist, once Prometei has established a foothold, it also deploys a utility referred to as netdefender.exe. This component monitors failed login attempts and blocks them, effectively locking out other potential attackers. While this might seem beneficial, its purpose is to ensure that the malicious operator retains exclusive control of the compromised server.
To protect systems from similar threats, cybersecurity experts urge organisations to replace default passwords with complex, unique credentials. They recommend implementing multi-factor authentication for remote access services, keeping software up to date with security patches, and monitoring login activity for unusual access attempts. eSentire has also released specialised analysis tools that allow defenders to unpack Prometei’s components and study its behaviour in controlled settings.
Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.
Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.
Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.
Botnets are created through a structured process that typically involves five key steps:
These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.
Recognizing a compromised device is crucial. Look out for the following warning signs:
If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.
Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:
Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.
Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.
A botnet attack involves a network of compromised computers, or "bots," which are controlled by a single entity, often referred to as a "botmaster." These botnets can be used to launch large-scale cyberattacks such as Distributed Denial-of-Service (DDoS) attacks, which overwhelm a target’s resources, rendering it inaccessible.
In 2016, hackers used the Mirai botnet to take control of millions of devices and launched a huge DDoS attack on Dyn, a major domain name server provider.
Some hackers also take over IoT devices to "brick" them, which means they damage the device’s firmware so it becomes useless. They do this for fun or to teach people about cybersecurity.
As language models become integral in various applications, they present new cyberattack vectors. LLMjacking, or Large Language Model hijacking, involves manipulating language models to generate harmful or misleading information.
Attackers can exploit vulnerabilities in these models to spread misinformation, influence public opinion, or even automate phishing attacks. The rise of AI-powered tools necessitates the implementation of stringent security measures to safeguard against such manipulations.
Companies that utilize cloud-hosted Large Language Models (LLMs) are at risk of LLM jacking because they possess the necessary server resources to operate generative AI programs. Hackers might exploit these resources for personal purposes, such as creating their own images, or for more malicious activities like generating harmful code, contaminating the models, or stealing sensitive information.
While an individual hijacking a cloud-based LLM for personal use might not cause significant damage, the costs associated with resource usage can be substantial. A severe attack could result in charges ranging from $50,000 to $100,000 per day for the owner.
Unlike traditional malware that aims to steal information, ransomware directly extorts victims. Attackers encrypt valuable data and demand payment, often in cryptocurrency, for the decryption key. Organizations of all sizes are potential targets, and the financial and reputational damage can be severe. Preventative measures, including regular data backups and cybersecurity training, are crucial in mitigating the risks of ransomware attacks.
An insider threat comes from within the organization, typically from employees, contractors, or business partners who have inside information concerning the organization’s security practices. These threats can be malicious or unintentional but are dangerous due to the privileged access insiders have.
They may misuse their access to steal sensitive information, disrupt operations, or introduce vulnerabilities. Organizations need to implement strict access controls, regular monitoring, and education to reduce the risk of insider threats.
Man-in-the-middle attacks occur when an attacker intercepts communication between two parties without their knowledge. The attacker can then eavesdrop, manipulate, or steal sensitive information being exchanged.
MitM attacks are particularly concerning for financial transactions and other confidential communications. Encrypted communication channels, strong authentication methods, and educating users about potential risks are effective strategies to prevent such attacks.
Phishing remains one of the most prevalent cyber threats, evolving in sophistication and technique. Attackers use deceptive emails, messages, or websites to trick individuals into divulging personal information such as usernames, passwords, and credit card details.
Spear phishing, a targeted form of phishing, involves personalized attacks on specific individuals or organizations, making them harder to detect. Continuous cybersecurity awareness training and employing advanced email filtering solutions can help protect against phishing schemes.