Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign

    Date: 04/20/2026

    Severity: High

    Summary

    IoT devices are increasingly targeted for large-scale attacks due to widespread use, poor patching, and weak security. Threat actors exploit known vulnerabilities to gain access and deploy persistent malware. These infections can spread across devices and enable DDoS attacks. A recent campaign abused CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant. Analysis of its infection chain and behavior reveals insights into the threat actor and potential impact.

    Indicators of Compromise (IOC) List

    Domains/URLs :

    r3brqw3d.b0ats.top

    IP Address :

    84.200.87.36

    176.65.148.186

    Hash : 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "r3brqw3d.b0ats.top" or url like "r3brqw3d.b0ats.top" or siteurl like "r3brqw3d.b0ats.top"

    Detection Query 2 :

    dstipaddress IN ("84.200.87.36","176.65.148.186") or srcipaddress IN ("84.200.87.36","176.65.148.186")

    Detection Query 3 :

    sha256hash IN ("95d1eb12d58206319c514c7240d058c512bb22b31f6ea22ed8be3ae44305c9f7","696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35","89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400","0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe","2ccf23b8165e8c05899aa7ba4755b896ebf1d20d3b701cffdc768482486b0a74","e4789416c35b345e75c023a8c07c207c79937c6a5444e1c29d85d18d2f660d8c","9b805585c457811d2c5c5664ede9ee869b53e3c9999100505d7ee8de7f855fdf","838e35b62a6b38675e467301166cdcc54f98d528fe43d56936caeffec88ac696","37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21","7c01d5b53861cd34e10a79fdea16dcf08bce9c78ed72abd6d6f3e9ce75a24734","29404df12a7723ce46c8b199c88a808aa315dd8ff8fd1e06a34ccd3d16f4553b","b1274de00a7f3d7ab9792ec3456e9d5bf057738666f34183f1d72060e2d4f678","721c7cb2109ec97c14413cb8b58ddce0ecf0c1f13f22ee4f72eed79b57592cf5")
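The network indicators from Detection Queries 1 and 2, applied to plain log records as an added Python example (not Gurucul's or Fortinet's code). It reuses the field names from the queries above; the host normalization, subdomain matching and IPv4-mapped IPv6 handling go beyond what the queries state and are assumptions of this example, as are the sample records.

```python
import ipaddress
from urllib.parse import urlsplit

# Network indicators from this advisory's IOC list (Detection Queries 1 and 2).
IOC_DOMAINS = {"r3brqw3d.b0ats.top"}
IOC_IPS = {ipaddress.ip_address(a) for a in ("84.200.87.36", "176.65.148.186")}
HOST_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")

def host_of(value):
    """Return the lower-cased host of a bare hostname or URL, without port or trailing dot."""
    text = (value or "").strip()
    if "://" not in text:
        text = "//" + text  # make urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(text).hostname or ""
    except ValueError:  # malformed value, e.g. an unbalanced IPv6 bracket
        return ""
    return host.rstrip(".")

def ip_of(value):
    """Parse an address, unwrapping IPv4-mapped IPv6; return None if it is not an IP."""
    try:
        addr = ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None
    return getattr(addr, "ipv4_mapped", None) or addr

def match_event(event):
    """Return the (field, indicator) hits for one log record given as a dict of strings."""
    hits = []
    for field in HOST_FIELDS:
        host = host_of(event.get(field))
        for ioc in IOC_DOMAINS:
            # Exact host or a subdomain of it; look-alike prefixes do not match.
            if host == ioc or host.endswith("." + ioc):
                hits.append((field, ioc))
    for field in IP_FIELDS:
        addr = ip_of(event.get(field))
        if addr in IOC_IPS:
            hits.append((field, str(addr)))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "84.200.87.36"},
    {"url": "http://R3BRQW3D.B0ATS.TOP.:8080/x", "dstipaddress": "::ffff:176.65.148.186"},
    {"domainname": "notr3brqw3d.b0ats.top", "dstipaddress": "192.0.2.10"},
]
```

The third sample record is a look-alike hostname that a naive substring match would flag; here it produces no hit.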

    Reference:    

    https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign


    Tags

    Threat Actor, Vulnerability, CVE-2024, Exploit, Mirai, Botnet, DDoS Attacks
