Threat Research

    IoT devices are increasingly targeted for large-scale attacks due to widespread use, poor patching, and weak security. Threat actors exploit known vulnerabilities to gain access and deploy persistent malware. These infections can spread across devices and enable DDoS attacks. A recent campaign abused CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant....
    We detected active automated scans attempting to exploit CVE-2023-33538 in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N variants). The payloads involved Mirai-like malware designed to download and execute on vulnerable devices. This activity followed CISA adding the CVE to its Known Exploited Vulnerabilities catalog in June 2025....
    An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy, fileless-configured XMRig Monero cryptominer....
    The Resurgence of IoT Malware: Inside the Mirai-Based 'Gayfemboy' Botnet Campaign explores a stealthy and evolving malware strain named "Gayfemboy," initially discovered by a Chinese cybersecurity firm. Over the past year, the malware resurfaced with renewed activity in July, targeting vulnerabilities in IoT devices from vendors like DrayTek, TP-Link, Raisecom, and Cisco....
    Over the past month, there has been a noticeable surge in scanning activity linked to a new botnet campaign exploiting two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both vulnerabilities have been publicly disclosed and are currently being actively targeted, presenting serious threats to device security and overall network stability....