CyberSecurity

FreeScout Zero-Click Bug: Critical RCE Threatens Helpdesk Security

A Silent Takeover: The FreeScout Zero-Click RCE

Imagine your helpdesk system, a hub for customer communication and sensitive data, being compromised without anyone clicking a link. That’s the stark reality of a newly disclosed maximum-severity vulnerability in the open-source FreeScout platform. Dubbed CVE-2026-28289, or Mail2Shell, this flaw allows an unauthenticated attacker to execute remote code simply by sending a specially crafted email to any address configured within the software.

Security firm Ox Security uncovered the bug, revealing it as a bypass for a previously patched vulnerability (CVE-2026-27636). Their discovery highlights a persistent problem in cybersecurity: incomplete fixes. “We found a patch bypass that let us reproduce the same RCE on newly updated servers,” Ox Security stated. “It shows how quickly inadequate fixes can be circumvented.” The researchers didn’t stop there. They escalated the attack chain, transforming it into a true zero-click threat requiring no user interaction whatsoever.

Widespread Impact and Urgent Mitigation

The potential fallout is severe. With full server control, attackers could exfiltrate all data from helpdesk tickets and mailboxes. They could also pivot laterally to other systems on the network, turning a single compromised application into a gateway for a broader breach. Ox Security estimates thousands of customers may be at risk, noting over 1,100 publicly exposed FreeScout instances.

The immediate action is clear. All FreeScout administrators must upgrade to version 1.8.207 or later without delay. There’s a critical configuration step, too. Even on the latest version, you must disable AllowOverride All in the Apache configuration on the FreeScout server. This layered defense is essential to close the door completely.
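Both mitigation steps above can be checked mechanically. The following is an added example, not code from FreeScout or Ox Security: it compares a version string against 1.8.207 and walks an Apache configuration to report every Directory scope that still sets AllowOverride All. The sample vhost and its paths are constructed assumptions.

```python
import re

# Constructed sample vhost for a FreeScout install; the paths are assumptions.
SAMPLE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/freescout/public
    <Directory /var/www/freescout/public>
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory "/var/www/freescout/storage">
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>
"""

MIN_FIXED = (1, 8, 207)  # fixed release named in the article


def is_patched(version):
    """True when a dotted numeric version string is at least 1.8.207."""
    return tuple(int(p) for p in version.strip().split(".")) >= MIN_FIXED


def find_allowoverride_all(conf_text):
    """Return (line_no, directory) for each 'AllowOverride All' directive.

    AllowOverride All makes Apache honor every directive type found in
    per-directory .htaccess files, so each hit is a scope to set to None.
    """
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        closing = re.match(r"</(\w+)>$", line)
        opening = re.match(r"<(\w+)\s*(.*?)>$", line)
        if closing:
            if stack:
                stack.pop()
        elif opening:                             # track nested sections
            stack.append((opening.group(1), opening.group(2).strip('"')))
        else:
            m = re.match(r"AllowOverride\s+(.+)$", line, re.I)
            if m and m.group(1).strip().lower() == "all":
                scope = next((arg for name, arg in reversed(stack)
                              if name.lower().startswith("directory")), "<global>")
                findings.append((no, scope))
    return findings
```

Run it over the main server configuration and every included vhost file, since Include directives are not followed here.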

The Peril of Patch Bypasses and Incomplete Fixes

This incident isn’t an isolated case. It’s a symptom of a chronic industry issue. Threat actors have made a science of dissecting security patches. “They routinely diff patches, probe fixes, and search for variant exploitation paths within hours of disclosure,” Ox Security warned. A patch that doesn’t address the root cause or misses variant code paths is just a temporary roadblock.

History backs this up. In 2021, Google’s Project Zero found that a quarter of the previous year’s zero-day exploits could have been avoided with more thorough patching. Trend Micro’s Zero Day Initiative later highlighted the staggering cost of faulty updates, estimating it could burden customers with over $400,000 per botched patch. The message is consistent: patch quality and comprehensive root-cause analysis are non-negotiable for security.

Securing Your Helpdesk’s Future

What does this mean for teams running FreeScout or similar software? Vigilance must be continuous. Applying updates promptly is the first step, but it can’t be the last. Administrators should treat every patch as a potential starting point for attackers, not an absolute finish line. Monitoring for anomalous system behavior and maintaining strict network segmentation for critical applications like helpdesks are crucial defensive layers.

The FreeScout vulnerability serves as a powerful reminder. In our interconnected digital environments, a single line of flawed code can become an open invitation. Proactive maintenance, defense-in-depth, and a healthy skepticism toward “fixed” vulnerabilities are the best tools to ensure your helpdesk remains a tool for support, not a vector for attack.

How Hackers Turn DVR Command Injection Flaw into a Botnet Weapon


A new wave of cyberattacks is exploiting a DVR command injection flaw to build a powerful botnet. Security researchers at Fortinet’s FortiGuard Labs have uncovered a campaign targeting TBK digital video recorders (DVRs). The goal? To install a Mirai-based malware strain called Nexcorium. This malware turns infected devices into soldiers for distributed denial-of-service (DDoS) attacks.

Understanding the DVR Command Injection Flaw (CVE-2024-3721)

The vulnerability at the heart of this campaign is CVE-2024-3721. It affects TBK DVR systems, which are widely used in surveillance setups. Attackers send specially crafted requests to the device, abusing a vulnerable parameter. This allows them to execute arbitrary commands on the system. In short, the DVR command injection flaw gives hackers a direct path into the device.

Once inside, the attackers deploy a downloader script. This script fetches malware binaries tailored for different Linux architectures, including ARM, MIPS, and x86-64. The malware then runs with elevated permissions, taking full control of the DVR.

Inside the Nexcorium Botnet: Multi-Stage Infection and Persistence

Nexcorium is a sophisticated variant of the infamous Mirai botnet. After the initial breach, the malware hides its configuration using XOR encoding. This configuration includes command-and-control (C2) server details, attack instructions, and even a built-in credential list for brute-force attacks.

The botnet spreads through multiple methods. It exploits the DVR command injection flaw for initial access. Then, it uses default credentials to move laterally across networks. It also targets additional vulnerabilities, such as CVE-2017-17215, which affects Huawei routers. This multi-pronged approach helps the botnet grow quickly.

Persistence is a key feature of Nexcorium. The malware modifies system initialization files, creates startup scripts, and registers system services. It also schedules recurring tasks via cron jobs. This ensures the malware survives reboots and maintains long-term access.

DDoS Capabilities of the Botnet

Once established, Nexcorium connects to a remote C2 server. The server issues commands for various DDoS attack methods. These include UDP floods, TCP SYN floods, and application-layer attacks like SMTP flooding. The botnet can also terminate attacks or self-destruct on command, showing centralized control.

As Trey Ford, chief strategy and trust officer at Bugcrowd, noted: “The Nexcorium campaign is a precise illustration of why automated scanning alone cannot close the exposure gap. Machine speed analysis tells you a vulnerability exists, but human researcher depth tells you how an adversary will chain it, weaponize it and sustain access long after the initial alert fires.”

How to Protect IoT Devices from Botnet Threats

IoT devices, especially DVRs, are prime targets for botnets like Nexcorium. John Gallagher, vice president of Viakoo Labs, explained: “Enterprises have had their fleets of IoT and OT devices used by Mirai and its variants for some time, particularly for DDoS attacks. Until more action is taken by enterprises to maintain cyber hygiene on IoT devices, this will continue because of the ease of infection and ability to move laterally.”

Security teams should focus on foundational controls. Traditional agent-based tools often fail because IoT devices cannot host agents. Instead, use agentless discovery and remediation solutions. Automated password and certificate management are also critical. Additionally, keep firmware updated to patch known vulnerabilities like CVE-2024-3721.

In conclusion, the exploitation of the DVR command injection flaw highlights a growing trend: attackers targeting overlooked IoT devices. By understanding the attack chain and implementing strong cyber hygiene, organizations can reduce their risk of becoming part of the next botnet.

TechCrunch Disrupt 2026: Get 50% Off a Second Pass and Close More Deals Faster


Time is running out for founders, investors, and operators who want to supercharge their deal-making. For the next four days, you can buy one pass to TechCrunch Disrupt 2026 and get 50% off a second pass of the same ticket type. This offer expires on May 8 at 11:59 p.m. PT. After that, prices rise, and bringing a partner or colleague will cost you significantly more. Register here to secure your plus-one at half price.

In the fast-paced world of startups, access is everything. Many believe that a polished pitch is the key to success, but the reality is that proximity to capital and decision-makers often determines who scales and who stalls. TechCrunch Disrupt 2026 is designed to eliminate the barriers of cold outreach and missed introductions, giving you direct access to the people who can write checks and open doors.

Why Deal Flow Matters More Than Ever

Fundraising is a long game of chasing proximity. Cold emails, ignored LinkedIn messages, and weeks of waiting for replies can drain your momentum. Without access, you watch deals happen without you. That’s where TechCrunch Disrupt 2026 deals come into play. This event compresses the fundraising timeline by putting you in the same room as top-tier investors, all in one place.

Building on this, the event offers several dedicated spaces for meaningful interactions:

  • Startup Battlefield 200: Pitch in front of leading VCs and compete for a $100,000 equity-free prize.
  • Deal Flow Café: A designated area for real, unfiltered conversations between founders and investors.
  • Curated matchmaking: Targeted 1:1 and small-group meetings with investors who align with your sector.
  • Expo Hall proximity: Turn cold outreach into live demos and authentic discussions.

As a result, you shift from chasing attention to securing influence. Your ticket grants you access to candid insights from active founders, top-tier investors, and operators scaling real companies. Speakers include Nina Achadjian of Index Ventures, Josh Reeves of Gusto, and Arsalan Tavakoli-Shiraji of Databricks, among many others.

How Disrupt 2026 Accelerates Fundraising

When TechCrunch Disrupt 2026 takes over Moscone West in San Francisco from October 13–15, more than 10,000 founders, investors, and operators will gather with a single goal: to advance deals. This changes the pace of business immediately. Instead of months of back-and-forth, conversations start and move faster across industry stages, keynotes, roundtables, and investor receptions.

Furthermore, you are not burning resources trying to get into a meeting—you are already in one. Disrupt is a premier global startup event where the ecosystem converges to move ideas, deals, and companies forward. With over 20,000 curated meetings and dedicated environments like investor-founder networking sessions, the event is built for deal flow, not just discussion.

The Power of Proximity

At Disrupt, you are face-to-face with investors who can ask questions on the spot, evaluate your vision directly, and read signals immediately. This feedback loop compresses timelines. What normally takes weeks can take shape in a single day—especially as you move between sessions and conversations across the venue. Check the agenda to plan your time effectively.

In addition, you will find 80+ Side Events across the Bay Area for networking, workshops, and social connections, extending the value of your Disrupt ticket. Bringing a second person with your 50% discount multiplies those moments, allowing you to cover more ground and convert more conversations into real opportunities.

Don’t Miss Your 50% Discount

Buy one pass, get 50% off the second (of the same ticket type). Bring someone who helps you move faster—and put yourself in the room where deals actually start. Register now to secure your two passes before May 8 at 11:59 p.m. PT. After that, the price goes up, and the opportunity to bring a colleague takes a bigger chunk of your budget.

Therefore, if fundraising is already on your roadmap, waiting doesn’t make it easier. It just delays access. Secure your passes today for TechCrunch Disrupt 2026 and close more deals faster.

Formbook Malware Campaign Exploits Multiple Obfuscation Techniques to Evade Detection


Cybercriminals have launched two distinct phishing campaigns, each employing a stealthy infection method, to target organizations running Microsoft Windows. The primary objective? To deploy Formbook, a notorious infostealer malware that has been a staple of malware-as-a-service operations since 2016.

Formbook is designed to harvest sensitive information—login credentials, browser data, and screenshots—while using advanced evasion techniques to slip past security tools. A decade after its debut, this threat remains active across industries, with no signs of slowing down.

How the Formbook Malware Campaign Works

Security researchers at WatchGuard have detailed two new Formbook campaigns in a blog post published on April 20. These attacks target companies in Greece, Spain, Slovenia, Bosnia, Croatia, and several South American countries. The phishing lures are disguised as routine business emails, making them hard to spot.

What sets these campaigns apart is the diversity of evasion methods. One relies on DLL sideloading, while the other uses obfuscated JavaScript. Both aim to deliver the same malicious payload: Formbook.

DLL Sideloading: A Classic Evasion Tactic

The first campaign starts with a phishing email containing an RAR file. Inside, there are four files: three dynamic-link libraries (DLLs) and one Windows executable (EXE). Attackers use DLL sideloading, a technique that tricks a legitimate program into loading a malicious DLL instead of a safe one. This allows the malware to run without triggering alarms.

This method is particularly effective because it abuses trusted system processes. Security teams often struggle to flag such behavior as suspicious, giving attackers a clear path to deploy Formbook.

Obfuscated JavaScript: A Modern Twist

The second campaign takes a different route. It also begins with a phishing email, but this time, the malicious payload hides inside JavaScript and PDF files. The code is heavily obfuscated to evade detection.

When executed, the JavaScript drops two image files. These images contain PowerShell commands, obfuscated within long strings of code. Ultimately, these commands run a Windows executable that deploys a custom malware loader. This loader has previously distributed other threats like Remcos, XWorm, AsyncRAT, and SmokeLoader. In this case, it delivers Formbook.

Why This Formbook Malware Campaign Matters

Formbook is not new, but its persistence and adaptability make it a serious concern. By using multiple obfuscation techniques, attackers can bypass traditional security measures. As a result, organizations must stay vigilant.

WatchGuard advises security teams to monitor for suspicious archive-based email attachments, anomalous DLL loading behavior, and PowerShell execution tied to user-opened attachments. They also recommend watching for signs of manual DLL mapping or direct syscall activity in memory.

Defending Against These Evasion Tactics

To counter these threats, companies should focus on behavior-based detection. Correlating activities across the attack chain—like email attachments, DLL loading, and PowerShell commands—can help identify Formbook infections before data is compromised.
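The correlation described above can be sketched over process and module-load telemetry. This is an added example, not WatchGuard's detection logic: the event records are constructed, the field names are assumptions, and the two rules cover only the two chains the article describes (a DLL loaded from beside an EXE that was opened from an archive, and PowerShell started by a script host running an attachment from a user directory).

```python
from ntpath import basename, dirname  # parses Windows paths on any OS

# Constructed, simplified endpoint events (not real telemetry); field names are assumptions.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 10, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"WinRAR.exe C:\Users\ana\Downloads\invoice.rar"},
    {"type": "proc", "pid": 101, "ppid": 100, "cmd": "viewer.exe",
     "image": r"C:\Users\ana\AppData\Local\Temp\Rar$EX1\viewer.exe"},
    {"type": "load", "pid": 101, "dll": r"C:\Users\ana\AppData\Local\Temp\Rar$EX1\helper.dll"},
    {"type": "load", "pid": 101, "dll": r"C:\Windows\System32\kernel32.dll"},
    {"type": "proc", "pid": 200, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\bo\Downloads\order.js"},
    {"type": "proc", "pid": 201, "ppid": 200, "cmd": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proc", "pid": 300, "ppid": 10, "cmd": "powershell.exe Get-Date",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
ARCHIVERS = {"winrar.exe", "7zfm.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def user_writable(path):
    return "\\users\\" in path.lower()


def correlate(events):
    """Return (rule, pid, artifact) alerts that link events across the chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}

    def ancestors(pid):
        names = []
        while pid in procs:                      # walk up the known process tree
            pid = procs[pid]["ppid"]
            if pid in procs:
                names.append(basename(procs[pid]["image"]).lower())
        return names

    alerts = []
    for e in events:
        if e["type"] == "load" and e["pid"] in procs:
            exe = procs[e["pid"]]["image"]
            same_dir = dirname(e["dll"]).lower() == dirname(exe).lower()
            if user_writable(e["dll"]) and same_dir and ARCHIVERS & set(ancestors(e["pid"])):
                alerts.append(("sideload-from-archive", e["pid"], basename(e["dll"])))
        elif e["type"] == "proc" and basename(e["image"]).lower() == "powershell.exe":
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]).lower() in SCRIPT_HOSTS \
                    and user_writable(parent["cmd"]):
                script = basename(parent["cmd"].split()[-1])
                alerts.append(("powershell-from-script-attachment", e["pid"], script))
    return alerts
```

The system DLL load and the PowerShell process with no script-host parent produce no alert, which is the point of correlating rather than alerting on each event alone.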

Additionally, implementing robust email filtering and endpoint protection solutions can reduce the risk. Employee training on phishing awareness is also crucial, as these attacks often rely on human error.

Conclusion: Staying Ahead of Formbook

This Formbook malware campaign highlights the evolving nature of cyber threats. Attackers are constantly refining their methods, using DLL sideloading and obfuscated JavaScript to stay one step ahead. However, with the right security strategies, organizations can detect and stop these attacks.

By understanding how these evasion techniques work, security teams can better protect their networks. The key is to remain proactive, monitor for unusual behavior, and educate users about the risks of phishing.
