<h1>Mirai Botnet Evolves Again, Targeting Unpatched TBK DVRs With New Exploit</h1>
<p data-start="327" data-end="602">A fresh variant of the Mirai malware is on the loose, and it&#8217;s already hijacking thousands of digital video recorders through an exploit that&#8217;s been publicly known for weeks. The devices are falling fast, and the consequences could ripple far beyond what’s visible right now.</p>
<p data-start="604" data-end="893">Security experts are sounding the alarm after seeing a surge in infections linked to CVE-2024-3721—a command injection flaw affecting TBK DVR-4104 and DVR-4216 models. And here&#8217;s the kicker: many of these units are rebranded and spread globally under names people might not even recognize.</p>
<h2 data-start="895" data-end="937">Exploit Went Public, Hackers Moved Fast</h2>
<p data-start="939" data-end="1269">This all started back in April 2024, when a researcher going by the handle &#8220;netsecfish&#8221; publicly disclosed the CVE-2024-3721 vulnerability. The flaw lets attackers send specially crafted POST requests to certain endpoints, tricking the devices into running shell commands by fiddling with two specific parameters: <code data-start="1253" data-end="1258">mdb</code> and <code data-start="1263" data-end="1268">mdc</code>.</p>
<p data-start="1271" data-end="1415">At the time, the proof-of-concept code seemed technical and low-risk for most people. But within weeks, malware authors turned it into a weapon.</p>
<p data-start="1417" data-end="1625">Now, Kaspersky reports their honeypots are capturing live exploitation attempts. The attackers are pushing a Mirai botnet variant onto vulnerable devices—mostly Linux-based DVRs running on ARM32 architecture.</p>
<p data-start="1417" data-end="1625"><a href="https://www.theibulletin.com/wp-content/uploads/2025/06/tbk-vision-dvr-malware-botnet-infection-2024.jpg"><img class="aligncenter size-full wp-image-57633" src="https://www.theibulletin.com/wp-content/uploads/2025/06/tbk-vision-dvr-malware-botnet-infection-2024.jpg" alt="tbk vision dvr malware botnet infection 2024" width="1462" height="824" /></a></p>
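<p>The article names the two request parameters abused by CVE-2024-3721 but not the endpoint, so the following added example (written for this page, not code from netsecfish, Kaspersky or TBK) flags POST requests whose <code>mdb</code> or <code>mdc</code> values carry shell metacharacters, the hallmark of a command-injection attempt. It assumes a constructed <code>src_ip|method|target|body</code> record format (a WAF or reverse proxy in front of the DVR that logs bodies) and uses a placeholder path in place of the real endpoint.</p>

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The two parameters the article names as the injection points for CVE-2024-3721.
SUSPECT_PARAMS = ("mdb", "mdc")
# Shell metacharacters (separators, pipes, backticks, $-substitution, redirects)
# that have no legitimate place in a DVR form field.
SHELL_META = re.compile(r"[;|&`$<>\n]")

def suspicious_params(method, target, body=""):
    """Return {param: decoded_value} for mdb/mdc values that contain shell metacharacters.
    Only POST requests count, matching the vector the article describes."""
    if method.upper() != "POST":
        return {}
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    hits = {}
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            # parse_qs already decoded once; decoding again catches double-encoded values.
            decoded = unquote_plus(value)
            if SHELL_META.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Scan constructed 'src_ip|method|target|body' records; return [(src_ip, hits), ...]."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        src_ip, method, target, body = line.split("|", 3)
        hits = suspicious_params(method, target, body)
        if hits:
            alerts.append((src_ip, hits))
    return alerts

# Constructed sample traffic (RFC 5737 addresses; /dvr/ENDPOINT_PLACEHOLDER stands in for
# the real endpoint, which the article does not name). Lines 2 and 4 carry metacharacters,
# line 4 double-encoded; line 3 is a GET and is deliberately ignored.
SAMPLE_LOG = """\
198.51.100.20|POST|/dvr/ENDPOINT_PLACEHOLDER|mdb=admin&mdc=config
198.51.100.21|POST|/dvr/ENDPOINT_PLACEHOLDER|mdb=a%3Bb&mdc=config
198.51.100.22|GET|/dvr/ENDPOINT_PLACEHOLDER?mdb=a%3Bb|
198.51.100.23|POST|/dvr/ENDPOINT_PLACEHOLDER?mdc=%2524%2528x%2529|mdb=ok
"""
```

<p>Running <code>scan_log(SAMPLE_LOG.splitlines())</code> reports the second and fourth sources; a hit is a reason to check the device's firmware and isolate it, not proof of compromise.</p>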
<h2 data-start="1627" data-end="1671">What Happens Once the Device Is Infected?</h2>
<p data-start="1673" data-end="1822">Once the malware lands on the DVR, it quickly connects to its command-and-control (C2) server. From there, the infected device doesn’t just sit idle.</p>
<p data-start="1824" data-end="2113">It becomes part of a broader botnet army, ready to launch Distributed Denial-of-Service (DDoS) attacks, act as a relay for malicious traffic, or even participate in other cybercrimes. These devices, usually sitting unnoticed in server rooms or closets, become digital mercenaries for hire.</p>
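<p>A DVR that starts beaconing to a C2 server or flooding a target changes its outbound traffic pattern, which is something a network owner can watch for even when the device itself cannot be inspected. The following is an added example written for this page (not code from the article or from Kaspersky): it takes constructed flow records, assumes a DVR asset list and that DVRs here only legitimately need DNS and NTP outbound, and separates lone connections to unexpected ports (beacon-like) from high-volume connections to one destination (flood-like).</p>

```python
from collections import Counter

# Constructed asset list: hosts on this network known to be DVRs (RFC 5737 addresses).
DVR_HOSTS = {"192.0.2.10", "192.0.2.11"}
# Assumption: the only outbound services these DVRs legitimately need are DNS and NTP.
ALLOWED_OUTBOUND_PORTS = {53, 123}
# Connections to one destination within a window before we treat it as flood traffic.
FLOOD_THRESHOLD = 50

def analyse_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port) outbound connections in one window.
    Returns (beacon_candidates, flood_candidates), each a sorted list of
    (src_ip, dst_ip, dst_port). Sources that are not DVRs are ignored."""
    per_target = Counter()
    for src, dst, dport in flows:
        if src in DVR_HOSTS:
            per_target[(src, dst, dport)] += 1
    floods = {key for key, n in per_target.items() if n >= FLOOD_THRESHOLD}
    # Anything else leaving a DVR towards a non-allowlisted port is a beacon candidate.
    beacons = {
        key for key in per_target
        if key[2] not in ALLOWED_OUTBOUND_PORTS and key not in floods
    }
    return sorted(beacons), sorted(floods)

# Constructed window: one NTP sync, one lone HTTPS connection from a DVR (beacon-like),
# 60 connections from another DVR to a single web server (flood-like), and one
# workstation connection that must be ignored because the source is not a DVR.
SAMPLE_FLOWS = (
    [("192.0.2.10", "192.0.2.1", 123)]
    + [("192.0.2.10", "198.51.100.5", 443)]
    + [("192.0.2.11", "203.0.113.9", 80)] * 60
    + [("192.0.2.50", "198.51.100.5", 443)]
)

if __name__ == "__main__":
    beacons, floods = analyse_flows(SAMPLE_FLOWS)
    print("possible C2 beacons:", beacons)
    print("possible DDoS participation:", floods)
```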
<p data-start="2115" data-end="2186">And let’s be honest—no one checks their DVR firmware updates regularly.</p>
<h2 data-start="2188" data-end="2225">Exposure Numbers Aren’t Reassuring</h2>
<p data-start="2227" data-end="2387">According to netsecfish&#8217;s initial estimate, around 114,000 of these DVRs were exposed online back in 2023. That number might have dipped since, but not by much.</p>
<p data-start="2389" data-end="2607">Kaspersky’s latest scans suggest 50,000 devices are still wide open. That’s not a small number, especially when each of those machines can play a role in crippling online infrastructure through coordinated attacks.</p>
<ul>
<li>Infections seem concentrated in countries like China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.</li>
<li>But this is based solely on Kaspersky’s telemetry, so it is not a full picture.</li>
<li>Plus, since Kaspersky software is restricted in many regions, the real spread could be broader.</li>
</ul>
<h2 data-start="2984" data-end="3025">The Update Dilemma and Brand Confusion</h2>
<p data-start="3027" data-end="3185">Here&#8217;s where things get murky. The affected DVR-4104 and DVR-4216 devices aren&#8217;t just sold under the TBK Vision label. They&#8217;ve been rebranded dozens of times.</p>
<p data-start="3187" data-end="3359">Users might have bought them thinking they were getting something from brands like Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, or Night OWL. That’s just to name a few.</p>
<p data-start="3361" data-end="3596">Trying to figure out whether a patch exists—or if the vendor even still supports the model—is often a dead end. TBK Vision hasn’t publicly confirmed if updates are out. BleepingComputer reached out, but there&#8217;s still no word from them.</p>
<p data-start="3598" data-end="3624">So, what are we left with?</p>
<table data-start="3626" data-end="4178">
<thead data-start="3626" data-end="3704">
<tr data-start="3626" data-end="3704">
<th data-start="3626" data-end="3648" data-col-size="sm">DVR Brand Alias</th>
<th data-start="3648" data-end="3671" data-col-size="sm">Based on TBK Models?</th>
<th data-start="3671" data-end="3704" data-col-size="sm">Patch Availability Confirmed?</th>
</tr>
</thead>
<tbody data-start="3784" data-end="4178">
<tr data-start="3784" data-end="3862">
<td data-start="3784" data-end="3806" data-col-size="sm">CeNova</td>
<td data-start="3806" data-end="3829" data-col-size="sm">Yes</td>
<td data-start="3829" data-end="3862" data-col-size="sm">Unknown</td>
</tr>
<tr data-start="3863" data-end="3941">
<td data-start="3863" data-end="3885" data-col-size="sm">QSee</td>
<td data-start="3885" data-end="3908" data-col-size="sm">Yes</td>
<td data-start="3908" data-end="3941" data-col-size="sm">Unknown</td>
</tr>
<tr data-start="3942" data-end="4020">
<td data-start="3942" data-end="3964" data-col-size="sm">Night OWL</td>
<td data-start="3964" data-end="3987" data-col-size="sm">Yes</td>
<td data-start="3987" data-end="4020" data-col-size="sm">Unconfirmed</td>
</tr>
<tr data-start="4021" data-end="4099">
<td data-start="4021" data-end="4043" data-col-size="sm">Pulnix</td>
<td data-start="4043" data-end="4066" data-col-size="sm">Yes</td>
<td data-start="4066" data-end="4099" data-col-size="sm">Unknown</td>
</tr>
<tr data-start="4100" data-end="4178">
<td data-start="4100" data-end="4122" data-col-size="sm">Securus</td>
<td data-start="4122" data-end="4145" data-col-size="sm">Yes</td>
<td data-start="4145" data-end="4178" data-col-size="sm">No official comment</td>
</tr>
</tbody>
</table>
<p>This leaves thousands of consumers and small businesses hanging with potentially compromised devices.</p>
<h2 data-start="4283" data-end="4329">Researchers Say This Isn’t an Isolated Case</h2>
<p data-start="4331" data-end="4604">Netsecfish hasn’t been quiet this year. The same researcher previously uncovered backdoor accounts and command injection bugs affecting thousands of end-of-life (EoL) D-Link routers. Those flaws, too, were scooped up by attackers almost immediately after public disclosure.</p>
<p data-start="4606" data-end="4791">There’s a pattern here—malware authors are watching GitHub and security blogs like hawks. The window between a vulnerability disclosure and active exploitation has practically vanished.</p>
<p data-start="4875" data-end="5092">The Mirai variant currently in use is performing the usual environment checks before deploying itself—avoiding sandboxes, seeking persistence, and ensuring its architecture matches. Nothing fancy, but still effective.</p>
<h2 data-start="5094" data-end="5147">No Clear Path to Protection, But One Harsh Reality</h2>
<p data-start="5149" data-end="5325">The sad part? Most people who own these DVRs probably won’t ever know they’re vulnerable. They’re low-maintenance devices, and unless something breaks, no one logs in to check.</p>
<p data-start="5327" data-end="5471">Meanwhile, attackers keep expanding their control. The botnet doesn’t need thousands of new nodes every day—just enough to keep attacks rolling.</p>
<p data-start="5473" data-end="5616">Even more concerning: the DDoS-for-hire market thrives on this kind of silent compromise. For a few bucks, anyone can rent a part of the swarm.</p>