
New Mirai variants hit routers and DVRs in dual campaigns

Originally published on: April 23, 2026
Summary

– A new Mirai botnet variant called “tuxnokill” contains the hard-coded message “AI.NEEDS.TO.DIE” and exploits a command injection flaw in D-Link DIR-823X routers.
– “Tuxnokill” spreads through CVE-2025-29635, a vulnerability that remained unpatched for a year after its disclosure, using a modified exploit targeting the same code path.
– A second botnet variant named “Nexcorium” by the “Nexus Team” targets TBK digital video recorders via CVE-2024-3721 and uses four persistence mechanisms, including systemd and crontab.
– “Nexcorium” deletes its original binary after installation and bundles an exploit for older Huawei devices via CVE-2017-17215.
– Both campaigns exploit known vulnerabilities in unpatched IoT devices, highlighting ongoing security issues with end-of-life hardware and slow patching cycles.

Researchers at Akamai have uncovered a new Mirai botnet variant called “tuxnokill,” which carries a striking embedded message from its creator: “AI.NEEDS.TO.DIE.” This discovery, alongside a separate campaign detailed by Fortinet’s FortiGuard Labs, highlights the persistent threat posed by IoT botnet malware targeting vulnerable hardware.

Two New Mirai Variants Emerge

Akamai’s analysis reveals that tuxnokill is actively spreading by exploiting CVE-2025-29635, a command injection vulnerability affecting D-Link DIR-823X routers. This flaw remained unpatched for a full year after its disclosure in March 2025. The researchers noted that while a public proof of concept (PoC) exploit was initially shared on GitHub and linked to the CVE, it has since been removed. The attacker’s exploit differs in approach but targets the same vulnerable code path and triggers the same system() call.

The same threat actor has also been observed probing TP-Link Archer AX21 devices via CVE-2023-1389 and ZTE ZXV10 H108L routers using a publicly available exploit.

In a parallel effort, Fortinet’s FortiGuard Labs identified a campaign by a group calling itself “Nexus Team,” which targets TBK digital video recorders (DVRs) via CVE-2024-3721. Their malware, dubbed “Nexcorium,” is more advanced. Like tuxnokill, it supports multiple Linux architectures, but it also employs four separate persistence mechanisms to maintain control over compromised devices.

“It updates /etc/inittab to make sure the process restarts if it stops. It creates or updates /etc/rc.local to ensure execution at system startup. It then checks common system paths (e.g., /bin/systemctl, /usr/bin/systemctl, and /etc/system/system) and creates a service file at /etc/systemd/system/persist.service, enabling it to run automatically at startup,” the researchers explained. Finally, it adds a scheduled task via crontab to ensure execution after reboot. Once all persistence measures are in place, it deletes its original binary from the current execution path to hinder analysis.
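The four persistence locations quoted above, plus the self-deletion that follows, leave host-side traces a defender can check for. The following Python triage script is an added example (not Akamai's or Fortinet's tooling, and not code from the report) that inspects each artefact the article names: /etc/inittab respawn entries, /etc/rc.local, systemd unit files including the reported /etc/systemd/system/persist.service, and crontab. It also checks one side effect of the binary being deleted while the process keeps running: on Linux, /proc/<pid>/exe for such a process resolves to a target ending in "(deleted)". The file contents, the crontab `@reboot` schedule, the scratch-directory deny list and the path /tmp/.cache/x are all constructed assumptions for the demo, not indicators from the report.

```python
"""Defensive triage for the Nexcorium-style persistence artefacts named in
the article. Added example; file contents and paths below are constructed."""
import re
from dataclasses import dataclass

# Assumption: boot-time entries rarely execute from scratch directories.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/mnt/")
UNIT_PATH = "/etc/systemd/system/persist.service"   # unit path named in the report


@dataclass(frozen=True)
class Finding:
    source: str   # artefact that produced the hit
    detail: str   # offending line or fact


def _exec_from_suspicious_dir(line: str) -> bool:
    """True if the command line references a scratch directory."""
    return any(d in line for d in SUSPICIOUS_DIRS)


def scan_inittab(text: str) -> list[Finding]:
    # inittab line: id:runlevels:action:process ; 'respawn' restarts a dying process
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4 and parts[2] == "respawn" and _exec_from_suspicious_dir(parts[3]):
            out.append(Finding("/etc/inittab", line))
    return out


def scan_rc_local(text: str) -> list[Finding]:
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and _exec_from_suspicious_dir(line):
            out.append(Finding("/etc/rc.local", line))
    return out


def scan_systemd_units(units: dict[str, str]) -> list[Finding]:
    """units maps unit-file path -> file contents."""
    out = []
    for path, text in units.items():
        if path == UNIT_PATH:
            out.append(Finding(path, "unit path matches the one named in the report"))
        m = re.search(r"^ExecStart=(.*)$", text, re.M)
        if m and _exec_from_suspicious_dir(m.group(1)):
            out.append(Finding(path, m.group(0)))
    return out


def scan_crontab(text: str) -> list[Finding]:
    # Assumption: an @reboot entry is the simplest "run after reboot" schedule;
    # the report does not say which schedule the malware writes.
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@reboot") or (
            line and not line.startswith("#") and _exec_from_suspicious_dir(line)
        ):
            out.append(Finding("crontab", line))
    return out


def find_deleted_binaries(exe_links: dict[int, str]) -> list[Finding]:
    """exe_links maps pid -> os.readlink('/proc/<pid>/exe'); a process whose
    binary was unlinked after launch shows a target ending in ' (deleted)'."""
    return [Finding(f"/proc/{pid}/exe", target)
            for pid, target in exe_links.items() if target.endswith(" (deleted)")]


# Constructed sample host state (one benign and one suspicious entry per artefact).
SAMPLE_INITTAB = ("::sysinit:/etc/init.d/rcS\n"
                  "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
                  "x1::respawn:/tmp/.cache/x\n")
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n/usr/sbin/ntpd -g\n/tmp/.cache/x &\nexit 0\n"
SAMPLE_UNITS = {
    UNIT_PATH: "[Unit]\nDescription=persist\n[Service]\nExecStart=/tmp/.cache/x\n"
               "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/ntp.service": "[Service]\nExecStart=/usr/sbin/ntpd -n\n",
}
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n@reboot /tmp/.cache/x\n"
SAMPLE_EXE_LINKS = {1: "/sbin/init", 2041: "/usr/sbin/sshd", 3177: "/tmp/.cache/x (deleted)"}


def run_demo() -> list[Finding]:
    """Run every check over the constructed sample and return all findings."""
    return (scan_inittab(SAMPLE_INITTAB) + scan_rc_local(SAMPLE_RC_LOCAL)
            + scan_systemd_units(SAMPLE_UNITS) + scan_crontab(SAMPLE_CRONTAB)
            + find_deleted_binaries(SAMPLE_EXE_LINKS))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.source}: {f.detail}")
```

On a live host the same functions take `open('/etc/inittab').read()`, the output of `crontab -l`, a walk of /etc/systemd/system, and `os.readlink` over /proc/*/exe; the deny list is the part to tune per device, since a legitimate embedded image may run from unusual paths.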

Nexcorium can launch DDoS attacks using multiple methods and, notably, includes an exploit targeting older Huawei devices via CVE-2017-17215.

The Endless IoT Security Problem

Both campaigns follow a familiar and effective playbook: exploit known vulnerabilities in cheap, unsupported, or unpatched IoT hardware, covertly conscript them into a botnet, and use those botnets for DDoS attacks. “Especially when public PoC exploits exist for these vulnerabilities, attackers can easily incorporate them into their exploitation vectors,” Akamai researchers noted.

Unfortunately, end-of-life devices, slow patching cycles, and default credentials continue to give botnet operators an easy path into home and business networks worldwide. Both companies have shared indicators of compromise (IOCs) and detection rules.

“We highly recommend that organizations regularly monitor vulnerability disclosures that are relevant to their infrastructure, and apply the proper patches, upgrades, and safeguards to ensure their own operational security,” Akamai advised.

(Source: Help Net Security)
