☣️ Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

「 The attack activity outlined by Fortinet involves the exploitation of CVE-2024-3721 to obtain and drop a downloader script, which then launches the botnet payload based on the Linux system's architecture. Once the malware is executed, it displays a message stating "nexuscorp has taken control." 」

https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html

#iot #ddos #botnet #cybersecurity

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

CVE-2024-3721 and CVE-2023-33538 exploited in TBK DVRs and EoL TP-Link routers, enabling Mirai variants and DDoS risk.

The Hacker News

📰 Stealthy 'PowMix' Botnet Targets Czech Workforce with Evasive C2 Communications

Cisco Talos uncovers 'PowMix,' a new botnet targeting the Czech Republic. Uses randomized C2 beaconing and embeds data in URL paths to evade detection. 🇨🇿 #Botnet #PowMix #Malware #ThreatIntel #CiscoTalos

🔗 https://cyber.netsecops.io/articles/stealthy-powmix-botnet-targets-czech-republic-workforce/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

Stealthy 'PowMix' Botnet Targets Czech Workforce with Evasive C2 Communications

Researchers at Cisco Talos have identified 'PowMix,' a new botnet targeting the Czech workforce with stealthy C2 techniques, including randomized beaconing and data embedding in URL paths.

CyberNetSec.io

📢⚠️ #Nexcorium, a new Mirai-based malware, is targeting DVR devices to turn them into a botnet for DDoS attacks worldwide.

Read: https://hackread.com/mirai-variant-nexcorium-dvr-devices-ddos-attacks/

#CyberSecurity #Mirai #DDoS #Malware #Botnet

New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks

Fortinet's team has discovered Nexcorium, a new Mirai-based malware targeting TBK DVR systems to turn them into a botnet for DDoS attacks.

Hackread - Cybersecurity News, Data Breaches, AI and More

A Deep Dive Into Attempted Exploitation of CVE-2023-33538

Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy Mirai-like botnet malware, specifically variants associated with the Condi IoT botnet. Through firmware emulation and reverse engineering, researchers confirmed the vulnerability exists but discovered that successful exploitation requires authentication. The in-the-wild attacks contained critical flaws: they targeted the wrong parameter (ssid instead of ssid1), lacked authentication, and relied on utilities not present in the router firmware. The command injection vulnerability in the WlanNetworkRpm endpoint allows remote attackers to execute arbitrary commands when authenticated. The malware establishes C2 communication and propagates across architectures. TP-Link confirmed affected devices are end-of-life with no patc...

Pulse ID: 69e1f0ddb1aa33b71576ca92
Pulse Link: https://otx.alienvault.com/pulse/69e1f0ddb1aa33b71576ca92
Pulse Author: AlienVault
Created: 2026-04-17 08:35:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CISA #CyberSecurity #Endpoint #InfoSec #IoT #Malware #Mirai #OTX #OpenThreatExchange #Vulnerability #bot #botnet #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

New.

Google Threat Intelligence and Mandiant: Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities

Cisco: PowMix botnet targets Czech workforce https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/ @TalosSecurity

Barracuda Threat Spotlight: Tycoon 2FA didn’t die — it’s scattered everywhere https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere

Abnormal Security: AI Meets Voice Phishing: How ATHR Automates the Full TOAD Attack Chain https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks #Google #infosec #LLM #threatintel #threatintelligence #botnet #phishing

Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever | Google Cloud Blog

Recommendations in preparation for advances in AI model-powered exploitation and the mass identification of security vulnerabilities.

Google Cloud Blog

1 TB of proxies, bro.
Promise this is legit, bro.
Just sign up, bro.
We power proxies for about 10k teams, bro.
2.6M owned IPs, bro.
No credit card, bro.
I know the email address looks sketchy, bro.
It's definitely legit, bro.
You'll see the 1TB, bro.

#InfoSec #BotNet #Proxy #Bro

CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace

Three days after disclosure of a critical pre-authorization remote code execution vulnerability in the marimo Python notebook platform, multiple threat actors deployed malware hosted on HuggingFace Spaces. A previously undocumented NKAbuse variant was delivered through a typosquatted HuggingFace Space, utilizing NKN blockchain for command and control. Between April 11-14, 2026, eleven unique source IPs across ten countries generated 662 exploit events. Attack patterns included reverse shell campaigns, credential extraction targeting AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases via leaked credentials. The malware binary was disguised as a legitimate Kubernetes tool named kagent and implemented persistence through systemd services, crontab entries, and macOS LaunchAgents. This operation demonstrates threat actors specifically targeting AI/ML infrastructure and leveraging trusted platforms for malware distribution.

Pulse ID: 69e09f9d80e986921250a6f3
Pulse Link: https://otx.alienvault.com/pulse/69e09f9d80e986921250a6f3
Pulse Author: AlienVault
Created: 2026-04-16 08:36:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #BlockChain #CyberSecurity #DNS #InfoSec #Mac #MacOS #Malware #NKAbuse #OTX #OpenThreatExchange #PostgreSQL #Python #RAT #RCE #Redis #RemoteCodeExecution #Rust #SQL #Vulnerability #bot #botnet #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

"An attack wave is currently being observed that, according to experts, is without equal. The campaign operates under the name Redheberg and, according to the Austrian security specialist Risikomonitor, already encompasses around 80,000 devices in 91 countries. Around 2,000 more devices are reportedly being added every day."

https://www.itmagazine.ch/artikel/86960/Riesige_Botnet-Kampagne_2000_neu_kompromittierte_Geraete_taeglich.html

#cybersecurity #botnet #router

A Qrator Labs report shows DDoS attacks scaling fast, with a 13.5M-device botnet now capable of launching 2 Tbps attacks. FinTech and betting sectors remain top targets.

Read: https://hackread.com/botnet-device-drives-2-tbps-ddos-attacks-fintech/

#DDoS #CyberSecurity #FinTech #Botnet #CyberAttack

13.5M Device Botnet Drives 2 Tbps DDoS Attacks on FinTech, Qrator Finds

Qrator Labs reveals DDoS attacks driven by a 13.5M-device botnet, reaching 2 Tbps, with FinTech and betting firms among top targets.

Hackread - Cybersecurity News, Data Breaches, AI and More

Q1 2026 Malware Statistics Report for Linux SSH Servers

Analysis of attacks against Linux SSH servers during Q1 2026 reveals P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy tools on compromised systems, attributed to a suspected Chinese threat actor. Attackers employed SSH brute-force techniques to gain access, executed reconnaissance commands to assess system information, and deployed V2Ray for proxy node operations. The campaign targeted poorly secured SSH servers with weak credentials, emphasizing the need for strong password policies, access controls, and network monitoring to detect unusual outbound connections and proxy-related activities.

Pulse ID: 69de00c30406a5cbb6ba9eef
Pulse Link: https://otx.alienvault.com/pulse/69de00c30406a5cbb6ba9eef
Pulse Author: AlienVault
Created: 2026-04-14 08:54:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CoinMiner #CyberSecurity #DDoS #DoS #ICS #InfoSec #Linux #Malware #Mirai #OTX #OpenThreatExchange #Password #Proxy #RAT #RCE #SSH #Word #Worm #bot #botnet #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange