New Mirai variants target routers and DVRs in parallel campaigns
Hidden inside newly discovered botnet malware is an unusual message from its creator: “AI.NEEDS.TO.DIE”.
Dubbed “tuxnokill” by researchers at Akamai, the malware is one of two fresh Mirai botnet variants documented this month by major cybersecurity firms and, judging by the aforementioned hard-coded string, this particular variant might have been coded the old-fashioned way.
“Tuxnokill” and “Nexcorium”
Based on hits on the company’s global network of honeypots, Akamai found that tuxnokill is spreading through CVE-2025-29635, a command injection flaw in D-Link DIR-823X routers that sat unexploited for a full year after its disclosure in March 2025.
“A public proof of concept (PoC) exploit was shared by the researchers to GitHub and linked to the CVE disclosure, but has since been removed,” the researchers noted. The exploit used by the attacker presents key differences, but targets the same vulnerable code path and triggers the same system() call.
The same threat actor was also observed probing TP-Link Archer AX21 devices via CVE-2023-1389 and ZTE ZXV10 H108L routers with a publicly available exploit.
Meanwhile, Fortinet’s FortiGuard Labs detailed a parallel campaign by a group calling itself “Nexus Team,” which has been targeting TBK digital video recorders (DVRs) via CVE-2024-3721.
Their malware, called “Nexcorium”, is more sophisticated. Like “tuxnokill”, it targets multiple Linux architectures, but it also works to keep its foothold on compromised systems via four separate persistence mechanisms.
“It updates /etc/inittab to make sure the process restarts if it stops. It creates or updates /etc/rc.local to ensure execution at system startup. It then checks common system paths (e.g., /bin/systemctl, /usr/bin/systemctl, and /etc/system/system) and creates a service file at /etc/systemd/system/persist.service, enabling it to run automatically at startup,” the researchers explained.
Finally, it creates a scheduled task using crontab to ensure it runs after reboot. And, after doing all that, it deletes its original binary from the current execution path to evade detection and frustrate analysis.
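The four locations described above are also the four places a defender can check. The following script is an added example written for this article, not code from Fortinet, Akamai or the malware authors: it audits /etc/inittab, /etc/rc.local, the systemd unit directory and the cron spools of a Linux host or a mounted rootfs image. The unit name persist.service is taken from the report; the heuristic for what counts as suspicious (a respawn that is not a getty, or a command launched from /tmp, /var/tmp, /dev/shm or a hidden directory) is an assumption of this example, not an indicator from either vendor. The sample tree it builds in --demo mode is constructed test data.

```shell
#!/bin/sh
# Added example (not vendor or malware code): audit the four persistence
# locations attributed to Nexcorium. Usage: sh audit_persistence.sh ROOT | --demo
# ROOT is "/" for a live host or the mount point of an extracted rootfs.
# Prints one "FOUND:" line per suspicious entry.

# Assumption of this example: binaries run from these paths are suspicious.
SUSPICIOUS='(/tmp/|/var/tmp/|/dev/shm/|/\.[^./])'

audit_persistence() {
    root="${1:-}"

    # 1. /etc/inittab: a respawn entry restarts the process whenever it dies.
    #    Anything respawned that is not a getty/console handler deserves a look.
    if [ -f "$root/etc/inittab" ]; then
        grep -v '^[[:space:]]*#' "$root/etc/inittab" | grep ':respawn:' \
          | grep -v 'getty' | sed 's|^|FOUND: inittab respawn -> |'
    fi

    # 2. /etc/rc.local: runs once at boot; flag commands from suspicious paths.
    if [ -f "$root/etc/rc.local" ]; then
        grep -v '^[[:space:]]*#' "$root/etc/rc.local" | grep -E "$SUSPICIOUS" \
          | sed 's|^|FOUND: rc.local -> |'
    fi

    # 3. systemd: the unit name given in the report, plus any other unit whose
    #    ExecStart points at a suspicious path.
    unit="$root/etc/systemd/system/persist.service"
    if [ -f "$unit" ]; then
        echo "FOUND: systemd unit persist.service -> $(grep '^ExecStart=' "$unit")"
    fi
    for f in "$root"/etc/systemd/system/*.service; do
        [ -f "$f" ] && [ "$f" != "$unit" ] || continue
        grep -E "^ExecStart=.*$SUSPICIOUS" "$f" | sed "s|^|FOUND: ${f#$root} -> |"
    done

    # 4. cron: @reboot jobs and jobs from suspicious paths in the system
    #    crontab, /etc/cron.d and per-user spools (Vixie and BusyBox layouts).
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -E "^@reboot|$SUSPICIOUS" \
          | sed "s|^|FOUND: cron ${f#$root} -> |"
    done
}

# Number of findings, for scripting.
count_findings() {
    audit_persistence "$1" | grep -c '^FOUND:'
}

# Constructed sample rootfs (test data, not a real sample) reproducing all four
# mechanisms: a legitimate getty respawn plus a respawned binary in /tmp, an
# rc.local launcher, the persist.service unit and an @reboot cron job.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/etc/systemd/system" "$root/var/spool/cron/crontabs"
    printf '%s\n' 'tty1::respawn:/sbin/getty 38400 tty1' \
                  '::respawn:/tmp/.x/persist' > "$root/etc/inittab"
    printf '%s\n' '#!/bin/sh' '/tmp/.x/persist &' 'exit 0' > "$root/etc/rc.local"
    printf '%s\n' '[Unit]' 'Description=persist' '[Service]' \
                  'ExecStart=/tmp/.x/persist' 'Restart=always' \
                  '[Install]' 'WantedBy=multi-user.target' \
                  > "$root/etc/systemd/system/persist.service"
    printf '%s\n' '@reboot /tmp/.x/persist' > "$root/var/spool/cron/crontabs/root"
}

case "${1:-}" in
    --demo) d=$(mktemp -d); make_sample_tree "$d"; audit_persistence "$d"; rm -rf "$d" ;;
    "")     echo "usage: $0 ROOT | --demo" >&2 ;;
    *)      audit_persistence "$1" ;;
esac
```

Run it against a mounted firmware image rather than the live device where possible: the binary is deleted from its original path after installation, so the persistence entries, not the dropper, are what remains to find. A getty respawn and an empty rc.local are normal; the demo tree yields exactly four findings, one per mechanism.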
The malware is capable of making the compromised devices engage in DDoS attacks via multiple attack methods. And, interestingly, it comes bundled with an exploit targeting older Huawei devices via CVE-2017-17215.
IoT’s endless security problem
Both campaigns follow a well-known and effective playbook: exploit known vulnerabilities in cheap, unsupported, unpatched IoT hardware, covertly conscript the devices into a botnet, and then use that botnet to launch DDoS attacks.
“Especially when public PoC exploits exist for these vulnerabilities, attackers can easily incorporate them into their exploitation vectors,” Akamai researchers noted.
Unfortunately, end-of-life devices, slow patching cycles, and default credentials continue to hand botnet operators an easy path into home and business networks worldwide.
Both companies have shared indicators of compromise and detection rules.
“We highly recommend that organizations regularly monitor vulnerability disclosures that are relevant to their infrastructure, and apply the proper patches, upgrades, and safeguards to ensure their own operational security,” Akamai advised.

