👤 KERNELWATCHER
🗓️ 18 Apr 2026  

“NexusCorp Has Taken Control”: Inside the Shadowy Takeover of Security Cameras by Nexcorium Botnet

A new strain of Mirai malware is hijacking vulnerable DVRs, creating a global network of hacked devices for devastating cyberattacks.

It starts with a flicker on a security monitor - a cryptic message: “NexusCorp has taken control.” What looks like a prank is actually the calling card of a sophisticated cybercriminal crew, signaling that your once-innocuous digital video recorder (DVR) is now a weapon in someone else’s cyber arsenal. In the ongoing arms race between hackers and defenders, the emergence of the Nexcorium malware marks a chilling new chapter.

Anatomy of a Modern Botnet Takeover

The Nexcorium campaign, uncovered by Fortinet’s FortiGuard Labs, represents a calculated strike against one of the weakest links in the Internet of Things (IoT) ecosystem: digital video recorders that power security cameras. These devices, often neglected after installation and rarely updated, present a soft target for attackers. By leveraging the CVE-2024-3721 command injection flaw, hackers can remotely execute code, bypassing security to seize control of the device.

Once inside, Nexcorium doesn’t just settle in - it multiplies. The malware copies itself to multiple folders and schedules automatic tasks, ensuring it survives reboots and attempts at removal. To evade detection, it scrubs its original traces, making forensic analysis difficult. Its most insidious feature, however, is its ambition: after infecting one DVR, Nexcorium scans local networks, hammering away at other devices using a laundry list of common default passwords like “admin123” and “12345.”
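As an added example (not part of the original article or of Fortinet's analysis), here is one defender-side way to spot the lateral spread described above: flag any internal host that racks up failed logins against several distinct devices in a short window. The log format, IP addresses and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format: "timestamp source target service result".
SAMPLE_LOG = """\
2026-04-18T02:14:01 192.168.1.50 192.168.1.10 telnet FAIL
2026-04-18T02:14:02 192.168.1.50 192.168.1.10 telnet FAIL
2026-04-18T02:14:05 192.168.1.50 192.168.1.11 telnet FAIL
2026-04-18T02:14:06 192.168.1.50 192.168.1.11 telnet FAIL
2026-04-18T02:14:09 192.168.1.50 192.168.1.12 ssh FAIL
2026-04-18T02:14:10 192.168.1.50 192.168.1.12 ssh FAIL
2026-04-18T09:00:00 192.168.1.77 192.168.1.10 ssh FAIL
2026-04-18T09:00:20 192.168.1.77 192.168.1.10 ssh FAIL
2026-04-18T09:00:41 192.168.1.77 192.168.1.10 ssh OK
2026-04-18T08:00:00 192.168.1.80 192.168.1.10 ssh FAIL
2026-04-18T11:00:00 192.168.1.80 192.168.1.11 ssh FAIL
2026-04-18T14:00:00 192.168.1.80 192.168.1.12 ssh FAIL
"""

def find_spreaders(log_text, window=timedelta(minutes=5), min_targets=3, min_failures=6):
    """Map each suspicious source to the targets it hit: at least min_failures
    failed logins against min_targets distinct hosts inside one sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _service, result = line.split()
        if result == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside the time window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            targets = {dst for _, dst in span}
            if len(span) >= min_failures and len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged

if __name__ == "__main__":
    for src, targets in find_spreaders(SAMPLE_LOG).items():
        print(f"{src}: failed logins against {len(targets)} hosts: {', '.join(targets)}")
```

In the sample, only 192.168.1.50 is flagged: the user who mistypes a password on one host and the host with a few failures spread across the day both stay below the thresholds.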

Infected devices are then marshaled into a botnet - a vast, distributed army of compromised gadgets. The primary objective: launch Distributed Denial of Service (DDoS) attacks, overwhelming websites and online services with traffic until they collapse under the strain. The malware’s multi-architecture design means it can operate across different hardware, amplifying its reach and threat profile. Nexcorium also exploits older vulnerabilities, such as CVE-2017-17215, further demonstrating the enduring danger of unpatched systems.

What sets this campaign apart is the brazen signature left by the hackers. The Nexus Team, and a coder known as “Erratic,” leave their mark in the malware’s code and the system messages displayed on compromised devices - a rare move that taunts both victims and security professionals.

Why It Matters

Experts warn that automated vulnerability scans alone aren’t enough. As Trey Ford of Bugcrowd points out, true defense requires “continuous adversarial testing” that anticipates the creative chaining and exploitation tactics used by real attackers. Organizations must not only update their devices and change default passwords but also rethink which assets are truly “out of scope.” In the era of Nexcorium, even a forgotten security camera can become a launchpad for global cyber disruption.

Reflecting on the New Normal

The Nexcorium outbreak is a wake-up call: the security of our digital infrastructure is only as strong as its weakest device. As IoT networks sprawl and attackers grow bolder, vigilance, proactive patching, and a willingness to test every digital nook and cranny are the only ways to keep the shadows at bay.

WIKICROOK

  • Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
  • DDoS (Distributed Denial of Service): A DDoS attack overwhelms a website or service with excessive traffic, disrupting normal operations and making it unavailable to real users.
  • IoT (Internet of Things): The Internet of Things refers to everyday devices, like smart appliances or sensors, that are connected to the internet - often making them targets for cyberattacks.
  • Brute force: A brute-force attack is an automated hacking method where attackers try many passwords or keys until they find the correct one to gain unauthorized access.
  • Command injection: Command injection is a vulnerability where attackers trick systems into running unauthorized commands by inserting malicious input into user fields or interfaces.

KERNELWATCHER
Linux Kernel Security Analyst