The newly identified Mirai-based Broadside botnet has been targeting vulnerable digital video recorder (DVR) products from TBK Vision in a campaign that could pose a significant threat to the maritime logistics sector, Cydome reports.
The Broadside malware infects TBK DVR devices impacted by CVE-2024-3721, an OS command injection flaw that can be exploited remotely for arbitrary code execution.
The insufficient validation of user-supplied input allows remote, unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
While the flaw was identified on TBK DVR-4104 and DVR-4216 devices, TBK’s models are rebranded and sold under other names as well, including CeNova, HVR Login, Night Owl, Novo, Pulnix, QSee, and Securus.
The security defect was publicly disclosed in April 2024, when proof-of-concept (PoC) code targeting it was already available.
By mid-2025, multiple botnets capable of launching distributed denial-of-service (DDoS) attacks had already been exploiting the flaw.
Kaspersky said in early June that there had been over 50,000 exposed DVR devices, with infections in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
A few weeks later, Fortinet warned of a surge in exploitation attempts, attributed to the Condi, Fodcha, Mirai, and Unstable botnets.
Now, Cydome says the Broadside botnet has joined the fray, targeting vulnerable devices to execute a mass loader script directly in their memory.
The loader blindly attempts to fetch and run payloads targeting all supported architectures, executes the malware in memory, and removes artifacts from the disk to evade detection.
Like other Mirai offspring, the Broadside botnet has DDoS capabilities via UDP flooding, but it employs a custom command-and-control (C&C) protocol and uses Netlink kernel sockets for process monitoring.
Cydome also observed the malware attempting to harvest system credential files, likely for lateral movement into the compromised network.
Additionally, Broadside has a process killer module that attempts to maintain control over the device by terminating processes that match specific patterns, fail checks, or are considered hostile.
The cybersecurity firm underlines the threat the new campaign poses to shipping companies, as the targeted DVRs are typically used on vessels.
Thus, the infected devices could be used to tap into CCTV feeds for a vessel’s bridge, cargo holds, and engine room, to flood a ship’s satellite communication, or to move laterally to critical OT systems on the ship.

