A sophisticated new variant of the Mirai botnet, named “Broadside,” has emerged as an active threat targeting maritime shipping companies and vessel operators.
The malware exploits a critical vulnerability in TBK Digital Video Recorder (DVR) devices used for security monitoring on cargo ships and maritime logistics vessels.
This discovery marks a significant shift in how modern botnet attacks operate, moving beyond simple denial-of-service campaigns to include advanced credential harvesting and lateral movement tactics.
The Broadside campaign began gaining momentum in recent months, with Cydome security analysts tracking multiple active infrastructure components.
The botnet demonstrates a level of sophistication rarely seen in updated Mirai variants, incorporating custom command-and-control protocols and advanced persistence mechanisms specifically designed to evade detection.
Unlike earlier Mirai versions that relied on standard communication methods, Broadside employs a unique “Magic Header” signature (0x36694201) hardcoded into every control packet, enabling secure communication while remaining difficult to detect through conventional network monitoring, as noted by Cydome researchers.
Attack Vector
The initial attack vector exploits CVE-2024-3721, a critical remote command-injection vulnerability in the /device.rsp endpoint of TBK DVR systems.
Attackers send specially crafted HTTP POST requests to deploy a loader script that downloads the malware binary across multiple processor architectures, including ARM, MIPS, x86, and PowerPC variants.
Once executed, the malware immediately removes itself from disk and resides entirely in memory to avoid detection by file-based security tools.
Cydome security analysts and researchers identified that Broadside uses two distinct process-monitoring methods.
The malware first attempts to enable “Smart Mode,” which uses Netlink kernel sockets to receive real-time system notifications about process activity.
This approach minimizes CPU overhead and allows the bot to operate stealthily. If kernel restrictions prevent this method, Broadside switches to “Panic Mode,” aggressively scanning the /proc directory every 0.1 seconds to identify competing processes or security tools.
This dual-mode approach ensures the malware maintains persistent control over infected systems regardless of system configuration.
The malware’s process-killer module, which the researchers dubbed the “Judge, Jury, and Executioner,” actively hunts down competing malware and potential security tools, terminating any processes that match specific patterns or fail internal validation checks.
The module maintains both whitelist and blacklist mechanisms in memory, allowing it to quickly eliminate threats without rescanning the entire system.
Additionally, Broadside harvests credential files during initialization by reading /etc/passwd and /etc/shadow to enumerate local accounts and prepare for privilege escalation and lateral movement.
Once established on a compromised DVR, Broadside launches high-rate UDP flood attacks that can saturate maritime satellite communication networks.
The attack module opens up to 32 simultaneous UDP sockets with randomized source ports and implements payload polymorphism, subtly altering packet headers to defeat static signature-based detection systems.
The DDoS functionality never terminates naturally; it continuously adapts its timing profiles until the infected system is shut down or the process is forcibly terminated.
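As an added example (not from the article or from Cydome's tooling), the following Python detector looks for two of the indicators described above: the 0x36694201 magic header at the start of a packet payload, and a burst of UDP packets from one host to one destination using many randomized source ports. The on-wire byte order of the header, the thresholds, and the sample traffic are assumptions.

```python
import struct
from collections import defaultdict

# Magic header value reported for Broadside control packets (from the article).
# Byte order on the wire is not stated in the article; both encodings are assumed.
MAGIC = 0x36694201
MAGIC_PATTERNS = (struct.pack(">I", MAGIC), struct.pack("<I", MAGIC))


def has_magic_header(payload: bytes) -> bool:
    """True if the payload begins with the magic header in either byte order."""
    return any(payload.startswith(p) for p in MAGIC_PATTERNS)


def udp_flood_sources(packets, min_ports=16, window=1.0):
    """Return (src, dst) pairs whose UDP traffic used at least `min_ports` distinct
    source ports within any `window`-second span (assumed thresholds); a heuristic
    for the randomized-source-port flood described in the article."""
    flows = defaultdict(list)  # (src, dst) -> [(timestamp, sport), ...]
    for ts, src, sport, dst, dport, proto, payload in packets:
        if proto == "udp":
            flows[(src, dst)].append((ts, sport))
    suspects = set()
    for key, events in flows.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {sp for t, sp in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                suspects.add(key)
                break
    return suspects


def scan(packets):
    """Return (packets carrying the magic header, flood-like (src, dst) pairs)."""
    c2 = [(ts, src, dst) for ts, src, sport, dst, dport, proto, payload in packets
          if has_magic_header(payload)]
    return c2, udp_flood_sources(packets)


# Constructed sample traffic (not captured data): one control-style packet, a burst
# of 32 UDP packets from one DVR to a gateway over many source ports, and one
# ordinary NTP request from another host.
SAMPLE = [(0.0, "10.0.5.21", 40123, "203.0.113.9", 8080, "tcp",
           struct.pack(">I", MAGIC) + b"\x01\x00")]
SAMPLE += [(0.5 + i * 0.01, "10.0.5.21", 20000 + i * 37, "10.0.0.1", 53, "udp",
            b"\x00" * 64) for i in range(32)]
SAMPLE.append((2.0, "10.0.5.22", 51000, "10.0.0.1", 123, "udp", b"\x1b" + b"\x00" * 47))
```

Run `scan(SAMPLE)` to see the single control packet and the one flood-like flow flagged while the NTP request is not.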
The operational impact on maritime vessels extends beyond simple network disruption. Compromised DVRs typically manage critical CCTV feeds for the ship’s bridge, engine room, and cargo holds.
System degradation or compromise could blind crews to physical security incidents, while intensive DDoS activity could saturate limited satellite uplinks.
In networks with a flat architecture, compromised CCTV systems provide attackers with footholds to pivot to more sensitive shipboard operational systems.