New Mirai Botnet Variant Exploits TVT DVRs to Gain Admin Control

GreyNoise has noted a sharp escalation in hacking attempts targeting TVT NVMS9000 Digital Video Recorders (DVRs).

The surge in malicious activity, peaking on April 3, 2025, with over 2,500 unique IP addresses, suggests a new variant of the notorious Mirai botnet is at play, exploiting an information disclosure vulnerability to seize administrative control over these systems.

Surge in Exploitation Attempts

The recent exploitation campaign, identified by GreyNoise, commenced on March 31, 2025.

– Advertisement –

Initially, the number of unique IP addresses trying to exploit the NVMS9000 DVR was relatively low, but it escalated rapidly, with over 6,600 IPs attempting to breach the system in the past month.

This spike is three times the usual activity levels, indicating a concerted effort by cybercriminals to expand the Mirai botnet’s reach.

Geographical Focus of the Attacks

The majority of these malicious IPs originate from the Asia-Pacific (APAC) region. Taiwan leads with 3,637 IPs, followed by Japan (809 IPs) and South Korea (542 IPs).

Interestingly, the top destinations for these attacks are Western countries, with the United States being the primary target (6,471 IPs), followed by the United Kingdom (5,738 IPs) and Germany (5,713 IPs).

This geographical targeting pattern suggests an organized, potentially state-sponsored or at least large-scale, operation.

According to the Report, GreyNoise’s analysis confirms that all IPs targeting this vulnerability are malicious and non-spoofable, emphasizing the need for immediate defensive actions by users of TVT NVMS9000 DVRs.

Security measures should include:

• Patching: Immediate application of all available security patches to the DVR systems to close the exploited vulnerability.
• Access Restrictions: Limiting internet access to DVR interfaces to prevent remote exploitation.
• Network Monitoring: Vigilant monitoring of network traffic for signs of scanning or anomalies indicative of exploitation attempts.

TVT Digital Technology Co., Ltd., based in Shenzhen, provides DVRs like the NVMS9000 for extensive security and surveillance needs, serving over 120 countries.

The widespread use of these systems makes the exploitation attempt a significant threat, potentially allowing attackers full administrative control over crucial security infrastructure.

This latest activity by the Mirai botnet variant not only showcases the persistent vulnerability in IoT devices but also underscores the necessity for robust cybersecurity practices in enterprise environments.

Organizations relying on internet-connected security equipment must prioritize patching and network security to thwart these sophisticated cyber threats.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!