the threat gazette
Afternoon Update
Intraday Update
Malware

Nexcorium Mirai Variant Actively Exploiting IoT DVR and Router Vulnerabilities at Scale

CVE-2017-17215 CVE-2024-3721

Fortinet's FortiGuard Labs is tracking Nexcorium, a Mirai botnet variant conducting active exploitation against TBK DVR-4104/4216 devices via CVE-2024-3721 (EPSS 0.839) and Huawei HG532 routers via CVE-2017-17215 (EPSS 0.927, public exploit at EDB-43414). Both CVEs carry high EPSS scores reflecting genuine ongoing exploitation at scale rather than theoretical risk. The campaign follows the standard Mirai playbook — exploit unpatched consumer and SMB-grade IoT gear, grow C2-connected botnet capacity, and leverage for DDoS or secondary payload staging. No KEV listing for either CVE, though the exploitation signals are unambiguous.

CVE-2017-17215 being weaponized in 2026 — nine years post-disclosure — is the clearest possible illustration of the IoT patch debt problem. The EPSS 0.927 reflects sustained real-world exploitation, not decay. Ranking's 'critical' severity overstates direct financial institution relevance given the narrow exposure path (TBK DVRs, Huawei CPE); the actual threat surface is the botnet's DDoS capacity against edge infrastructure, not direct compromise of enterprise assets. Downgraded to notable accordingly.

Second Mirai-family disclosure in the same day (after this morning's Unit 42 TP-Link write-up on story 5374) — the pattern is consistent: unpatchable consumer/SMB gear powering DDoS-capable capacity against edge infrastructure and hosting providers. CVE-2017-17215 live in 2026 is the nine-year tail of the Huawei HG532 problem that drove the original Mirai successors. Treat as vendor-risk and supplier-network exposure, not direct enterprise compromise.

2026-04-17

Editorial

The 3AM/Payouts King QEMU reverse-SSH backdoor is the second in-victim QEMU staging pattern in 48 hours after Sophos's GOLD ENCOUNTER write-up, and two independent affiliates adopting the same hypervisor-blind guest-execution trick inside two days is tradecraft convergence rather than coincidence. Chained with a KEV'd SolarWinds WHD foothold (CVE-2025-26399) and a fully productized post-access stack — BloodHound, Impacket, Havoc, ConnectWise RMM, Rclone — this is now a repeatable kill chain that any EDR deployment terminating at the host OS boundary cannot see the back half of. Treat guest-VM-inside-managed-endpoint as an assumed TTP in IR runbooks this week, not a research curiosity.

DomainTools' consolidation of Homeland Justice, KarmaBelow80, and Handala under a single MOIS-aligned cluster (MOIST GRASSHOPPER / Banished Kitten overlap, 38-technique ATT&CK map including disk-wipe and encryption-for-impact) is a threat-model upgrade rather than an attribution cleanup — directed Iranian destructive capability wearing hacktivist branding should be the working assumption for any financial-sector exposure to Israel, Albania, or Gulf counterparty networks. Meanwhile NIST's selective-enrichment announcement today formally codifies the NVD retreat we flagged twice this week; the story moves from capacity posture to written policy, so commercial feeds plus EPSS are now the de facto authoritative vulnerability layer and budget conversations should reflect that. Fortinet's Nexcorium write-up (TBK DVR CVE-2024-3721, Huawei HG532 CVE-2017-17215) arriving within 24 hours of the TP-Link Mirai scanning confirms the consumer-IoT-to-DDoS pipeline is running at weekly operational tempo — the estate exposure remains indirect, but edge and DDoS-mitigation contracts deserve a second look.

Notable

Geopolitical

DomainTools Unifies Homeland Justice, Karma, and Handala Under Single MOIS Cyber Operations Unit

Banished Kitten T1003.001 T1005 T1018 T1021 T1021.001 T1021.002 T1036 T1041 T1059 T1059.001 T1069 T1070 T1071.001 T1078 T1087 T1102 T1105 T1113 T1114.002 T1123 T1190 T1204 T1218 T1218.011 T1485 T1486 T1490 T1505.003 T1547 T1555 T1561 T1561.001 T1562 T1566 T1583.001 T1583.003 T1585.001 T1608 SDelete Wiper reGeorg

DomainTools Investigations has published a high-confidence longitudinal analysis — drawing on U.S. government reporting, passive DNS, infrastructure enrichment, and archived Telegram content — concluding that Homeland Justice, KarmaBelow80, and Handala are not discrete hacktivist groups but coordinated fronts for a single MOIS-aligned cyber influence operation attributed to the MOIST GRASSHOPPER cluster (overlapping with Banished Kitten). The 38-technique ATT&CK mapping documents a destructive capability set alongside espionage: T1485 (Data Destruction), T1486 (Data Encrypted for Impact), T1561.001 (Disk Content Wipe), T1490 (Inhibit System Recovery), web shell deployment via reGeorg, and credential harvesting via T1003.001. Primary targeting has been government, judiciary, telecom, and critical infrastructure.

Consolidating three previously-distinct hacktivist fronts under a single MOIS operational umbrella upgrades the threat model substantially — what looked like opportunistic hacktivism was directed state capability with information operations layered on top. The presence of disk wipe and encryption-for-impact techniques alongside the hacktivist branding is consistent with destructive intent masked as ideological action, a pattern documented across Iranian MOIS operations going back to Shamoon. Geopolitical escalation in the Middle East has historically correlated with elevated operational tempo from this cluster; the current environment warrants that context.

The destructive toolkit alongside the hacktivist front is a Shamoon-era MOIS signature — ideological branding grafted onto wiper operations to provide deniability and strategic ambiguity. With current Middle East geopolitical tempo, this cluster's operational rhythm historically spikes alongside regional escalation; worth tracking for spillover into financial-services supply chains with Israeli or Gulf exposure.

Ransomware

3AM/Payouts King Ransomware Integrates QEMU Hypervisor Evasion as Standard Kill Chain Component

CVE-2025-26399 3AM Ransomware BloodHound ConnectWise Havoc Impacket LoudMiner Quick Assist Rclone

The Payouts King ransomware group, linked to 3AM Ransomware, is deploying QEMU as a reverse SSH backdoor to run payloads inside hidden virtual machines, bypassing endpoint detection tools that lack hypervisor-layer visibility. The technique mirrors LoudMiner's QEMU-based cryptomining evasion (also listed in the software set here) and prior usage in other ransomware campaigns — this is operationalized adoption, not invention. The broader kill chain is noteworthy: BloodHound for AD enumeration, Impacket, Havoc C2, ConnectWise RMM abuse, and Rclone for exfiltration. SolarWinds Web Help Desk (CVE-2025-26399, in KEV, EPSS 0.322) appears as an initial access vector; the KEV remediation deadline of 2026-03-12 has already passed.

Endpoint solutions that enumerate only user-space processes will miss payloads running inside QEMU guests — that's the actual detection gap this technique exploits. The QEMU technique is not new but its integration alongside ConnectWise RMM abuse and BloodHound-based recon indicates a mature operator building a detection-resistant pipeline rather than a script kiddie. The SolarWinds WHD KEV vector is the more immediately actionable concern: if CVE-2025-26399 is unpatched in your environment past the March deadline, that's the priority.

QEMU-for-evasion was pioneered by LoudMiner in 2019 and reused by Akira in 2024; its integration into a named ransomware kill chain alongside BloodHound, Impacket, Havoc, and RMM abuse signals the technique has crossed from curiosity to playbook. Detection engineering implication: hypervisor-layer visibility and unauthorised-QEMU-process hunts stop being edge cases. The SolarWinds WHD KEV entry here is a reminder that the initial-access half of this chain is still unremarkable known-CVE territory.
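The "unauthorised-QEMU-process hunt" mentioned above, written out as an added example (not code from the gazette, Sophos, or any vendor write-up): it scores qemu-system-* launches seen in process telemetry against an approved-hypervisor baseline, so a guest started from a user-writable path, by an ordinary account, from an interactive shell, surfaces as a finding while a sanctioned build VM does not. Every path, account name, threshold and sample row is constructed/hypothetical; only the QEMU binary name pattern and the `-display none` / `-nographic` headless options are real.

```python
"""Hunt for unauthorised QEMU guest launches in endpoint process telemetry.

Added example, not code from the gazette or from any vendor report. Scores
qemu-system-* launches against an approved-hypervisor baseline. Every path,
account name and sample row below is constructed/hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical baseline: where sanctioned QEMU binaries live and who may run them.
APPROVED_QEMU_DIRS = ("/usr/bin/", "/usr/libexec/", "C:\\Program Files\\qemu\\")
APPROVED_VM_USERS = {"virt-svc", "build-agent"}
# Real QEMU options that detach the guest from any console.
HEADLESS_FLAGS = ("-display none", "-nographic")
INTERACTIVE_SHELLS = ("cmd.exe", "powershell.exe", "/bash", "/sh", "/zsh")

QEMU_BIN = re.compile(r"(^|[\\/])qemu-system-[\w-]+(\.exe)?$", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    user: str
    image: str          # full path of the executable
    cmdline: str
    parent_image: str


@dataclass
class Finding:
    pid: int
    score: int
    reasons: List[str] = field(default_factory=list)


def is_qemu(proc: Proc) -> bool:
    """True when the executable is a qemu-system-* binary (any arch, any OS)."""
    return bool(QEMU_BIN.search(proc.image))


def assess(proc: Proc) -> Optional[Finding]:
    """Return a Finding for QEMU launches that deviate from the baseline, else None."""
    if not is_qemu(proc):
        return None
    f = Finding(pid=proc.pid, score=0)
    if not proc.image.startswith(APPROVED_QEMU_DIRS):
        f.score += 3
        f.reasons.append(f"qemu binary outside approved dirs: {proc.image}")
    if proc.user not in APPROVED_VM_USERS:
        f.score += 2
        f.reasons.append(f"launched by non-VM-operator account: {proc.user}")
    if any(flag in proc.cmdline for flag in HEADLESS_FLAGS):
        f.score += 1
        f.reasons.append("headless guest (no console attached)")
    # A service manager spawning the hypervisor is the benign case; an
    # interactive shell doing so is the pattern worth a look.
    if proc.parent_image.lower().endswith(INTERACTIVE_SHELLS):
        f.score += 2
        f.reasons.append(f"spawned from interactive shell: {proc.parent_image}")
    return f if f.score else None


def hunt(procs: List[Proc], threshold: int = 3) -> List[Finding]:
    """Return findings at or above `threshold`, highest score first."""
    out = [f for f in (assess(p) for p in procs) if f and f.score >= threshold]
    return sorted(out, key=lambda f: -f.score)


# Constructed telemetry: one sanctioned build VM, one suspicious headless guest,
# one unrelated process.
SAMPLE = [
    Proc(4101, "build-agent", "/usr/bin/qemu-system-x86_64",
         "qemu-system-x86_64 -m 2048 -drive file=/var/lib/vm/ci.qcow2",
         "/usr/lib/systemd/systemd"),
    Proc(5120, "jsmith", "C:\\Users\\jsmith\\AppData\\Local\\Temp\\qemu\\qemu-system-x86_64.exe",
         "qemu-system-x86_64.exe -m 1024 -display none -drive file=disk.qcow2",
         "C:\\Windows\\System32\\cmd.exe"),
    Proc(6200, "jsmith", "C:\\Windows\\System32\\notepad.exe", "notepad.exe",
         "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"pid={f.pid} score={f.score}: " + "; ".join(f.reasons))
```

The scoring is deliberately additive rather than a single rule, because the page's own point is that the QEMU binary by itself is legitimate software: what distinguishes the staging pattern is the combination of an unexpected install location, an unexpected operator, a headless guest and an interactive parent. Feed `hunt()` your EDR's process export mapped onto `Proc` and tune `APPROVED_QEMU_DIRS` and `APPROVED_VM_USERS` to your estate.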

Vulnerabilities

NIST Formally Scales Back NVD Enrichment as CVE Volume Overwhelms Program

CVE-2026-22666 CVE-2026-33032 CVE-2026-40478 APT28 Black Basta Lazarus Group Qilin Scattered Spider UAC-0247 UNC2465 Black Basta Conficker Milan Qilin SMOKEDHAM UPPERCUT

NIST has formalized a policy of reduced enrichment for the majority of CVEs submitted to the National Vulnerability Database, a structural change that will degrade the quality and timeliness of NVD metadata — CVSS scores, CPE mappings, CWE classifications — across the ecosystem. This has been building since early 2024 when enrichment backlogs became publicly visible; this announcement formalizes the retreat rather than representing a new development. The seven threat actors and low-EPSS CVEs (CVE-2026-22666 at 0.00151, CVE-2026-33032 at 0.0006) associated with this story are incidental context from the Risky Business newsletter roundup and are not analytically connected to the NVD policy change itself.

This matters structurally, not as a single event. Every vulnerability management program that ingests NVD data for CVSS scoring, CPE-based asset matching, or CWE classification is now operating on a foundation that will widen its gaps over time. The burden shifts to commercial intel feeds, vendor advisories, and EPSS as the enrichment layer that NVD was supposed to provide. Teams should audit their vuln prioritization pipelines for NVD dependency and validate fallback logic before the degradation becomes operationally visible.

Formalisation of the retreat the morning bulletin covered under the 263%-surge framing (story 5506) — same development, now policy rather than capacity excuse. Audit action is unchanged: inventory which prioritisation, scanner, and SBOM pipelines depend on NVD CVSS/CPE/CWE enrichment and validate that commercial-feed or EPSS fallback logic actually fires. Ignore the actor and CVE delta signals the pipeline has attached via the Risky Business newsletter cross-match; they are enrichment noise.
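The audit action above (check which prioritisation logic depends on NVD CVSS and whether the fallback actually fires), together with the earlier Nexcorium point that EPSS and KEV status, not a severity label, are what indicate exploitation at scale, as one added example. This is not code from the gazette: it ranks CVE records that carry whatever enrichment the pipeline managed to collect, falls back from NVD CVSS to vendor CVSS, lets KEV and EPSS outrank severity, and refuses to silently bury a CVE that has no CVSS from any source. The EPSS values and KEV status in the sample are the ones quoted in the gazette; the CVSS numbers, the tier thresholds, and the absence of NVD CVSS for some records are a constructed scenario.

```python
"""Prioritise CVEs without assuming NVD enrichment is present.

Added example, not from the gazette. EPSS values and KEV status in SAMPLE are
quoted from the gazette; CVSS numbers, thresholds and the missing-NVD scenario
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CveRecord:
    cve: str
    epss: float
    in_kev: bool
    nvd_cvss: Optional[float] = None     # None when NVD has not enriched the CVE
    vendor_cvss: Optional[float] = None  # from the vendor advisory, if any


@dataclass
class Priority:
    cve: str
    tier: str
    reason: str
    cvss_source: str   # "nvd", "vendor" or "none": records which fallback fired


def effective_cvss(rec: CveRecord) -> Tuple[Optional[float], str]:
    """Prefer NVD CVSS, fall back to the vendor's score, else report none."""
    if rec.nvd_cvss is not None:
        return rec.nvd_cvss, "nvd"
    if rec.vendor_cvss is not None:
        return rec.vendor_cvss, "vendor"
    return None, "none"


def prioritise(rec: CveRecord, epss_high: float = 0.5, epss_mid: float = 0.1) -> Priority:
    """Exploitation evidence (KEV, EPSS) outranks severity; missing severity is flagged, not ignored."""
    cvss, src = effective_cvss(rec)
    if rec.in_kev:
        return Priority(rec.cve, "P1", "listed in CISA KEV", src)
    if rec.epss >= epss_high:
        return Priority(rec.cve, "P1", f"EPSS {rec.epss:.3f} indicates exploitation at scale", src)
    if rec.epss >= epss_mid or (cvss is not None and cvss >= 9.0):
        return Priority(rec.cve, "P2", f"EPSS {rec.epss:.3f}, CVSS {cvss}", src)
    if cvss is None:
        # Low EPSS and no severity from anywhere: route to a human, don't rank it last.
        return Priority(rec.cve, "P3-review", "no CVSS from any source; manual triage needed", src)
    return Priority(rec.cve, "P3", f"EPSS {rec.epss:.5f}, CVSS {cvss}", src)


def fallback_coverage(records: List[CveRecord]) -> Tuple[int, int, int]:
    """(records lacking NVD CVSS, of those rescued by vendor CVSS, of those with no CVSS at all).

    Run this over a real pull to confirm the vendor-feed fallback actually fires."""
    missing = [r for r in records if r.nvd_cvss is None]
    rescued = sum(1 for r in missing if r.vendor_cvss is not None)
    return len(missing), rescued, len(missing) - rescued


# Constructed sample: EPSS and KEV status from the gazette, CVSS values invented.
SAMPLE = [
    CveRecord("CVE-2017-17215", epss=0.927, in_kev=False, nvd_cvss=8.8),    # NVD present (constructed score)
    CveRecord("CVE-2024-3721", epss=0.839, in_kev=False, vendor_cvss=8.8),  # NVD missing, vendor covers it
    CveRecord("CVE-2025-26399", epss=0.322, in_kev=True),                   # KEV wins regardless of CVSS
    CveRecord("CVE-2026-22666", epss=0.00151, in_kev=False, vendor_cvss=7.5),
    CveRecord("CVE-2026-33032", epss=0.0006, in_kev=False),                 # unenriched everywhere
]


def run(records: List[CveRecord] = SAMPLE) -> Dict[str, Priority]:
    """Prioritise every record and index the result by CVE id."""
    return {p.cve: p for p in map(prioritise, records)}


if __name__ == "__main__":
    for p in run().values():
        print(f"{p.cve:16} {p.tier:10} cvss_source={p.cvss_source:6} {p.reason}")
    print("fallback coverage (missing NVD, vendor-rescued, no CVSS):", fallback_coverage(SAMPLE))
```

Two things to take from the output: the two Mirai CVEs land in P1 on EPSS alone, with no KEV entry and in one case no NVD score, which is the gazette's point about EPSS reflecting live exploitation; and `fallback_coverage` is the number to watch week over week, because a growing "no CVSS at all" count is the NVD degradation becoming operationally visible before anyone notices it in the ranked list.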

Briefs