A new Mirai-based malware campaign is actively exploiting a high-severity command injection vulnerability (CVE-2025-29635) in discontinued D-Link DIR-823X routers to recruit devices into a botnet.

Entities

D-LinkMiraituxnokillNexcorium

Score total

1.3

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

Exploitation began about a year after public disclosure, showing delayed but active attacks.
New Mirai variants discovered this month indicate active botnet campaign evolution.
Recent honeypot data confirms ongoing spread of these malware strains.

Why it matters

Legacy devices remain vulnerable long after end-of-life, enabling botnet growth.
Mirai variants continue evolving, targeting multiple device types via old flaws.
Unpatched routers and DVRs pose ongoing risks to network security.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: high

Recurring claims

Mirai botnet is exploiting a command injection vulnerability (CVE-2025-29635) in discontinued D-Link DIR-823X routers to recruit devices.
Two new Mirai variants, tuxnokill and Nexcorium, are spreading through old vulnerabilities targeting routers and DVRs.

How sources frame it

BleepingComputer: neutral
SecurityWeek: neutral
Help Net Security: neutral

All evidence

New Mirai campaign exploits RCE flaw in EoL D-Link routers

bleepingcomputer_all · bleepingcomputer.com · 2026-04-22 20:04 UTC

New Mirai variants target routers and DVRs in parallel campaigns

Help Net Security · helpnetsecurity.com · 2026-04-22 13:24 UTC

Mirai Botnet Targets Flaw in Discontinued D-Link Routers

SecurityWeek · securityweek.com · 2026-04-22 11:44 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 3Origin domains: 3Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 3 / 0

Top publishers (this list)

bleepingcomputer_all (1)
Help Net Security (1)
SecurityWeek (1)

Top origin domains (this list)

bleepingcomputer.com (1)
helpnetsecurity.com (1)
securityweek.com (1)