New Mirai Variant “Broadside” Targets Maritime Sector via Critical DVR Flaw
8 December 2025
Cydome researchers have identified a new Mirai-derived botnet variant — dubbed “Broadside” — actively exploiting CVE-2024-3721, a critical command-injection flaw in TBK DVR devices widely deployed across maritime fleets.
Attack chain
Broadside uses an HTTP POST request to the /device.rsp endpoint to execute remote commands, enabling:
full hijacking of the DVR system;
stealthy Netlink-based process monitoring for persistence;
lateral movement across onboard networks;
polymorphic UDP flooding to evade static defenses.
Unlike traditional Mirai strains that focus on DDoS attacks, Broadside seeks privilege escalation, credential harvesting, and long-term footholds in operational environments.
Why maritime assets are at risk
legacy, unpatched devices with minimal hardening;
little to no cybersecurity personnel aboard vessels;
expensive, bandwidth-limited satellite links that are easily disrupted;
attack propagation across entire managed fleets.
Researchers confirm ongoing C2 communications over TCP/1026, with fallback channels on TCP/6969.
The campaign is active and evolving.
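The two network indicators the write-up gives are enough for a first-pass detection: POST requests to /device.rsp on a DVR's web interface (the exploitation step above) and outbound TCP from onboard hosts to the reported C2 ports 1026 and 6969. The script below is an added example, not Cydome's or DIAMATIX's code, and it runs over constructed sample logs; the access-log and firewall-log formats, the internal address prefix and the function names are assumptions, so adjust the regular expressions to the export format of your own DVRs and vessel firewall.

```python
"""Detection sketch for the Broadside indicators named in the write-up.

Added example, not Cydome's or DIAMATIX's code. The log formats below are
constructed for illustration; adapt the regexes to your own DVR and
firewall exports.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the write-up: the exploited endpoint and the two C2 ports.
EXPLOIT_ENDPOINT = "/device.rsp"
C2_PORTS = {1026, 6969}

# Constructed sample: a DVR web-access log in a common-log-like format (assumed).
ACCESS_LOG = """\
10.0.5.12 - - [08/Dec/2025:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.77 - - [08/Dec/2025:10:15:09 +0000] "POST /device.rsp HTTP/1.1" 200 512
10.0.5.12 - - [08/Dec/2025:10:15:11 +0000] "GET /device.rsp?opt=sys HTTP/1.1" 200 300
198.51.100.77 - - [08/Dec/2025:10:15:13 +0000] "POST /device.rsp HTTP/1.1" 200 512
"""

# Constructed sample: outbound connection log from the vessel firewall
# (assumed format: timestamp src_ip:src_port -> dst_ip:dst_port proto).
CONN_LOG = """\
2025-12-08T10:16:00Z 10.0.5.40:51234 -> 203.0.113.9:1026 tcp
2025-12-08T10:16:05Z 10.0.5.40:51240 -> 203.0.113.9:443 tcp
2025-12-08T10:16:30Z 10.0.5.40:51250 -> 203.0.113.9:6969 tcp
2025-12-08T10:17:02Z 10.0.5.41:40001 -> 198.51.100.5:123 udp
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CONN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$'
)


@dataclass(frozen=True)
class Alert:
    kind: str    # detection name
    source: str  # host that triggered it
    detail: str  # what was seen


def find_exploit_attempts(access_log: str) -> list[Alert]:
    """Flag POST requests to the vulnerable endpoint.

    The write-up describes the flaw being triggered by an HTTP POST, so only
    POSTs are alerted on; GETs to the same path are ignored here (they are
    ordinary DVR web-UI traffic on many firmwares).
    """
    alerts = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        path = m["path"].split("?", 1)[0]  # drop any query string before comparing
        if path == EXPLOIT_ENDPOINT and m["method"] == "POST":
            alerts.append(Alert("cve-2024-3721-attempt", m["src"],
                                f'POST {EXPLOIT_ENDPOINT} status={m["status"]}'))
    return alerts


def find_c2_candidates(conn_log: str, internal_prefix: str = "10.") -> list[Alert]:
    """Flag outbound TCP from internal hosts to the C2 ports named in the report.

    The port match alone is a weak signal; the alert carries the destination so
    an analyst can pivot on it and confirm before acting.
    """
    alerts = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m or m["proto"] != "tcp":
            continue
        if m["src"].startswith(internal_prefix) and int(m["dport"]) in C2_PORTS:
            alerts.append(Alert("broadside-c2-port", m["src"], f'{m["dst"]}:{m["dport"]}'))
    return alerts


def summarize(alerts: list[Alert]) -> Counter:
    """Count alerts by detection name, the shape a SIEM dashboard would want."""
    return Counter(a.kind for a in alerts)


if __name__ == "__main__":
    found = find_exploit_attempts(ACCESS_LOG) + find_c2_candidates(CONN_LOG)
    for a in found:
        print(f"[{a.kind}] {a.source}: {a.detail}")
    print(dict(summarize(found)))
```

Running the block prints two exploit-attempt alerts from the external address and two C2-port alerts from the same onboard host, which is the correlation a detection team would chase first: an exposed DVR that was POSTed to, followed by a host on the vessel network opening connections to the reported C2 ports.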
DIAMATIX Perspective
Broadside highlights critical lessons:
OT, IoT and IT security must be unified;
IoT devices in logistics, shipping and transportation can serve as strategic footholds;
behavioral analytics and continuous visibility are essential to detect stealthy persistence mechanisms.
Using Shield SIEM/XDR and MDR 360°, DIAMATIX strengthens security for OT/ICS and maritime operators through:
correlation across IoT/OT/IT telemetry;
detection of Netlink-driven stealth processes;
identification of anomalous ports, traffic spikes and C2 patterns;
end-to-end managed response for distributed fleets.
Sources
DarkReading
SecurityWeek
Cydome Research Blog
MITRE CVE Program