
Broadside Mirai Botnet Hijacks Ship Cameras for DDoS

The Broadside Mirai variant exploits vulnerable maritime DVRs to gain stealthy access and threaten global shipping.

Written By
Ken Underhill
Dec 9, 2025

A newly discovered Mirai botnet variant named Broadside is actively compromising maritime shipping networks, exploiting a critical DVR vulnerability to gain stealthy, persistent access aboard commercial vessels. 

The attack “… attempts to harvest system credential files,” said Cydome researchers.

A New Class of Botnet Threat to Maritime OT

Broadside marks a major evolution in modern botnet tradecraft. Rather than focusing exclusively on DDoS activity, the malware incorporates credential harvesting, process manipulation, in-memory execution, and lateral movement — capabilities that directly threaten shipboard operational technology (OT). 

According to Cydome’s research, attacks began ramping up in late 2025 and are now exploiting CVE-2024-3721, a command-injection flaw in TBK DVR devices widely installed on cargo ships and logistics vessels.

Because maritime networks often rely on flat architectures and limited satellite connectivity, a botnet with persistence, stealth, and device-to-device pivoting poses risks far beyond traditional malware outbreaks. 

Compromised DVRs frequently support bridge, engine room, and cargo-hold surveillance — making them high-value entry points for attackers.

Inside the Broadside Attack Chain

The attack chain begins with a malicious HTTP POST request to the vulnerable /device.rsp endpoint of TBK DVR systems. 

This allows attackers to deploy a loader script that installs Broadside binaries compiled for multiple architectures, including ARM, MIPS, x86, and PowerPC. 

Once launched, the malware immediately deletes its own binary from disk and continues running from memory only, which defeats file-based scanning. The running process itself, however, is still visible through /proc, and the kernel records the missing executable there.
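A defender-side check for that self-deletion behaviour, added here as an example rather than taken from the article or from Cydome's tooling: on Linux, a process whose executable has been unlinked keeps running, and the kernel marks it by appending " (deleted)" to the target of its /proc/<pid>/exe link (binaries loaded from an anonymous memfd show the same suffix). The fake /proc tree, the pid numbers and the file names in it are constructed for the example and are not Broadside indicators.

```python
import os
import tempfile


def memory_resident_processes(proc_root="/proc"):
    """Return [(pid, exe_target)] for processes whose on-disk binary is gone.

    The kernel reports an unlinked executable by appending " (deleted)" to
    the /proc/<pid>/exe link target; a memfd-backed executable shows up as
    "/memfd:<name> (deleted)". Either is suspicious on a DVR that should
    only ever run the vendor firmware.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/net, ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads have no exe link; other users' processes
            # need root to read it. Neither case is a finding.
            continue
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target))
    return sorted(hits)


def build_sample_proc():
    """Constructed stand-in for /proc so the check can be run offline.

    Three fake entries: a normal process (pid 100), one whose binary was
    unlinked after launch (pid 200, the pattern described in the article),
    and a non-pid directory that must be ignored. Paths are hypothetical.
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "100"))
    os.symlink("/usr/sbin/dvr_main", os.path.join(root, "100", "exe"))
    os.makedirs(os.path.join(root, "200"))
    os.symlink("/tmp/.loader (deleted)", os.path.join(root, "200", "exe"))
    os.makedirs(os.path.join(root, "self"))
    return root


if __name__ == "__main__":
    # On a live device this walks the real /proc; run it as root so every
    # process's exe link is readable.
    for pid, target in memory_resident_processes():
        print(f"pid {pid}: running from {target}")
```

Run it as root on the device (or over SSH from the shoreside SOC) and treat any hit as worth a memory capture before touching the process. Because the article describes Broadside killing security tools it does not recognise, prefer a one-shot read like this over installing a persistent agent on a suspect DVR.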

Broadside introduces several advanced capabilities not seen in earlier Mirai strains, beginning with a dual-mode stealth engine designed for flexible evasion. 

In Smart Mode, the malware leverages Netlink kernel sockets to receive real-time process alerts while consuming minimal system resources. 

When kernel restrictions prevent this behavior, Panic Mode activates, aggressively scanning the /proc directory every 0.1 seconds to maintain situational awareness and ensure persistence.

Broadside also incorporates a powerful process-killing module — internally referred to as the “Judge, Jury, and Executioner” — which terminates competing malware, suspicious processes, or security tools by using in-memory allowlists and blocklists.

In addition to stealth and suppression capabilities, the malware supports credential harvesting and lateral movement. 

During initialization, it attempts to read /etc/passwd and /etc/shadow. On many embedded devices the DVR service already runs as root, so the value to the attacker lies less in privilege escalation than in reuse: password hashes cracked offline can be tried against other shipboard systems that share the same credentials, which is what makes the pivot possible.

Finally, Broadside employs a custom command-and-control (C2) protocol marked by a hardcoded Magic Header (0x36694201) included in every C2 packet. 

This signature helps the botnet evade standard Mirai-detection heuristics while maintaining resilient and covert communication channels. The constant cuts both ways, though: a fixed four-byte header at the start of every packet is also a cheap and reliable signature for defenders who can inspect traffic leaving the DVR segment in the clear.

Once established, Broadside launches high-rate UDP floods, opening sockets with randomized source ports and polymorphic payloads. 

These attacks can saturate the limited satellite bandwidth maritime vessels depend on, disrupting communications and crippling onboard monitoring systems.

Essential Defenses Against the Broadside Mirai Threat

The Broadside Mirai variant highlights how overlooked, low-visibility devices — especially maritime DVR and CCTV systems — can become high-impact entry points for attackers. 

To counter this threat, organizations must strengthen both their network architecture and device-level security across shipboard and shoreside environments. 

  • Patch or replace vulnerable TBK DVR systems, especially those exposed to the internet or reachable from shipboard networks.
  • Segment maritime OT networks to prevent pivoting from peripheral devices such as CCTV or DVR systems.
  • Deploy network monitoring tuned for Broadside C2 indicators, including the custom magic header and anomalous UDP bursts.
  • Harden embedded Linux devices with minimal service exposure, strong credentials, and read-only filesystems when possible.
  • Implement anomaly detection to flag unexpected kernel socket use, rapid /proc directory polling, or memory-resident binaries.
  • Audit DVR and camera infrastructure for unauthorized processes or outbound connections associated with known Broadside infrastructure.
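The following is an added example, not from the article and not Cydome's published tooling: three small detectors for the network-side indicators listed above (the exploit request, the C2 magic header, and randomized-source-port UDP bursts), run over constructed sample data. Everything about the data shapes is an assumption for the example: the DVR's HTTP log is taken to be in combined access-log format, packets are represented as plain tuples, the byte order of the magic header on the wire is not stated in the article so both encodings are matched, and the burst thresholds are placeholders to tune against the vessel's real baseline.

```python
import re
import struct
from collections import defaultdict, deque

# Header value as reported in the article. Wire byte order is not given
# there, so both encodings are accepted (assumption).
BROADSIDE_MAGIC = 0x36694201
MAGIC_BYTES = (struct.pack(">I", BROADSIDE_MAGIC),
               struct.pack("<I", BROADSIDE_MAGIC))

# Combined access-log format (assumed for the DVR or a fronting proxy).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def flag_device_rsp_posts(log_lines):
    """Return (src_ip, status) for every POST to /device.rsp.

    /device.rsp is the endpoint named in the article for CVE-2024-3721;
    only POSTs are flagged, matching the attack chain it describes.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] == "/device.rsp":
            hits.append((m["src"], m["status"]))
    return hits


def has_magic_header(payload):
    """True if a packet payload starts with the hardcoded C2 magic header."""
    return len(payload) >= 4 and bytes(payload[:4]) in MAGIC_BYTES


def detect_udp_bursts(packets, window=1.0, pps_threshold=200, min_ports=32):
    """Flag sources sending more than pps_threshold UDP packets per window
    from at least min_ports distinct source ports (the randomized-port
    flood the article describes). Returns {src_ip: (ts, count, ports)}.

    packets: iterable of (timestamp, src_ip, src_port, dst_ip, dst_port, payload)
    """
    recent = defaultdict(deque)   # src_ip -> (timestamp, src_port) in window
    flagged = {}
    for ts, src, sport, _dst, _dport, _payload in sorted(packets):
        q = recent[src]
        q.append((ts, sport))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > pps_threshold and src not in flagged:
            ports = {p for _, p in q}
            if len(ports) >= min_ports:
                flagged[src] = (ts, len(q), len(ports))
    return flagged


def sample_log_lines():
    """Constructed sample, not real traffic; addresses are documentation ranges."""
    return [
        '203.0.113.7 - - [09/Dec/2025:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512',
        '198.51.100.23 - - [09/Dec/2025:10:00:02 +0000] "POST /device.rsp HTTP/1.1" 200 44',
        '203.0.113.7 - - [09/Dec/2025:10:00:03 +0000] "POST /login.rsp HTTP/1.1" 401 0',
    ]


def sample_packets():
    """Constructed sample: one flooding host, one quiet host, one C2 packet."""
    pkts = []
    for i in range(300):   # 300 packets in 0.6 s from a DVR, each on a new port
        pkts.append((100.0 + i * 0.002, "10.0.0.5", 1024 + (i * 7919) % 60000,
                     "192.0.2.10", 80, b"\x00" * 64))
    for i in range(10):    # benign NTP-like chatter on a fixed port
        pkts.append((100.0 + i * 0.05, "10.0.0.9", 123, "192.0.2.20", 123, b"\x00" * 48))
    pkts.append((101.0, "10.0.0.5", 40000, "192.0.2.99", 7777,
                 MAGIC_BYTES[0] + b"\x00\x01\x02"))   # C2 check-in with magic header
    return pkts


if __name__ == "__main__":
    print("exploit attempts:", flag_device_rsp_posts(sample_log_lines()))
    print("magic-header packets:",
          [p[1] for p in sample_packets() if has_magic_header(p[5])])
    print("udp bursts:", detect_udp_bursts(sample_packets()))
```

The magic-header match assumes the C2 framing is visible in cleartext, which the article implies but does not state; if the channel turns out to be wrapped in TLS, fall back to the burst detector and to egress rules that deny DVRs any outbound connection except to named update and NTP hosts. On a satellite link the burst threshold should sit well below the uplink's packet budget, since the point is to alert before the link saturates rather than after.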

By taking these steps, maritime operators can strengthen their cyber resilience and limit attack pathways for threats like Broadside.

The Shift From DDoS Tools to Multi-Stage Malware

The emergence of Broadside highlights a pivotal shift in the threat landscape: botnets are no longer just volumetric DDoS engines, but increasingly sophisticated, multi-stage intrusion frameworks tailored to specialized environments such as maritime operational technology. 

This evolution reflects a broader adversary trend of transforming legacy malware families into modular, adaptable ecosystems built for persistence, stealth, and operational disruption.

As digitization accelerates across the shipping industry, and vessels depend more heavily on IP-connected OT systems, the maritime sector has become an attractive target for both cybercriminal botnet operators and nation-state actors.

In a landscape where attacks are growing more adaptive and targeted, these trends underscore the need for a zero-trust posture that assumes compromise and enforces strict, continuous verification across all systems and users.
