CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.

Timeline

  1. 29.10.2025 15:00 2 articles · 12d ago

    Botnets Exploit Known Vulnerabilities and Cloud Misconfigurations

    The article confirms the ongoing exploitation of PHP servers, IoT devices, and cloud gateways by botnets such as Mirai, Gafgyt, and Mozi. It highlights the use of known vulnerabilities and cloud misconfigurations to expand botnet networks. The article also details the exploitation of Xdebug debugging sessions and the use of cloud infrastructures to obscure the origins of scanning activity. Additionally, it notes the evolving role of botnets in credential stuffing, password spraying, and other illicit activities.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SesameOp malware leverages OpenAI Assistants API for command-and-control

A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.

Open in new tab

Technology Sector Surpasses Gaming as Top DDoS Attack Target in Q1–Q2 2025

The Gcore Radar report for Q1–Q2 2025 reveals a 41% year-on-year increase in DDoS attack volume, with the technology sector now the most targeted, surpassing gaming. The largest recorded attack peaked at 2.2 Tbps, demonstrating growing scale and sophistication in DDoS campaigns. Attacks are longer, multi-layered, and increasingly target web applications and APIs. The financial services industry remains a significant target, facing heightened risks. The report highlights the rising complexity and impact of DDoS attacks, driven by accessible attack tools, vulnerable IoT devices, geopolitical tensions, and advanced attack techniques. The shift in targeted industries and the increasing use of multi-vector and application-layer attacks underscore the need for robust, proactive defenses.

Open in new tab

Massive 1.5 Bpps DDoS attack targets European DDoS mitigation provider

A European DDoS mitigation service provider was targeted in a large-scale distributed denial-of-service (DDoS) attack reaching 1.5 billion packets per second (Bpps). The attack originated from thousands of compromised IoT devices and MikroTik routers, affecting over 11,000 unique networks worldwide. FastNetMon, the DDoS mitigation service, successfully detected and mitigated the attack in real-time. The attack underscores the growing threat of large-scale DDoS attacks and the need for proactive measures at the ISP level to prevent such incidents. The attack aimed to exhaust the target's processing capabilities, causing potential service outages.

Open in new tab

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs

Cloudflare has mitigated a new record-breaking DDoS attack peaking at 22.2 Tbps and 10.6 Bpps, which lasted 40 seconds. This attack is part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity. The Aisuru botnet, responsible for these attacks, has been drawing a majority of its firepower from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The attack was aimed at a single IP address of an unnamed European network infrastructure company. The attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. The attack was described as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports. The attack was conducted using the Aisuru botnet, which has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities. The attack was actually sourced from a combination of several IoT and cloud providers, not just Google Cloud. The attack's complexity and impact on users are highlighted as critical factors, not just its magnitude. The attack occurred in mid-May right after Cloudflare's publication of its quarterly DDoS threat report. The attacks reached 6.5Tbps and delivered 4.8 billion packets per second (pps). The Aisuru botnet has spread to at least 700,000 IoT systems, including poorly secured Internet routers and security cameras. The botnet's operators have demonstrated DDoS capabilities of nearly 30 Tbps, exceeding the mitigation capabilities of most Internet destinations. The botnet has caused significant operational impact on U.S.-based ISPs, with outbound DDoS attacks exceeding 1.5 Tbps. The botnet's operators recently updated their malware to rent out compromised devices as residential proxies, facilitating cybercriminal activities. The botnet's operators are actively involved in the proxy network industry, enabling aggressive content scraping for AI projects. In the latest development, Aisuru botnet domains have repeatedly appeared in Cloudflare's top domains list, displacing legitimate sites like Amazon, Apple, Google, and Microsoft. Cloudflare redacted these domains from their top domains list to address security and brand confusion concerns. The botnet's domains were using Cloudflare's DNS server 1.1.1.1, shifting from Google's 8.8.8.8. Cloudflare's domain ranking system is based on DNS query volume, not actual web visits. Cloudflare CEO Matthew Prince confirmed that the botnet was generating excessive DNS requests to influence rankings and attack Cloudflare's DNS service. Cloudflare plans to improve its ranking algorithm to better distinguish between legitimate and malicious traffic. The botnet's domains were predominantly registered in the .su top-level domain, frequently abused for cybercrime.

Open in new tab

Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure

Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.

Open in new tab