
PHP servers, IoT devices and cloud gateways active exploitation surge

Exploitation Wave · Happening score 48 · 2 unique sources, 2 articles

Summary


An active exploitation wave is driving a sharp increase in attacks against PHP servers, IoT devices, and cloud gateways. The activity uses known CVEs and cloud misconfigurations to expand access across exposed systems and increase the chance of compromise. The reporting describes automated botnet campaigns and related abuse of development and cloud exposure, including attempts to harvest credentials, API keys, and access tokens. Exposed PHP-based applications, internet-facing gateways, and weak cloud configurations are especially at risk. The wave has been linked to multiple botnet families and to attacks against WordPress and other PHP-adjacent services, as well as attempts to retrieve AWS credential material from exposed servers. Recommended defenses include prompt patching, disabling development tools like Xdebug, restricting cloud access, and using managed secret storage.

Related Happenings

PCPJack worm-like credential theft framework

Malware Activity
First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Cloud environments third-party flaw exploitation wave

Exploitation Wave
First: 09.03.2026 23:45 Last: 09.03.2026 23:45 Sources 1

About this happening: **Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
First: 12.02.2026 23:34 Last: 12.02.2026 23:34 Sources 1

About this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

Timeline

  1. 29.10.2025 17:38 · 2 articles

    Automated botnet campaigns exploit exposed PHP servers, IoT devices, and cloud gateways

    Initial Disclosure

    Automated campaigns target exposed PHP servers, IoT devices, and cloud gateways with botnets such as Mirai, Gafgyt, and Mozi, exploiting known CVEs and cloud misconfigurations to gain control of hosts and expand the botnets. The activity includes `/?XDEBUG_SESSION_START=phpstorm` requests that abuse Xdebug sessions, attempts to harvest credentials, API keys, and access tokens, and scanning that often originates from AWS, Google Cloud, Microsoft Azure, DigitalOcean, and Akamai Cloud address space.

  2. 29.10.2025 15:00 · 2 articles

    Qualys reports active exploitation of PHP servers, IoT devices and cloud gateways

    Initial Disclosure

    Qualys Threat Research Unit (TRU) reports a sharp increase in attacks against PHP servers, IoT devices and cloud gateways, linking the activity to Mirai, Gafgyt and Mozi as well as active exploitation of CVE-2022-47945, CVE-2021-3129, CVE-2017-9841, CVE-2024-3721 and CVE-2022-22947. The findings also describe attacks against PHP-based applications such as WordPress, attempts to retrieve AWS credential files from exposed Linux servers, and the use of compromised routers and IoT devices for credential stuffing and password spraying. Qualys recommends patching promptly, disabling development tools such as Xdebug on internet-facing systems, using managed secret stores and restricting cloud access.

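The two indicators the timeline names, `XDEBUG_SESSION_START` probes against Xdebug and requests for AWS credential files on exposed servers, are easy to hunt for in ordinary web-server logs. The script below is an added example written for this page; it is not code from Qualys or from either source article. It assumes combined-format access logs, and the log lines it scans are constructed samples (RFC 5737 documentation addresses), not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2025:17:38:01 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:17:38:02 +0000] "GET /.aws/credentials HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2025:17:40:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Oct/2025:17:41:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the reporting above. Label names are this example's own.
XDEBUG_PARAM = "XDEBUG_SESSION_START"
CREDENTIAL_PATHS = ("/.aws/credentials",)


def classify_request(target):
    """Return the indicator labels that apply to one request target (path + query)."""
    parts = urlsplit(target)
    labels = []
    # Parameter names are matched case-insensitively; Xdebug itself accepts the
    # trigger via GET, POST or cookie, but this example only inspects the query string.
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(name.upper() == XDEBUG_PARAM for name in query):
        labels.append("xdebug_session_start")
    if any(parts.path.lower().endswith(p) for p in CREDENTIAL_PATHS):
        labels.append("aws_credential_file_request")
    return labels


def scan_log(text):
    """Parse each line and return (ip, target, labels) for every flagged request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        labels = classify_request(match["target"])
        if labels:
            hits.append((match["ip"], match["target"], labels))
    return hits


def ips_with_multiple_indicators(hits):
    """Source IPs that triggered more than one distinct indicator (likely automated probing)."""
    per_ip = {}
    for ip, _, labels in hits:
        per_ip.setdefault(ip, set()).update(labels)
    return sorted(ip for ip, labels in per_ip.items() if len(labels) > 1)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, target, labels in hits:
        print(ip, target, labels)
    print("sources with multiple indicators:", ips_with_multiple_indicators(hits))
```

A status of 200 on the Xdebug probe is the line worth triaging: a 404 on `/.aws/credentials` shows scanning, but a successful response to a session-start request means a debugger is reachable on a production host, which the page's guidance on disabling development tools is meant to prevent.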