PHP servers, IoT devices and cloud gateways active exploitation surge
Exploitation Wave
Summary
Hide ▲
Show ▼
An active exploitation wave is driving a sharp increase in attacks against PHP servers, IoT devices, and cloud gateways. The activity uses known CVEs and cloud misconfigurations to expand access across exposed systems and increase the chance of compromise. The reporting describes automated botnet campaigns and related abuse of development and cloud exposure, including attempts to harvest credentials, API keys, and access tokens. Exposed PHP-based applications, internet-facing gateways, and weak cloud configurations are especially at risk. The wave has been linked to multiple botnet families and to attacks against WordPress and other PHP-adjacent services, as well as attempts to retrieve AWS credential material from exposed servers. Recommended defenses include prompt patching, disabling development tools like Xdebug, restricting cloud access, and using managed secret storage.
Related Happenings
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
H score34
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
**PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
PCPJack Linux cloud credential-theft and persistence framework
Malware ActivityAbout this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
Latest development: 05.06.2026 08:34
Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
PCPJack worm-like credential theft framework
Malware Activity
H score27
First: 07.05.2026 20:45
Last: 07.05.2026 20:45
Sources 1
About this happening:
The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
PCPJack worm-like credential theft framework
Malware ActivityAbout this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
H score27
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware ActivityAbout this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Cloud environments third-party flaw exploitation wave
Exploitation Wave
H score37
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Cloud environments third-party flaw exploitation wave
Exploitation WaveAbout this happening: **Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
H score76
First: 12.02.2026 23:34
Last: 12.02.2026 23:34
Sources 1
About this happening:
**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
Timeline
-
29.10.2025 17:38 2 articles · 8mo ago
Automated botnet campaigns exploit exposed PHP servers, IoT devices, and cloud gateways
Initial DisclosureAutomated campaigns target exposed PHP servers, IoT devices, and cloud gateways with botnets such as Mirai, Gafgyt, and Mozi, exploiting known CVEs and cloud misconfigurations to gain control and expand botnet networks. The activity includes `/?XDEBUG_SESSION_START=phpstorm` abuse against Xdebug sessions, attempts to harvest credentials, API keys, and access tokens, and scanning that often originates from AWS, Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud.
Show sources
- Experts Reports Sharp Increase in Automated Botnet Attacks Targeting PHP Servers and IoT Devices — thehackernews.com — 29.10.2025 17:38
- Experts Reports Sharp Increase in Automated Botnet Attacks Targeting PHP Servers and IoT Devices — thehackernews.com — 29.10.2025 17:38
-
29.10.2025 15:00 2 articles · 8mo ago
Qualys reports active exploitation of PHP servers, IoT devices and cloud gateways
Initial DisclosureQualys Threat Research Unit (TRU) reports a sharp increase in attacks against PHP servers, IoT devices and cloud gateways, linking the activity to Mirai, Gafgyt and Mozi plus active abuse of CVE-2022-47945, CVE-2021-3129, CVE-2017-9841, CVE-2024-3721 and CVE-2022-22947. The findings also describe attacks against PHP-based applications such as WordPress, attempts to retrieve AWS credential files from exposed Linux servers, and the use of compromised routers and IoT devices for credential stuffing and password spraying, with guidance to patch promptly, disable development tools like XDebug, use managed secret stores and restrict cloud access.
Show sources
- PHP Servers and IoT Devices Face Growing Cyber-Attack Risks — www.infosecurity-magazine.com — 29.10.2025 15:00
- PHP Servers and IoT Devices Face Growing Cyber-Attack Risks — www.infosecurity-magazine.com — 29.10.2025 15:00