Botnet Surge: Mirai, Gafgyt and Mozi Ramp Up Attacks Against PHP, IoT and Cloud Gateways

By Azhar Khan

Date: October 30, 2025

Summary: Security researchers have observed a rapid surge in automated botnet activity over the last 24 hours, with long-standing IoT botnets — Mirai, Gafgyt and Mozi — aggressively scanning for and exploiting vulnerable PHP servers, Internet-of-Things devices and misconfigured cloud gateways. The campaigns combine opportunistic mass scanning with targeted follow-ups, enabling attackers to expand bot armies for DDoS, credential theft and further intrusion.

What’s happening

Multiple telemetry sources show coordinated waves of probes and exploitation attempts hitting three primary classes of targets:

  • Public-facing PHP web applications and CMS instances (WordPress, Craft, Laravel/ThinkPHP endpoints) with unpatched RCE and file-upload flaws;
  • Consumer and edge IoT devices (routers, DVRs, webcams) with default credentials, exposed telnet/SSH or vulnerable web interfaces;
  • Cloud gateway and API endpoints that are misconfigured (open management interfaces, weak credentials, or permissive S3/Blob buckets) and can be used as a pivot into multi-tenant environments.

Attackers mix old, reliable Mirai-style credential stuffing for IoT logins with more modern, opportunistic exploitation of known PHP CVEs and cloud misconfigurations to bootstrap initial access and then propagate payloads such as Mozi-style P2P implants and Gafgyt DDoS modules.

Observed tactics, techniques and procedures (TTPs)

Observed TTPs include:

  • Mass automated scanning for exposed PHP endpoints and common CMS paths (e.g., /wp-admin, /vendor/phpunit, /public/index.php). Attackers attempt known RCE and file-upload CVEs in rapid succession.
  • Credential brute-force against telnet/ssh and web admin interfaces using large username/password dictionaries derived from prior leaks.
  • Command injection and downloader chains that fetch compact IoT binaries (MIPS/ARM) and install bot binaries either persistently in device storage (so they survive simple reboots) or as RAM-resident variants.
  • Use of cloud platforms and transient hosting providers for command-and-control (C2) to hide infrastructure, combined with fast-flux DNS patterns that complicate takedown.

Scale and impact

Security teams report tens of thousands of exploit attempts per hour against known vulnerable endpoints during the surge window. The objective appears two-fold: enlarge botnets rapidly (for future DDoS capacity and proxying) and identify high-value targets for follow-on operations such as data theft, crypto-mining, or supply-chain pivoting. Given the vast installed base of unpatched PHP applications and poorly managed IoT devices, the potential reach is global and immediate.

Why PHP servers, IoT and cloud gateways are attractive

PHP remains widely used and frequently misconfigured or unpatched in small to medium web deployments; common frameworks and plugins still host well-known CVEs that are easy to automate. IoT devices often ship with default credentials or have exposed management ports; many are resource-constrained and cannot run modern EDR agents. Cloud gateways, when misconfigured (e.g., overly permissive IAM/S3/Blob settings, exposed management APIs), provide a fast path to expand reach into tenant workloads or to stage payloads. Together, these weaknesses provide an inexpensive, high-yield recruitment funnel for botnet operators.

Indicators of Compromise (IoCs) and behaviours to hunt for

Defenders should look for:

  • Large volumes of failed POST/GET requests to PHP endpoints, unusual user-agent strings used by scanning tools, or rapid repetition of the same exploit payload across multiple endpoints.
  • Unusual telnet/SSH login attempts using common default credentials or rapid username/password failures followed by a successful login from the same source.
  • New or modified binaries on IoT devices (MIPS/ARM ELF files), unexpected startup scripts, or files written to /tmp, /var/run or firmware partitions.
  • Outbound connections from edge devices or gateway hosts to suspicious cloud hosts or low-reputation IPs, especially on non-standard ports, and sudden increases in outbound DNS activity (fast-flux patterns).
  • Unusual spikes in network traffic consistent with participation in DDoS attacks, or devices acting as proxies for outbound scanning activity.
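The first two hunting behaviours above (rapid repetition of known PHP/CMS probe paths from one source, and a burst of telnet/SSH failures followed by a success from the same source) can be turned into simple log-based detections. The following is an added example written for this article, not tooling from the researchers or the botnet operators; the access-log and sshd lines are constructed samples, the threshold values (three probe hits within 60 seconds, three failures before a success) are assumptions to tune for your environment, and the user-agent string "scanner-bot/1.0" is made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed web-server access lines (combined log format). 203.0.113.5 sweeps
# the CMS paths named in the article; 198.51.100.7 is ordinary browsing.
ACCESS_LOG = """\
203.0.113.5 - - [30/Oct/2025:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "scanner-bot/1.0"
203.0.113.5 - - [30/Oct/2025:10:00:01 +0000] "GET /vendor/phpunit/ HTTP/1.1" 404 162 "-" "scanner-bot/1.0"
203.0.113.5 - - [30/Oct/2025:10:00:02 +0000] "POST /public/index.php HTTP/1.1" 404 162 "-" "scanner-bot/1.0"
203.0.113.5 - - [30/Oct/2025:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "scanner-bot/1.0"
198.51.100.7 - - [30/Oct/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [30/Oct/2025:10:00:09 +0000] "GET /about HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Constructed sshd auth lines: a short dictionary run that ends in a successful login.
AUTH_LOG = """\
Oct 30 10:01:01 gw sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Oct 30 10:01:02 gw sshd[2202]: Failed password for admin from 203.0.113.5 port 51123 ssh2
Oct 30 10:01:02 gw sshd[2203]: Failed password for invalid user support from 203.0.113.5 port 51124 ssh2
Oct 30 10:01:03 gw sshd[2204]: Accepted password for admin from 203.0.113.5 port 51125 ssh2
Oct 30 10:05:00 gw sshd[2300]: Accepted publickey for ops from 10.0.0.12 port 40000 ssh2
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Path prefixes the article lists as commonly probed; extend with your own CMS layout.
SCAN_PATHS = ("/wp-admin", "/vendor/phpunit", "/public/index.php", "/wp-login.php")


def parse_access(log_text):
    """Parse combined-format access lines into dicts with a real datetime and int status."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def find_php_scanners(events, min_hits=3, window_s=60):
    """Return {ip: sorted probe paths} for sources hitting >= min_hits scan paths within window_s."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"].startswith(SCAN_PATHS):
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):  # sliding window anchored at each event
            j = i
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_hits:
                flagged[ip] = sorted({e["path"] for e in evs[i:j]})
                break
    return flagged


def find_bruteforce_then_success(log_text, min_failures=3):
    """Return {ip: details} for sources with >= min_failures failed logins before an accepted one."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, result, user = m["ip"], m["result"], m["user"]
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits[ip] = {"failures_before_success": failures[ip], "user": user}
    return hits


if __name__ == "__main__":
    print("PHP scanners:", find_php_scanners(parse_access(ACCESS_LOG)))
    print("Brute force then success:", find_bruteforce_then_success(AUTH_LOG))
```

Feed real access and auth logs through `parse_access` and `find_bruteforce_then_success` instead of the embedded samples; the SSH check is deliberately order-sensitive, so a success that follows the failures is what triggers it, which is the sequence the article describes.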

Immediate mitigations for organisations and hosting providers

Short-term actions to reduce risk:

  • Patch and harden public PHP applications: apply vendor patches for known CVEs, remove unused plugins/modules, and block dangerous file-upload routes via a Web Application Firewall (WAF).
  • Harden IoT devices: change default credentials, disable telnet, enable SSH key-based auth where supported, restrict management interfaces to internal networks, and update firmware where possible.
  • Lock down cloud gateways and management APIs: enforce least privilege IAM roles, restrict console/API access via allow-listed IPs or private endpoints, and audit storage permissions (S3/Blob) for public exposure.
  • Deploy network-level controls: segment IoT networks from corporate resources, apply egress filtering to prevent devices from reaching arbitrary internet hosts, and rate-limit unknown outbound traffic to detect beaconing.
  • Enable anomaly detection: watch for sudden bursts of scanning traffic, repeated failed logins, and unusual process creation on servers and gateways.
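The cloud-gateway item above asks teams to audit storage permissions for public exposure. The following is an added example, not code from the article or any cloud vendor, showing a minimal offline check of an S3-style bucket policy: it flags `Allow` statements whose principal is the wildcard `*` (or `{"AWS": "*"}`) and reports whether a `Condition` narrows them. Both policy documents are constructed for illustration, the bucket name and account ID are placeholders, and a `Condition` only lowers the severity here because its contents still need a human review.

```python
import json

# Constructed weak policy: the first statement grants s3:GetObject to anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/uploads/*"},
    ],
})

# Constructed corrected policy: reads are limited to a named role instead of the world.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/uploads/*"},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return findings for Allow statements open to any principal.

    severity is "public" when no Condition is present and "review" when one is,
    since a Condition may or may not actually restrict the grant.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{i}"),
            "actions": _as_list(stmt.get("Action")),
            "resource": _as_list(stmt.get("Resource")),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


if __name__ == "__main__":
    print("weak:", find_public_statements(WEAK_POLICY))
    print("fixed:", find_public_statements(FIXED_POLICY))
```

Run the check against policies exported from your account (for example the JSON returned by a get-bucket-policy call) and treat any "public" finding as an exposure to close; pair it with the platform's account-level public-access block so a future policy edit cannot silently reopen the bucket.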

Actionable guidance for small organisations and consumers

  • Change default passwords on routers, DVRs, cameras and other IoT devices; if a device is no longer getting firmware updates, consider replacing it.
  • Disable unused services (telnet, FTP, UPnP) and place devices behind a consumer firewall or network segmentation (guest Wi-Fi for IoT).
  • Keep web apps and CMS plugins updated; remove legacy or unmaintained extensions and use reputable hosting that enforces baseline security controls.
  • Monitor usage bills and home network bandwidth for unexplained spikes that could indicate device enlistment into a botnet.

Longer-term defensive measures

To reduce systemic risk, the industry should accelerate device-security standards, require secure default configurations from vendors, and improve telemetry for edge devices. Hosting providers and cloud platforms must expose clearer guardrails and defaults to prevent misconfiguration. Organisations should adopt an assume-compromise posture for edge systems, implement robust segmentation, and regularly exercise incident response plans that include IoT and cloud gateway scenarios.

Outlook

The current surge is a reminder that botnet operators recycle proven toolchains (Mirai, Gafgyt, Mozi) while rapidly integrating new exploit signatures and cloud-centric pivot techniques. Expect continued automated scanning for months: even when vendors patch CVEs, the large population of unpatched devices and web apps will fuel a persistent recruitment pipeline. Rapid patching, aggressive segmentation and improved IoT hygiene are the practical ways to blunt the recruitment and attack capacity of these botnets.

Resources & reporting

If you observe suspicious activity consistent with the described campaigns, collect logs, preserve device images where possible, and report incidents to your national CERT/CSIRT and hosting provider so that C2 infrastructure can be traced and blocked. Shared indicators help block attacker infrastructure and reduce the botnet’s effectiveness.

Takeaway: The surge in Mirai, Gafgyt and Mozi activity is a significant operational threat for both enterprise and consumer environments. Protect public PHP endpoints, lock down IoT devices, and harden cloud gateways now — the cost of inaction is continued botnet growth and amplified attack capability for threat actors worldwide.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.