Botnet Surges in Automated Attacks Targeting Servers

Cybersecurity researchers are sounding a loud alarm: a massive, automated attack wave is crashing against the internet. Experts are reporting a major spike in scanning and exploitation attempts from powerful “botnets,” which are vast armies of hijacked computers, smart devices, and servers.

According to a new report from the Qualys Threat Research Unit (TRU) shared with The Hacker News, these robot networks are actively hunting for vulnerable targets, including PHP web servers, cloud infrastructure, and common Internet of Things (IoT) gadgets. Well-known botnets like Mirai, Gafgyt, and Mozi are driving this offensive.

“These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations,” the researchers said. Their goal is simple: to gain control over any exposed system and expand their botnet armies.

PHP Servers and IoT Devices in the Crosshairs

The primary target in this new wave of attacks appears to be servers running PHP. This is a massive attack surface, as PHP is the technology that powers a huge portion of the web, including popular content management systems like WordPress and Craft CMS.

Attackers are finding success because so many of these PHP-based websites are easy targets. They often suffer from simple setup mistakes, outdated plugins and themes full of security holes, or insecure file storage settings. The botnets are systematically scanning for a checklist of well-known, high-impact bugs. This includes old, patchable vulnerabilities in common frameworks like PHPUnit, Laravel, and ThinkPHP, which, if exploited, allow an attacker to take over the server completely.

In a particularly crafty move, attackers are also searching for a developer tool called Xdebug. This tool is meant to help programmers find and fix bugs in their code. However, if it’s accidentally left enabled on a live, public-facing website, it acts as a wide-open back door. Attackers can connect to these exposed debug sessions to spy on the application’s internal behavior and even steal sensitive data.

Of course, the botnets are also trying the simplest approach: looking for stolen keys. They are relentlessly scanning the web for credentials, API keys, and access tokens left exposed on servers. At the same time, they are hammering IoT devices, using known security flaws in products like TBK and MVPower DVRs (digital video recorders) to rope them into the botnet.
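As an added illustration that is not part of the Qualys report or this article, the following Python triage script scans constructed web-server access-log lines for the two probe types described above (Xdebug session triggers and requests for files that commonly hold credentials) and groups hits by source address so bulk scanners stand out. The XDEBUG_SESSION_START and XDEBUG_TRIGGER parameter names are real Xdebug request triggers; the secret-file watch list, the sample log lines and the threshold are assumptions made for the example.

```python
"""Triage access logs for automated probing of PHP servers: Xdebug
session triggers and requests for files that typically hold secrets."""
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3})'
)

# XDEBUG_SESSION_START / XDEBUG_TRIGGER are the real Xdebug request triggers;
# the secret-file list below is an assumed watch list, not from the article.
PROBE_RULES = {
    "xdebug_trigger": re.compile(r"XDEBUG_(SESSION_START|TRIGGER)=", re.I),
    "secret_file": re.compile(r"/(\.env|\.git/config|config\.php\.bak)(\?|$)", re.I),
}


def classify(path):
    """Return the names of every probe rule the request path matches."""
    return [name for name, rx in PROBE_RULES.items() if rx.search(path)]


def triage(lines, threshold=2):
    """Group probe hits by source IP. A source that requested at least
    `threshold` distinct probe paths is flagged as a likely automated scanner."""
    hits = defaultdict(lambda: {"probes": set(), "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        kinds = classify(m["path"])
        if kinds:
            hits[m["ip"]]["probes"].update(kinds)
            hits[m["ip"]]["paths"].add(m["path"])
    return {
        ip: {"probes": sorted(r["probes"]), "paths": sorted(r["paths"]),
             "scanner": len(r["paths"]) >= threshold}
        for ip, r in hits.items()
    }


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:08:01:02 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2025:08:01:03 +0000] "GET /.env HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Nov/2025:08:01:04 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Nov/2025:08:02:10 +0000] "GET /blog/post-1 HTTP/1.1" 200 8192',
    '198.51.100.9 - - [10/Nov/2025:08:03:00 +0000] "GET /.env HTTP/1.1" 404 153',
]

if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, "SCANNER" if rec["scanner"] else "single probe", rec["probes"])
```

A 200 response to an Xdebug trigger does not by itself prove Xdebug is enabled; the value of the rule is in spotting who is asking, so the flagged sources can be blocked and the server's debug configuration checked.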

Hiding in the Cloud

To make these attacks difficult to block, the criminals are laundering their traffic through legitimate, trusted sources. The Qualys report confirmed that much of the scanning activity originates from inside major cloud provider networks.

This includes household names like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Digital Ocean. By launching their attacks from servers inside these trusted services, the attackers can disguise their true origins. This tactic makes it much harder for security systems to distinguish malicious traffic from legitimate activity.

What is perhaps most concerning is that these powerful attacks no longer require a criminal mastermind. The researchers noted that “today’s threat actors don’t need to be highly sophisticated to be effective.” Thanks to the wide availability of pre-packaged exploit kits, botnet frameworks, and scanning tools, even entry-level attackers can now cause significant damage.

The New Role of Botnets: Identity Theft and Evasion

This surge in activity highlights a dangerous new trend. Botnets are evolving far beyond their original purpose of launching distributed denial-of-service (DDoS) attacks.

“While botnets have previously been associated with large-scale DDoS attacks and occasional crypto mining scams, in the age of identity security threats, we see them taking on a new role in the threat ecosystem,” explained James Maude, Field CTO at BeyondTrust.

Today, these massive networks of hijacked devices are being used for complex identity-based attacks. Criminals use them to conduct “credential stuffing” and password spraying attacks on an enormous scale.

Maude explained how this gives attackers a critical advantage: they can easily bypass security controls. For instance, if a criminal steals your password, your bank or email provider might block the login attempt if it comes from a suspicious IP address in another country.

But with a massive, global botnet, the attacker can “rent” a hacked node that is geographically close to you. They can even use a hacked router from the very same ISP you use. This makes the fraudulent login look completely legitimate, defeating many common security checks.

The “DDoS-for-Hire” That Doubles as a Criminal VPN

This evolution is perfectly illustrated by a new class of malware dubbed AISURU, recently analyzed by NETSCOUT. This botnet, which they call a “TurboMirai,” is a “DDoS-for-hire” service that can launch attacks powerful enough to take down major infrastructure.

But it has a secondary, more sinister purpose.

AISURU, which is built from compromised consumer-grade routers, CCTV cameras, and other smart devices, also functions as a residential proxy service. The botnet controllers sell access to this network to other criminals.

These customers can then route their own malicious traffic—be it phishing, spamming, or AI-driven web scraping—through one of the hijacked devices. This makes the criminal’s activity appear to be coming from a legitimate, residential home address, providing anonymity and making it incredibly difficult to trace. According to data cited by security journalist Brian Krebs, this underground market for proxy services has seen exponential growth in recent months.

To protect against this multi-faceted threat, experts are urging organizations to stick to the fundamentals: keep all devices and software patched and up-to-date, remove all development and debug tools from live production environments, and securely store all “secrets” like API keys using dedicated tools like HashiCorp Vault.
