Nov 04, 2025 • GreyNoise Blog
PHP Cryptomining Campaign: October/November 2025
Executive Summary
Between August and October 2025, GreyNoise identified a significant increase in exploitation attempts targeting PHP applications and frameworks. The campaign is financially motivated and correlates with rising Bitcoin prices, which increase the profitability of cryptocurrency mining. Attackers leverage vulnerabilities in PHP environments to deploy cryptomining malware onto compromised systems. No specific threat actor group or distinct malware family was explicitly named, but the surge indicates a coordinated effort to hijack computing resources for illicit mining. Organizations running PHP-based infrastructure should prioritize patching known vulnerabilities, monitor outbound connections for mining pool traffic, and implement strict access controls. Server performance may also degrade due to high CPU usage. Severity is assessed as medium because the impact is resource theft, though the widespread exploitation attempts warrant heightened vigilance to prevent unauthorized resource consumption and potential lateral movement within networks.
Summary
From Aug–Oct 2025, GreyNoise observed a surge in exploitation attempts against PHP and PHP-based frameworks as attackers deployed cryptominers—driven by rising Bitcoin prices and higher mining payoffs.