PacketCrypt Classic Cryptocurrency Miner on PHP Servers
Essential information
- Published
- 07/01/2025 14:23
- Modified
- 07/01/2025 16:36
- Tags
- 2025-01-07 CVE-2024-4577 cryptomining packetcrypt php stake-to-earn
- Related entities
- 6 observables, 9 techniques (mitre)
Description
A cryptocurrency mining campaign targeting vulnerable PHP servers has been identified. The attack exploits misconfigured or unpatched servers, allowing unauthorized access to php-cgi.exe. The malware, initially delivered as dr0p.exe, downloads a secondary payload pkt1.exe, which then spawns packetcrypt.exe to mine PacketCrypt Classic (PKTC) cryptocurrency. The mined coins are sent to a specific wallet address. The attack chain involves multiple stages and uses various techniques to ensure successful execution. Server administrators are advised to patch and audit their web servers to prevent such attacks and mitigate potential performance issues caused by unauthorized crypto mining activities.