**Exposed: Inside a Large-Scale Automated Credential Harvesting Operation Targeting Web Applications**

In recent months, a large-scale automated credential harvesting campaign has drawn wide attention in the cybersecurity community. The threat cluster behind it, tracked as UAT-10608, has compromised at least 766 hosts across multiple geographic regions and cloud providers. The campaign uses a collection framework dubbed "NEXUS Listener" to exploit vulnerable Next.js applications through the React2Shell vulnerability (CVE-2025-55182). This post covers the operation's methodology and tooling, the breadth of its victim set, and the sensitivity of the data it collected.

**The Campaign's Methodology**

UAT-10608 primarily targets public-facing web applications built on components such as Next.js that are vulnerable to CVE-2025-55182, a pre-authentication remote code execution (RCE) vulnerability in React Server Components (RSC). Once a vulnerable endpoint has been identified, the automated toolkit takes over: no further manual interaction is required to extract credentials from the system and exfiltrate them. A meta.json file tracks the toolkit's execution state, so collection from the various data sources on a compromised system proceeds without manual bookkeeping.

**NEXUS Listener: A Multi-Phase Credential Harvesting Tool**

The framework is designed to collect several categories of sensitive information: credentials, SSH keys, cloud tokens, and environment secrets. Collection runs in phases; as each phase completes, the results are sent in an HTTP request back to the C2 server, where the NEXUS Listener component receives them. The listener stores the data in a database and exposes it through a web application of the same name. In some instances that web application was itself left exposed to the internet, revealing both the harvested data and the inner workings of the operation.

**Exposed Data**

An analysis of the compromised hosts reveals a wealth of sensitive information, including:

* **Credentials**: Runtime environment variables exposing third-party API credentials
* **SSH keys**: Complete PEM-encoded private keys (both ED25519 and RSA formats) along with authorized_keys entries
* **Cloud tokens**: IAM role-associated temporary credentials that carry whatever permissions were granted to the instance role
* **Containerized workloads**: Compromised Kubernetes tokens allowing attackers to enumerate cluster resources, read secrets from other namespaces, or escalate to cluster-admin
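As an added example (not code from the original post, and not part of the NEXUS Listener toolkit), the following Python script shows the responder's side of this list: given the material the harvester would have taken from one host, it works out what has to be rotated or revoked. The sample environment, SSH files, IMDS credential document and service-account token are constructed placeholders, and the path /root/.ssh/authorized_keys, the secret-name patterns and the shape of the returned plan are my assumptions, not anything the report describes.

```python
"""Exposure triage for a host hit by an automated credential harvester.
Takes the material such a toolkit collects (env vars, SSH keys and
authorized_keys, instance-role credentials, a Kubernetes SA token) and
returns what must be rotated or revoked. Inputs are constructed samples."""
import base64
import json
import re
from datetime import datetime, timezone

# Name heuristic (expect some false positives, e.g. KEYBOARD_LAYOUT) plus
# value checks: AWS access key IDs and user:password embedded in URLs.
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASS(WORD)?|CRED|PRIVATE|AUTH", re.I)
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
URL_CREDENTIAL = re.compile(r"://[^/:@\s]+:[^@\s]+@")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def secret_env_vars(env):
    """Env var names that carry credentials, by name or by value format."""
    return sorted(k for k, v in env.items() if SECRET_NAME.search(k)
                  or AWS_ACCESS_KEY_ID.search(v) or URL_CREDENTIAL.search(v))

def private_keys(files):
    """files maps path -> content; paths holding any PEM private key header."""
    return sorted(p for p, c in files.items() if PEM_PRIVATE_KEY.search(c))

def authorized_key_entries(text):
    """(key type, comment) per authorized_keys line, to spot appended entries.
    Lines whose options field has quoted spaces (command="a b") are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if not parts[0].startswith(KEY_TYPES):
            parts = parts[1:]  # drop the leading options field
        if len(parts) >= 2 and parts[0].startswith(KEY_TYPES):
            out.append((parts[0], " ".join(parts[2:])))
    return out

def _b64url_json(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def service_account_identity(token):
    """Namespace, account name and expiry of a Kubernetes SA token. The
    signature is deliberately not verified: this identifies what to revoke,
    it does not authenticate. Handles legacy and bound-token claim layouts."""
    claims = _b64url_json(token.split(".")[1])
    if "kubernetes.io" in claims:
        k = claims["kubernetes.io"]
        ns, name = k["namespace"], k["serviceaccount"]["name"]
    else:
        ns = claims["kubernetes.io/serviceaccount/namespace"]
        name = claims["kubernetes.io/serviceaccount/service-account.name"]
    exp = claims.get("exp")
    expires = datetime.fromtimestamp(exp, timezone.utc).isoformat() if exp else None
    return {"namespace": ns, "serviceaccount": name, "expires": expires}

def revoke_sessions_policy(issued_before):
    """IAM deny statement invalidating every role session issued before the
    given time (what the console's "Revoke active sessions" attaches)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}

def triage(env, files, imds_doc, sa_token, now_iso):
    """Rotation/revocation plan for one compromised host."""
    plan = {"rotate_env": secret_env_vars(env),
            "replace_ssh_keys": private_keys(files),
            "audit_authorized_keys": authorized_key_entries(
                files.get("/root/.ssh/authorized_keys", "")),
            "revoke_role_sessions": None, "revoke_serviceaccount": None}
    if imds_doc:  # the harvested session predates now_iso, so it is denied
        plan["revoke_role_sessions"] = {"access_key_id": imds_doc["AccessKeyId"],
                                       "policy": revoke_sessions_policy(now_iso)}
    if sa_token:
        plan["revoke_serviceaccount"] = service_account_identity(sa_token)
    return plan

# Constructed sample input; none of these values are real secrets.
def _jwt(payload):
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return seg({"alg": "RS256", "kid": "constructed"}) + "." + seg(payload) + ".sig"

SAMPLE_ENV = {"NODE_ENV": "production", "PORT": "3000",
              "STRIPE_SECRET_KEY": "sk_live_placeholder",
              "DATABASE_URL": "postgres://app:hunter2@db.internal/app",
              "S3_UPLOAD_ID": "AKIAIOSFODNN7EXAMPLE"}
SAMPLE_FILES = {
    "/root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "/root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3 deploy@ci\nno-pty ssh-rsa AAAAB3 ops@bastion\n"}
SAMPLE_IMDS = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
               "SecretAccessKey": "x", "Token": "x", "Expiration": "2025-12-10T06:00:00Z"}
SAMPLE_SA_TOKEN = _jwt({"iss": "https://kubernetes.default.svc", "exp": 1767225600,
                        "kubernetes.io": {"namespace": "web",
                                          "serviceaccount": {"name": "nextjs-frontend"}}})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ENV, SAMPLE_FILES, SAMPLE_IMDS, SAMPLE_SA_TOKEN,
                            "2025-12-10T00:00:00Z"), indent=2))
```

Two points the script encodes that the list above leaves implicit. Instance-role session credentials cannot be rotated, only denied: the aws:TokenIssueTime condition invalidates every session issued before the cut-off, and the role simply obtains a fresh session afterwards. And the reach of a harvested service-account token is whatever RBAC grants that account, so the namespace and account name are what you need in order to audit its bindings and to ask whether a frontend pod needed a mounted API token at all.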

**Implications for Organizations**

The breadth of the victim set and the indiscriminate targeting pattern are consistent with automated, opportunistic scanning rather than hand-picked targets. Organizations running Next.js or other RSC-based applications should therefore check their exposure to CVE-2025-55182 and hunt for artifacts associated with this threat. Snort SID 65554 covers CVE-2025-55182. IOCs for this threat are available on our GitHub repository.

In conclusion, UAT-10608's campaign shows how quickly a pre-authentication RCE in a widely deployed framework turns into credential theft at scale. Patching exposed applications promptly is the first step; any host that was both vulnerable and reachable should also be treated as a candidate for credential rotation, since the secrets it held may already have left the environment.