**Hacker Pranks Exposes Large-Scale Credential Harvesting Operation Targeting Web Applications**
A recently uncovered large-scale automated credential harvesting campaign has left organizations scrambling to secure their web applications. The operation, attributed to a threat cluster tracked as UAT-10608, leverages a sophisticated framework called NEXUS Listener to exploit vulnerable Next.js applications and exfiltrate sensitive data.
**The Operation's Methodology**
The campaign targets public-facing web applications built on components, primarily Next.js, that are vulnerable to the React2Shell vulnerability (CVE-2025-55182). Once a vulnerable endpoint is identified, the automated toolkit takes over and extracts credentials from the system without further manual interaction. The initial React exploit delivers a small dropper that fetches and runs the full multi-phase harvesting script.
**Data Exfiltration and Storage**
The framework leverages a meta.json file to track execution state, allowing the operator to monitor the collection process in real-time. After data is exfiltrated from a compromised system and sent back to the C2 infrastructure, it is stored in a database and made available via the NEXUS Listener web application. In some instances, the web application was left exposed, revealing sensitive information, including the inner workings of the application itself.
**Implications for Organizations**
The breadth of the victim set and the indiscriminate targeting pattern suggest that target selection is driven by host profile data from services like Shodan or Censys rather than by any interest in specific organizations. The exposure of third-party API credentials, complete PEM-encoded private keys, and cloud tokens poses a significant risk to organizations with shared key infrastructure or bastion-host architectures.
**Observations and Analysis**
Cisco Talos was able to obtain data from an unauthenticated NEXUS Listener instance, providing valuable insights into the campaign's methodology. The observed NEXUS Listener instances display "v3" in the title, indicating that the application has undergone several stages of development before reaching its current version.
**Key Findings and Recommendations**
* 78% of compromised hosts contained complete PEM-encoded private keys, enabling lateral movement to any other system that trusts the compromised host's key identity.
* The campaign targeted cloud-hosted systems, yielding IAM role-associated temporary credentials that carry whatever permissions were granted to the instance role.
* Containerized workloads were also targeted, with the toolkit attempting to read the default service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.
* Organizations should investigate for the following artifacts on web application hosts:
  + SNORT ID for CVE-2025-55182: 65554
  + IOCs available on our GitHub repository
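The service account token named above is only readable by a compromised web process if Kubernetes projects it into the pod. As an added defender-side example (not part of the original report or any Talos tooling), the check below walks pod manifests of the shape returned by `kubectl get pods -o json` and flags workloads that will have the token mounted, applying the Kubernetes precedence rule (the pod's `automountServiceAccountToken` overrides the ServiceAccount's, both default to true); the pod and service account names are constructed.

```python
"""Flag pods whose default service account token will be projected into the
container at /var/run/secrets/kubernetes.io/serviceaccount/token."""

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def token_automounted(pod: dict, sa_automount: dict) -> bool:
    """Return True if the kubelet will mount the SA token for this pod.

    Precedence: spec.automountServiceAccountToken on the pod wins; otherwise
    the ServiceAccount's own setting applies; if neither is set, Kubernetes
    defaults to mounting the token.
    """
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    sa_name = spec.get("serviceAccountName", "default")
    return bool(sa_automount.get(sa_name, True))


def audit(pods: list, sa_automount: dict) -> list:
    """Names of pods that would hand a cluster credential to a web-app compromise."""
    return [p["metadata"]["name"] for p in pods if token_automounted(p, sa_automount)]


# Constructed sample manifests: the weak default beside two hardened variants
# and one pod that overrides a hardened ServiceAccount back to mounting.
CONTAINERS = [{"name": "app", "image": "example/nextjs"}]
WEAK_POD = {"metadata": {"name": "nextjs-web"}, "spec": {"containers": CONTAINERS}}
HARDENED_POD = {"metadata": {"name": "nextjs-web-hardened"},
                "spec": {"automountServiceAccountToken": False, "containers": CONTAINERS}}
SA_POD = {"metadata": {"name": "nextjs-web-sa"},
          "spec": {"serviceAccountName": "no-token-sa", "containers": CONTAINERS}}
OVERRIDE_POD = {"metadata": {"name": "override-pod"},
                "spec": {"serviceAccountName": "no-token-sa",
                         "automountServiceAccountToken": True, "containers": CONTAINERS}}
# ServiceAccounts in the namespace and their automount setting (constructed).
SERVICE_ACCOUNTS = {"default": True, "no-token-sa": False}

if __name__ == "__main__":
    for name in audit([WEAK_POD, HARDENED_POD, SA_POD, OVERRIDE_POD], SERVICE_ACCOUNTS):
        print(f"{name}: token will be mounted at {TOKEN_PATH}")
```

Workloads that never call the Kubernetes API, which is the usual case for a Next.js front end, should set `automountServiceAccountToken: false` so a server-side code execution bug yields no cluster credential.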
**Protecting Your Organization**
To mitigate this threat, organizations must ensure that their web applications are patched and up-to-date. Regularly scanning for vulnerabilities and implementing robust security measures can help prevent automated exploitation attempts. By staying informed about emerging threats and best practices, you can better protect your organization from the ever-evolving landscape of cybersecurity risks.
**References**
* CVE-2025-55182: React2Shell vulnerability
* SNORT ID 65554: IOCs for the UAT-10608 threat cluster