Unveiling a massive automated DNS credential harvesting scheme aimed at web applications

Apr 6, 2026 | Threat Intelligence Research

Large-Scale Credential Harvesting Campaign by UAT-10608 Revealed

Cisco Talos has identified a significant automated credential harvesting campaign executed by the threat actor cluster labeled UAT-10608. This operation has compromised over 766 hosts by leveraging vulnerabilities in Next.js applications, particularly exploiting the React2Shell (CVE-2025-55182) vulnerability to gain initial access.

The campaign employs automated scripts for the systematic extraction and exfiltration of credentials, including SSH keys, cloud tokens, and environment secrets. The data harvested is sent to a command and control server, which features a web-based GUI called NEXUS Listener. This interface allows attackers to monitor stolen information and analyze comprehensive statistics about compromised hosts, enhancing the operational effectiveness of the threat actor.

One major technique used involves sending crafted payloads to vulnerable Server Function endpoints in Next.js applications. This attack does not require authentication, making it particularly insidious, as an attacker can execute arbitrary code on the server-side Node.js process. The full extent of the operation is illustrated in a detailed flow of interaction between compromised hosts and the NEXUS Listener, which has been visualized in the report.

Defensive Context

Organizations that host public-facing applications using Next.js should be particularly concerned about this campaign. The exploitation of the React2Shell vulnerability can have devastating effects, including credential compromise and potential takeover of critical services.

Organizations that utilize specific cloud services or rely on SSH for access may be at heightened risk, especially if there are overlaps in credential usage. On the other hand, entities that do not utilize Next.js or that have robust security measures in place may not currently need to prioritize immediate action against this particular threat.

Why This Matters

The implications for organizations exposed to this threat range from immediate financial risks, such as fraud through compromised payment processing keys, to broader compliance issues tied to data privacy laws if personally identifiable information is accessed. The widespread nature of the campaign suggests that many organizations may be unwittingly vulnerable, particularly those with neglected or improperly configured security measures.

Defender Considerations

Defenders should focus on auditing their Next.js applications for exposure to the React2Shell vulnerability (CVE-2025-55182). Any credentials that may overlap with those identified as potentially compromised by the harvesting campaign should be rotated immediately. Organizations also benefit from monitoring outbound HTTP traffic for signs of unauthorized data exfiltration, a key indicator of an active compromise.

Indicators of Compromise (IOCs)

The following IOCs have been noted:

  • IP Addresses:
    • 144.172.102.88
    • 172.86.127.128
    • 144.172.112.136
    • 144.172.117.112

Organizations are advised to investigate any unusual processes, unexpected outgoing connections, or authenticated access to potentially exposed endpoints.
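As an added example (not code from the Cisco Talos report or this page), the script below shows the kind of egress-log check the advice above calls for: it scans outbound connection records for contact with the four C2 addresses listed in the IOC section and summarizes, per internal host, how many connections were made and how many bytes left. The log format, the host names, and the function names are assumptions constructed for illustration; the IP addresses are exactly those listed on the page.

```python
"""Flag outbound connections to the UAT-10608 C2 addresses listed in the advisory.

Added example, not part of the Cisco Talos report. The egress log format below
is a constructed, hypothetical one (timestamp, source host, dst=, dport=, bytes_out=);
adapt parse_line() to whatever your proxy or firewall actually emits.
"""
import ipaddress
import re

# IOC addresses exactly as listed on the page.
UAT_10608_C2_IPS = frozenset({
    "144.172.102.88",
    "172.86.127.128",
    "144.172.112.136",
    "144.172.117.112",
})

# Constructed sample egress log lines (hypothetical format and hosts).
SAMPLE_EGRESS_LOG = """\
2026-04-05T10:01:12Z web-01 dst=93.184.216.34 dport=443 bytes_out=1420
2026-04-05T10:02:45Z web-01 dst=144.172.102.88 dport=80 bytes_out=58231
2026-04-05T10:02:47Z web-01 dst=144.172.102.88 dport=80 bytes_out=61044
2026-04-05T10:03:01Z web-02 dst=172.86.127.128 dport=8080 bytes_out=20311
2026-04-05T10:04:30Z api-03 dst=10.0.5.17 dport=5432 bytes_out=980
this line is malformed and must be skipped, not crash the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dst=(?P<dst>[0-9.]+)\s+"
    r"dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one egress record; return a dict, or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        dst = str(ipaddress.ip_address(m.group("dst")))  # normalizes and validates
    except ValueError:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "dst": dst,
        "dport": int(m.group("dport")),
        "bytes_out": int(m.group("bytes")),
    }


def find_c2_contacts(log_text, ioc_ips=UAT_10608_C2_IPS):
    """Return every parsed record whose destination is one of the IOC addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["dst"] in ioc_ips:
            hits.append(rec)
    return hits


def summarize_by_host(hits):
    """Aggregate matching records per internal host for triage."""
    summary = {}
    for rec in hits:
        entry = summary.setdefault(
            rec["host"], {"count": 0, "bytes_out": 0, "c2_ips": set()}
        )
        entry["count"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        entry["c2_ips"].add(rec["dst"])
    return summary


if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_EGRESS_LOG)
    for host, info in sorted(summarize_by_host(contacts).items()):
        print(f"{host}: {info['count']} connection(s), {info['bytes_out']} bytes out "
              f"to {sorted(info['c2_ips'])}")
```

Hosts that appear in the summary are candidates for the investigation steps above: check running processes, review the Next.js deployment for the React2Shell fix, and rotate any SSH keys, cloud tokens, or environment secrets that the host could have exposed.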
