An automated campaign attributed to threat cluster UAT-10608 is exploiting vulnerable Next.js applications to achieve pre-authentication remote code execution and deploy a multi-phase credential harvesting framework. The operation has compromised hundreds of hosts across cloud environments, enabling widespread extraction of sensitive credentials, including cloud tokens, SSH keys, and API secrets.
The campaign leverages CVE-2025-55182 (“React2Shell”), a pre-authentication RCE vulnerability in React Server Components, which frameworks such as Next.js use. Attackers send crafted serialized payloads to exposed server-side endpoints; unsafe deserialization of that input yields arbitrary code execution inside the Node.js process, so the attacker's code runs with the same user, environment variables and mounted secrets as the application itself. Once a vulnerable endpoint is identified, exploitation is fully automated and requires no further manual interaction.
Post-compromise, a staged payload drops a multi-phase harvesting script into /tmp and launches it with nohup. The script systematically collects sensitive data: environment variables, SSH keys, cloud instance metadata (AWS/GCP/Azure), Kubernetes service account tokens, and shell command history. Exfiltrated data is sent to a centralized C2 platform (“NEXUS Listener”), which provides a GUI for indexing, analyzing, and operationalizing stolen credentials at scale. The campaign demonstrates broad, indiscriminate targeting consistent with internet-wide scanning.
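The post-exploitation chain above (web server process spawning a nohup'd script from /tmp that reads SSH keys, the Kubernetes service account token and shell history, queries the instance metadata endpoint, then talks to an external host) is distinctive enough to detect from process, file and network telemetry. The following is an added example, not tooling from the report or any vendor: it runs a behavioural rule over a constructed EDR-style event stream (the JSON records and the field names `type`, `pid`, `ppid`, `exe`, `cmdline`, `path`, `dst` are assumptions, not a real product's schema) and raises one finding per launcher whose process tree shows at least two harvesting categories. A lone metadata query from a health check is included as benign noise to show it does not alert on its own.

```python
import re

# Constructed sample telemetry (not real logs): an EDR-style stream of
# process, file-read and network-connect records from one container.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "exe": "/usr/local/bin/node",
     "cmdline": "node server.js"},
    {"type": "process", "pid": 101, "ppid": 100, "exe": "/bin/sh",
     "cmdline": "sh -c nohup /tmp/.h/collect.sh >/dev/null 2>&1 &"},
    {"type": "process", "pid": 102, "ppid": 101, "exe": "/bin/bash",
     "cmdline": "bash /tmp/.h/collect.sh"},
    {"type": "file", "pid": 102, "path": "/home/node/.ssh/id_ed25519"},
    {"type": "file", "pid": 102,
     "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"type": "file", "pid": 102, "path": "/root/.bash_history"},
    {"type": "network", "pid": 102, "dst": "169.254.169.254", "port": 80},
    {"type": "network", "pid": 102, "dst": "203.0.113.7", "port": 443},
    # Benign noise: a health check that legitimately queries instance metadata.
    {"type": "process", "pid": 200, "ppid": 1, "exe": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/healthcheck.py"},
    {"type": "network", "pid": 200, "dst": "169.254.169.254", "port": 80},
]

# A script started with nohup from a world-writable staging directory.
LAUNCHER_RE = re.compile(r"\bnohup\b.*(/tmp/|/var/tmp/|/dev/shm/)")

# File paths the harvester is described as collecting, tagged by category.
SENSITIVE_PATHS = [
    ("ssh_key", re.compile(r"/\.ssh/")),
    ("k8s_token", re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount/token$")),
    ("shell_history", re.compile(r"/\.[a-z]+_history$")),
    ("dotenv", re.compile(r"(^|/)\.env(\.[\w-]+)?$")),
]
# AWS and Azure IMDS share the link-local address; GCP also answers by name.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
MIN_CATEGORIES = 2  # a launcher alone is not enough; require two harvest signals


def analyze(events):
    """Return one finding per nohup-from-/tmp launcher whose process tree
    exhibits credential-harvesting behaviour, as a list of dicts."""
    parent, exe, launchers = {}, {}, set()
    for ev in events:
        if ev["type"] == "process":
            parent[ev["pid"]] = ev["ppid"]
            exe[ev["pid"]] = ev["exe"]
            if LAUNCHER_RE.search(ev["cmdline"]):
                launchers.add(ev["pid"])

    def ancestors(pid):
        # Walk pid -> ppid while we have a process record; guard against cycles.
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            yield pid
            pid = parent[pid]

    def launcher_for(pid):
        return next((p for p in ancestors(pid) if p in launchers), None)

    findings = {}
    for ev in events:
        lp = launcher_for(ev["pid"])
        if lp is None:
            continue  # not under a suspicious launcher: ignore (e.g. the health check)
        ind = findings.setdefault(lp, set())
        if ev["type"] == "file":
            ind.update(name for name, rx in SENSITIVE_PATHS if rx.search(ev["path"]))
        elif ev["type"] == "network":
            ind.add("metadata_query" if ev["dst"] in METADATA_HOSTS else "external_egress")

    results = []
    for lp, ind in sorted(findings.items()):
        if len(ind) < MIN_CATEGORIES:
            continue
        # Context for triage: was the launcher spawned underneath the Node.js app?
        if any(exe.get(a, "").endswith("/node") for a in ancestors(parent[lp])):
            ind.add("spawned_by_node")
        results.append({"launcher_pid": lp, "indicators": sorted(ind)})
    return results


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the launcher rather than on any single sensitive read, because each individual action (reading `.ssh`, hitting the metadata endpoint) has legitimate callers; it is the combination under one nohup'd script from a world-writable directory, rooted in the web server's process tree, that matches the reported tradecraft. In production the `SAMPLE_EVENTS` list would be replaced by your EDR or auditd feed mapped to the same fields.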