Full Report
This week, Martin tells the story of a crime he encountered and how it shows that the threat landscape is changing.
Analysis Summary
The article covers two primary subjects: the evolution of Business Email Compromise (BEC) and a specific automated campaign built on the "NEXUS Listener" framework.
# Tool/Technique: NEXUS Listener / React2Shell Exploitation
## Overview
NEXUS Listener is a custom attack framework designed for high-speed, large-scale automated credential harvesting. It facilitates the exploitation of a remote code execution (RCE) vulnerability in Next.js applications known as **React2Shell** (CVE-2025-55182). The tool allows threat actors to "democratize" high-end attacks by automating the extraction and aggregation of sensitive data from hundreds of compromised hosts simultaneously.
## Technical Details
- **Type**: Attack Framework / Credential Harvester
- **Platform**: Web Applications (Specifically Next.js frameworks); Cloud Environments (AWS, etc.)
- **Capabilities**: Automated RCE exploitation, credential extraction (cloud tokens, SSH keys, database credentials), and centralized data aggregation.
- **First Seen**: Reported April 2, 2026
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (CVE-2025-55182)
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- T1528 - Steal Application Access Token
- **TA0007 - Discovery**
- T1082 - System Information Discovery (Infrastructure mapping)
- **TA0010 - Exfiltration**
- T1020 - Automated Exfiltration
## Functionality
### Core Capabilities
- **Automated Exploitation**: Rapidly scans and exploits the React2Shell vulnerability in Next.js applications.
- **Credential Harvesting**: Automatically searches for and extracts high-value secrets including cloud tokens, database credentials, and SSH keys.
- **Centralized Aggregation**: Collects stolen data from multiple victims into a single interface for the attacker.
### Advanced Features
- **Infrastructure Mapping**: Uses harvested data to map out an organization’s internal infrastructure for follow-on attacks.
- **Scalability**: Designed to handle hundreds of compromised hosts at once, significantly lowering the "cost per attack."
## Indicators of Compromise
- **File Hashes (SHA256)**:
- **File Names**: `APQ9305.dll`, `content.js`
- **Behavioral Indicators**: Rapid unauthenticated requests to Next.js endpoints; automated extraction of `.ssh` or cloud config directories.
## Associated Threat Actors
- Unknown (Campaign identified as "large-scale and automated").
## Detection Methods
- **Behavioral Detection**: Implement RASP (Runtime Application Self-Protection) to monitor for unauthorized execution within Next.js environments.
- **Network Detection**: Deploy WAF (Web Application Firewall) rules specifically tuned to detect payloads targeting CVE-2025-55182.
- **Signature-based**: Detection of the "NEXUS Listener" framework components and associated injector/miner signatures (e.g., `W32.Injector:Gen`, `Win.Worm.Coinminer`).
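The behavioral indicator listed above (rapid unauthenticated requests to Next.js endpoints) can be turned into a simple log-based check. The script below is an added example, not part of the report or the NEXUS Listener analysis: it parses combined-format access logs, keeps a sliding window per source address, and flags any source that sends a burst of unauthenticated requests to framework routes. The log lines, addresses, paths, the `/_next/` route prefix and the "authuser field is `-` means unauthenticated" convention are all assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). Addresses, paths
# and timestamps are made up for this demo; they are not indicators from the report.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2026:10:00:00 +0000] "POST /_next/data/app.json HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Apr/2026:10:00:00 +0000] "POST /_next/data/app.json HTTP/1.1" 500 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Apr/2026:10:00:01 +0000] "POST /_next/data/app.json HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.4 - alice [02/Apr/2026:10:00:02 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 40120 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Apr/2026:10:00:02 +0000] "POST /_next/data/app.json HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '192.0.2.9 - - [02/Apr/2026:10:00:03 +0000] "GET /_next/static/css/app.css HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Apr/2026:10:00:04 +0000] "POST /_next/data/app.json HTTP/1.1" 200 812 "-" "python-requests/2.31"',
]

# Combined log format: host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_nextjs_endpoint(path):
    # Assumption: the application serves its framework routes under /_next/.
    return path.startswith("/_next/")

def find_bursts(lines, window=timedelta(seconds=10), threshold=5):
    """Return {source: peak count} for sources sending >= threshold unauthenticated
    requests to Next.js endpoints within any sliding window of `window` length.
    Assumption: an authuser field of '-' means no session was attached."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["user"] != "-" or not is_nextjs_endpoint(rec["path"]):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["src"]] = max(flagged.get(rec["src"], 0), len(q))
    return flagged
```

Tune `window` and `threshold` against a baseline of normal traffic before alerting on it; authenticated browser sessions that legitimately fetch many `/_next/` assets are excluded here only because of the authuser assumption.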
## Mitigation Strategies
- **Patch Management**: Immediately audit and update Next.js applications to remediate CVE-2025-55182.
- **Credential Hygiene**: Rotate all API keys, SSH keys, and database passwords if a compromise is suspected.
- **Hardening**: Enforce **IMDSv2** on AWS instances to prevent unauthorized metadata and token access.
## Related Tools/Techniques
- **AI-Enhanced BEC**: Mentioned as a parallel trend where AI is used to automate and personalize social engineering at scale.
- **Money Mules**: Used in the backend of the BEC variants described to obscure the trail of stolen funds.