Full Report
An automated campaign attributed to threat cluster UAT-10608 is exploiting vulnerable Next.js applications to achieve pre-authentication remote code execution and deploy a multi-phase credential harvesting framework. The operation has compromised hundreds of hosts across cloud...
Analysis Summary
# Threat Actor: UAT-10608
## Attribution & Identity
- **Name/Alias:** UAT-10608
- **Identification:** An automated threat cluster characterized by large-scale, opportunistic exploitation.
- **Associations:** Associated with the "NEXUS Listener" C2 platform/framework.
## Activity Summary
UAT-10608 is currently conducting an automated campaign (documented April 2026) that leverages a critical 1-day vulnerability in React Server Components. The operation focuses on achieving pre-authentication Remote Code Execution (RCE) on Next.js applications to deploy a multi-phase credential harvesting framework. The campaign has successfully compromised hundreds of hosts across various cloud environments.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of CVE-2025-55182 ("React2Shell"), a pre-authentication RCE vulnerability (T1190).
- **Execution:**
  - Unsafe deserialization of crafted serialized payloads sent to server-side endpoints.
  - Deployment of staged scripts from the `/tmp` directory via `nohup`, so the process survives once the exploitation session ends (T1059.004).
- **Credential Access:**
  - Automated harvesting of environment variables, SSH keys, and command history (T1552.001).
  - Extraction of cloud metadata (AWS/GCP/Azure) and Kubernetes service account tokens (T1552.006).
- **Exfiltration:** Data is exfiltrated to a centralized listener for indexing and analysis (T1041).
- **Automation:** Use of internet-wide scanning and fully automated exploitation sequences.
## Targeting
- **Sectors:** Cross-sector/Indiscriminate. Any organization running vulnerable Next.js/React Server Components.
- **Geography:** Global; specifically targets cloud-hosted infrastructure.
- **Victims:** Hundreds of hosts across cloud service providers; specifically targets modern web application stacks.
## Tools & Infrastructure
- **Vulnerability:** CVE-2025-55182 ("React2Shell").
- **Frameworks:** Next.js, React Server Components.
- **Malware/Scripts:** Multi-phase harvesting script staged in `/tmp`.
- **Infrastructure:**
  - **NEXUS Listener:** A centralized C2 platform with a GUI used for managing stolen credentials.
- **Reference URLs (Defanged):**
  - hxxps[://]blog[.]talosintelligence[.]com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/
  - hxxps[://]threats[.]wiz[.]io/all-incidents/uat-10608-campaign-abuses-react2shell-for-cloud-credential-harvesting
## Implications
This actor demonstrates a high level of operational efficiency by weaponizing 1-day vulnerabilities at scale. The use of the "NEXUS Listener" suggests a professionalized approach to credential harvesting, where stolen tokens (AWS, GCP, Azure, K8s) are systematically indexed for follow-on attacks, such as lateral movement, data exfiltration, or complete cloud environment takeover.
## Mitigations
- **Patching:** Immediately update Next.js and React-based frameworks to versions that mitigate CVE-2025-55182.
- **Runtime Protection:** Monitor for suspicious processes originating from `/tmp`, specifically those executed using `nohup`.
- **Secrets Management:** Limit the exposure of sensitive credentials in environment variables; use managed identity solutions (e.g., IAM roles for tasks) instead of long-lived access keys.
- **Network Security:** Restrict access to the instance metadata service (e.g., require IMDSv2 on AWS) so that automated scripts running on a compromised host cannot trivially harvest cloud provider tokens.
- **Monitoring:** Audit server logs for unusual serialized payloads sent to React Server Component endpoints.
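As an added detection sketch (not code from the referenced reports), the following script applies the runtime-protection guidance above to process-start events: it flags executables launched from a scratch directory or started via `nohup` with a `/tmp` argument, and notes when the parent is the Node.js web server process. The event format, the scratch directories and the web-server process names are assumptions, and the sample events are constructed.

```python
"""Flag process-start events matching the UAT-10608 staging behaviour:
scripts launched from a scratch directory via nohup, ideally spawned by
the web server that was exploited. Sample events are constructed."""
import json
import os
import shlex

# Assumption: world-writable scratch directories an intruder would stage in.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: process names the Next.js server runs under on this host.
WEB_SERVER_COMMS = {"node", "next-server"}


def in_scratch_dir(path: str) -> bool:
    return any(path.startswith(d) for d in SCRATCH_DIRS)


def classify(event: dict) -> list[str]:
    """Return the reasons an event matches the pattern (empty list = benign)."""
    reasons = []
    try:
        argv = shlex.split(event.get("cmdline", ""))
    except ValueError:  # unbalanced quotes in cmdline: fall back to whitespace split
        argv = event.get("cmdline", "").split()
    if in_scratch_dir(event.get("exe", "")):
        reasons.append("executable lives in a scratch directory")
    if argv and os.path.basename(argv[0]) == "nohup":
        staged = [a for a in argv[1:] if in_scratch_dir(a)]
        if staged:
            reasons.append(f"nohup launching {staged[0]}")
    if reasons and event.get("pcomm") in WEB_SERVER_COMMS:
        reasons.append("spawned by the web server process")
    return reasons


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Parse one JSON event per line and return (pid, reasons) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


# Constructed sample events: two staging steps followed by two benign starts.
SAMPLE_EVENTS = [
    '{"pid": 4312, "ppid": 1201, "pcomm": "node", "exe": "/usr/bin/nohup", "cmdline": "nohup sh /tmp/.x/stage1.sh"}',
    '{"pid": 4313, "ppid": 4312, "pcomm": "sh", "exe": "/tmp/.x/harvest", "cmdline": "/tmp/.x/harvest --all"}',
    '{"pid": 900, "ppid": 1, "pcomm": "systemd", "exe": "/usr/bin/node", "cmdline": "node server.js"}',
    '{"pid": 950, "ppid": 1, "pcomm": "cron", "exe": "/usr/bin/nohup", "cmdline": "nohup /opt/backup/run.sh"}',
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The `nohup` from cron in the last sample is deliberately not flagged, since the signal is the scratch-directory path, not `nohup` by itself.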