Full Report
Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.”
Analysis Summary
# Threat Actor: UAT-10608
## Attribution & Identity
- **Name/Alias:** UAT-10608.
- **Identification:** A threat cluster identified by Cisco Talos, characterized by large-scale automated exploitation of a single web-framework vulnerability followed by a purpose-built credential exfiltration framework.
- **Associated Tools:** "NEXUS Listener" (collection framework/C2 GUI).
## Activity Summary
UAT-10608 is conducting a high-volume credential harvesting campaign (identified in April 2026) targeting web applications. The actor uses automated scanning to find vulnerable servers, exploits them to gain initial access, and deploys a multi-phase script designed to systematically drain the host of all sensitive credentials (SSH keys, cloud tokens, database logins). As of the disclosure, at least 766 hosts have been compromised.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of **CVE-2025-55182** (known as **"React2Shell"**), a pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components (RSC) affecting frameworks like Next.js.
- **Payload Delivery:** Staged delivery model using a small dropper that fetches a full multi-phase harvesting shell script.
- **Execution:** Uses `nohup` to run shell scripts from `/tmp` with randomized, dot-prefixed filenames (e.g., `/tmp/.eba9ee1e4.sh`).
- **Data Collection Phases:**
- **environ/proc_all:** Dumps process environment variables.
- **ssh:** Harvests private keys and authorized_keys.
- **tokens:** Regex pattern-matching for specific credential strings.
- **cloud_meta:** Queries AWS/GCP/Azure metadata APIs for IAM roles/tokens.
- **k8s/docker:** Extracts Kubernetes service account tokens and container configs.
- **Exfiltration:** Automated posting of harvested data to a centralized C2.
- **MITRE ATT&CK IDs:**
- T1190 (Exploit Public-Facing Application)
- T1552.001 (Unsecured Credentials: Credentials In Files) for the `tokens` phase
- T1552.004 (Unsecured Credentials: Private Keys) for the `ssh` phase
- T1552.005 (Unsecured Credentials: Cloud Instance Metadata API) for the `cloud_meta` phase
- T1552.007 (Unsecured Credentials: Container API) for the `k8s/docker` phase
- T1555 (Credentials from Password Stores)
- T1083 (File and Directory Discovery)
## Targeting
- **Sectors:** Indiscriminate; any industry utilizing vulnerable Next.js/React applications.
- **Geography:** Global; multiple geographic regions and various cloud providers (AWS, Azure, GCP).
- **Victims:** 766+ compromised hosts. Victims include organizations using AWS (25.6% of victims), Stripe (11.4%) and GitHub (8.6%), so cloud IAM credentials, payment API keys and source-control tokens are all within the reach of the harvest.
## Tools & Infrastructure
- **NEXUS Listener:** A C2 framework featuring a web-based GUI that provides automated analytics, statistics on stolen data, and search capabilities for the operator.
- **Malware:** Custom multi-phase automated harvesting shell scripts.
- **Infrastructure:**
- 144[.]172[.]102[.]88
- 172[.]86[.]127[.]128
- 144[.]172[.]112[.]136
- 144[.]172[.]117[.]112
## Implications
The campaign represents a shift toward "industrial-scale" credential harvesting. By automating the exploitation of a popular web framework (Next.js), UAT-10608 can rapidly pivot from web server compromise to full cloud environment takeover using stolen IAM tokens and SSH keys. The exposure of database credentials and Stripe keys also triggers significant regulatory and financial risks (GDPR, CCPA, PCI DSS).
## Mitigations
- **Patching:** Immediately update Next.js and React components to remediate **CVE-2025-55182**.
- **Configuration:** Audit `getServerSideProps` and `getStaticProps` to ensure server-side secrets are not leaked to the client.
- **Credential Hygiene:** The harvesting script drains every credential reachable from the host, so treat all of them as stolen on any host that was exposed while unpatched: rotate and revoke SSH keys, cloud tokens (AWS/GCP/Azure), database logins and API keys (Stripe, GitHub), and check the old ones for use after the compromise window.
- **Cloud Security:** Require **IMDSv2** on AWS instances (`aws ec2 modify-instance-metadata-options --http-tokens required`) so SSRF-style requests can no longer read the metadata service. One caveat: an attacker who already has code execution on the host can complete the IMDSv2 token handshake, so also set `--http-put-response-hop-limit 1` to keep containers from reaching IMDS and scope instance roles to the minimum the application needs.
- **Monitoring:** Alert on processes launched from dot-prefixed scripts under `/tmp/` (especially as children of the Node.js/Next.js process), on metadata-service requests from the application user, and on outbound HTTP connections from application containers to unknown IPs, including the infrastructure listed above.
- **Secret Management:** Use native secret scanning (GitHub, AWS) to detect exposed credentials.
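The collection phases and the monitoring guidance above reduce to a few host-level signals: a hidden, hex-named script under `/tmp` run by the web application's user, requests to the cloud metadata endpoint from that user, and sessions to the listed infrastructure. The POSIX shell script below is an added example written for this page, not Talos tooling and not the actor's script. It runs the three checks over constructed `ps` and `ss` output embedded in the script (labelled as such); the same functions can be fed live output with `ps -eo pid,ppid,user,args | find_tmp_scripts` and `ss -tn | find_c2_connections`. The function names and the sample process and connection lines are assumptions.

```shell
#!/bin/sh
# Added hunting example for the UAT-10608 TTPs described on this page.
# Not the actor's script and not Talos tooling; all sample data is constructed.

# Infrastructure listed in the report (defanged there, refanged here for matching).
IOC_IPS="144.172.102.88 172.86.127.128 144.172.112.136 144.172.117.112"

# Execution TTP: shell scripts with randomised, dot-prefixed hex names under /tmp
# (e.g. /tmp/.eba9ee1e4.sh). Reads a `ps -eo pid,ppid,user,args` listing on stdin
# and prints every line whose command line references such a script.
find_tmp_scripts() {
    grep -E '/tmp/\.[0-9a-f]{6,}\.sh'
}

# cloud_meta phase: any process talking to the instance metadata endpoint
# (169.254.169.254 on AWS and Azure, metadata.google.internal on GCP).
# Reads a ps listing on stdin; prints matching lines.
find_imds_queries() {
    grep -E '169\.254\.169\.254|metadata\.google\.internal'
}

# Exfiltration: established sessions to the listed C2 addresses. Reads `ss -tn`
# (or `netstat -tn`) output on stdin; prints lines whose peer is an IOC address.
find_c2_connections() {
    pattern=""
    for ip in $IOC_IPS; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for the regex
        pattern="${pattern:+$pattern|}$esc"
    done
    grep -E "[[:space:]]($pattern):[0-9]+"
}

# --- Constructed sample input (not real victim data) ---------------------------
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 4122  4101 node     node /app/node_modules/.bin/next start
 4390  4122 node     /bin/sh -c nohup sh /tmp/.eba9ee1e4.sh >/dev/null 2>&1 &
 4391  4390 node     sh /tmp/.eba9ee1e4.sh
 4400  4391 node     curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
 4410  4122 node     sh /tmp/build.sh'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.1.15:443        203.0.113.8:51234
ESTAB  0      0      10.0.1.15:38522      144.172.102.88:443
ESTAB  0      0      10.0.1.15:38540      172.86.127.128:8080'

# Hit counts over the samples, as plain numbers, so the results can be checked.
count_tmp_script_hits() { printf '%s\n' "$SAMPLE_PS" | find_tmp_scripts    | wc -l | tr -d ' '; }
count_imds_hits()       { printf '%s\n' "$SAMPLE_PS" | find_imds_queries   | wc -l | tr -d ' '; }
count_c2_hits()         { printf '%s\n' "$SAMPLE_SS" | find_c2_connections | wc -l | tr -d ' '; }

printf 'hidden /tmp scripts : %s\n' "$(count_tmp_script_hits)"   # 2 (the nohup wrapper and the script itself)
printf 'IMDS queries        : %s\n' "$(count_imds_hits)"         # 1
printf 'C2 sessions         : %s\n' "$(count_c2_hits)"           # 2
```

The `/tmp/build.sh` line in the sample is there on purpose: the pattern keys on the dot prefix plus a hex name, not on `/tmp` alone, which keeps ordinary build or deploy scripts out of the alert. The IMDS check is intentionally broad; on a host whose workload legitimately reads instance metadata, narrow it to the application user or to the `iam/security-credentials` path, which is what the `cloud_meta` phase is after.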