
""Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2).""
""The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.""
""The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js App Router that could result in remote code execution.""
A credential harvesting operation has been identified exploiting the React2Shell vulnerability to steal sensitive information such as database credentials, SSH keys, and API tokens. Cisco Talos attributes this activity to the UAT-10608 threat cluster, with at least 766 compromised hosts across various regions. The operation uses automated scripts to extract credentials and sends them to a command-and-control server featuring a GUI called 'NEXUS Listener' for data analysis. The campaign targets Next.js applications vulnerable to CVE-2025-55182, a critical flaw that enables remote code execution, and deploys a multi-phase harvesting script on compromised hosts.
Read at The Hacker News