UAT-10608 Campaign: Large-Scale Credential Harvesting Operation Exploiting Next.js Applications via CVE-2025-55182

Tags: credential harvesting, automated exploitation, NEXUS Listener, React2Shell, CVE-2025-55182
Cisco Talos has disclosed a large-scale automated credential harvesting campaign named UAT-10608. This campaign targets web applications, primarily those using Next.js, exploiting a vulnerability known as React2Shell (CVE-2025-55182) to gain initial access. The threat actor uses a framework called NEXUS Listener to systematically exploit and exfiltrate credentials, SSH keys, cloud tokens, and environment secrets from compromised hosts. The operation has affected at least 766 hosts across various geographic regions and cloud providers.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

UAT-10608 (CN)

UAT-10608 is a large-scale automated credential harvesting threat cluster. The group conducts highly automated campaigns that exploit the critical React2Shell vulnerability (CVE-2025-55182) in Next.js-based web applications to gain remote code execution and harvest credentials at massive scale.

Campaign Guidance

Detection Strategies

DET0146: Data Destruction via Mass Overwrite & Deletion
  Description: Detects mass file overwrites and deletions across Windows, Linux, macOS, AWS, ESXi, and container environments by correlating process creation, file deletion syscalls, and destructive API calls within a short time window.
  Technique Detected: T1485 Data Destruction

DET0249: Behaviour-chain Detection for Deploy Container
  Description: Identifies unauthorized container deployments by correlating API-driven create, start, and first network/process activity. Flags non-approved images, non-admin principals, or risky runtime attributes such as --privileged or host namespaces within a 5-minute window.
  Technique Detected: T1610 Deploy Container

DET0309: Compromised Software / Update Chain
  Description: Chains installer/updater execution, file writes to program paths, first-run child processes with signature anomalies, and unexpected outbound egress across Windows, Linux, and macOS. Alerts when a newly installed binary spawns shells or beacons to non-approved hosts within 90 minutes.
  Technique Detected: T1195.002 Compromise Software Supply Chain


Observed Countries (250)

AD (522)
AE (413)
AF (119)
AG (511)
AI (811)
AL (641)
AM (947)
AO (413)
AQ (552)
AR (449)
AS (908)
AT (753)
AU (600)
AW (502)
AX (958)
AZ (845)
BA (58)
BB (224)
BD (769)
BE (112)
BF (406)
BG (432)
BH (854)
BI (98)
BJ (936)
BL (747)
BM (770)
BN (420)
BO (508)
BQ (671)
BR (661)
BS (395)
BT (512)
BV (978)
BW (773)
BY (769)
BZ (39)
CA (620)
CC (233)
CD (755)
CF (463)
CG (702)
CH (171)
CI (789)
CK (293)
CL (34)
CM (435)
CN (784)
CO (214)
CR (856)
CU (826)
CV (335)
CW (177)
CX (750)
CY (389)
CZ (747)
DE (626)
DJ (384)
DK (344)
DM (839)
DO (200)
DZ (853)
EC (629)
EE (313)
EG (641)
EH (889)
ER (607)
ES (121)
ET (765)
FI (567)
FJ (857)
FK (966)
FM (317)
FO (132)
FR (228)
GA (762)
GB (180)
GD (661)
GE (694)
GF (829)
GG (200)
GH (859)
GI (147)
GL (359)
GM (137)
GN (808)
GP (583)
GQ (800)
GR (587)
GS (856)
GT (441)
GU (370)
GW (332)
GY (495)
HK (542)
HM (372)
HN (694)
HR (429)
HT (476)
HU (125)
ID (803)
IE (931)
IL (498)
IM (881)
IN (328)
IO (20)
IQ (562)
IR (527)
IS (409)
IT (622)
JE (411)
JM (196)
JO (806)
JP (112)
KE (569)
KG (113)
KH (407)
KI (40)
KM (996)
KN (904)
KP (116)
KR (16)
KW (906)
KY (106)
KZ (570)
LA (245)
LB (249)
LC (432)
LI (736)
LK (533)
LR (465)
LS (349)
LT (152)
LU (640)
LV (850)
LY (15)
MA (204)
MC (910)
MD (87)
ME (892)
MF (14)
MG (65)
MH (806)
MK (562)
ML (977)
MM (287)
MN (531)
MO (432)
MP (951)
MQ (69)
MR (679)
MS (861)
MT (973)
MU (279)
MV (516)
MW (326)
MX (927)
MY (394)
MZ (277)
NA (286)
NC (125)
NE (105)
NF (422)
NG (245)
NI (851)
NL (709)
NO (75)
NP (361)
NR (505)
NU (316)
NZ (385)
OM (537)
PA (536)
PE (602)
PF (876)
PG (607)
PH (103)
PK (178)
PL (801)
PM (992)
PN (567)
PR (601)
PS (354)
PT (366)
PW (509)
PY (824)
QA (402)
RE (302)
RO (307)
RS (799)
RU (116)
RW (288)
SA (517)
SB (426)
SC (436)
SD (251)
SE (646)
SG (49)
SH (477)
SI (284)
SJ (995)
SK (180)
SL (953)
SM (304)
SN (563)
SO (773)
SR (363)
SS (316)
ST (62)
SV (502)
SX (16)
SY (617)
SZ (186)
TC (415)
TD (855)
TF (533)
TG (414)
TH (115)
TJ (973)
TK (292)
TL (902)
TM (249)
TN (869)
TO (683)
TR (925)
TT (280)
TV (684)
TW (786)
TZ (266)
UA (340)
UG (990)
UM (236)
US (29)
UY (27)
UZ (799)
VA (528)
VC (372)
VE (321)
VG (811)
VI (605)
VN (196)
VU (1)
WF (94)
WS (662)
XK (48)
YE (813)
YT (884)
ZA (597)
ZM (592)
ZW (7)