
UAT-10608 Campaign: Large-Scale Credential Harvesting Operation Exploiting Next.js Applications via CVE-2025-55182
Indicators of Compromise
No domains found for this campaign
APT Groups
UAT-10608 is a large-scale, automated credential-harvesting threat cluster. It runs highly automated campaigns that exploit the critical React2Shell vulnerability (CVE-2025-55182) in Next.js-based web applications to gain remote code execution and harvest credentials at scale.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Detection Strategies
| Name | Description | Technique Detected |
|---|---|---|
| Data Destruction via Mass Overwrite & Deletion | Detects mass file overwrites and deletions across Windows, Linux, macOS, AWS, ESXi, and container environments by correlating process creation, file deletion syscalls, and destructive API calls within a short time window. | T1485 Data Destruction |
| Behaviour-chain Detection for Deploy Container | Identifies unauthorized container deployments by correlating the API-driven sequence of create, start, and first network/process activity. Flags non-approved images, non-admin principals, or risky runtime attributes such as `--privileged` or host namespaces within a 5-minute window. | T1610 Deploy Container |
| Compromised Software / Update Chain | Chains installer/updater execution, file writes to program paths, first-run child processes with signature anomalies, and unexpected outbound egress across Windows, Linux, and macOS. Alerts when a newly installed binary spawns a shell or beacons to a non-approved host within 90 minutes. | T1195.002 Compromise Software Supply Chain |
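The three detection strategies above share one mechanism: correlating telemetry across a time window rather than alerting on a single event. The following Python block is an added illustration and is not the vendor's detection content or code. It implements two of the rows over constructed sample telemetry: a sliding-window count of file deletions per process (the T1485 row) and a behaviour chain from an installer's file write to the newly installed binary spawning a shell or connecting to a non-approved host (the T1195.002 row). The event schema, the paths, the thresholds and the approved-host list are assumptions chosen for the example.

```python
"""Windowed behaviour-chain correlation over constructed endpoint events.

Added example, not the vendor's detection logic. The Event schema,
thresholds, program-path prefixes and sample telemetry are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since epoch
    host: str
    pid: int
    ppid: int       # parent pid (assumed available from the EDR/auditd source)
    kind: str       # process_create | file_write | file_delete | net_connect
    detail: str     # image path, written/deleted path, or destination host


# Assumed "program paths" an installer writes into and shells worth flagging.
PROGRAM_PREFIXES = ("/opt/", "/usr/local/bin/", "C:\\Program Files\\")
SHELLS = {"/bin/sh", "/bin/bash", "cmd.exe", "powershell.exe"}


def detect_mass_deletion(events, threshold=50, window=60.0):
    """T1485-style: a single process deleting >= threshold files within `window` seconds.

    Uses a sliding window over the sorted deletion timestamps of each (host, pid),
    so a slow trickle of deletes spread over hours does not trigger.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e.kind == "file_delete":
            by_proc[(e.host, e.pid)].append(e.ts)
    alerts = []
    for key, stamps in by_proc.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:   # shrink window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def detect_installer_chain(events, approved_hosts, window=90 * 60.0):
    """T1195.002-style chain: file write to a program path -> that binary executes
    within `window` -> it spawns a shell or connects to a non-approved host."""
    installed = {}   # (host, image path) -> timestamp of the write
    fresh = {}       # (host, pid) -> image path of a recently installed binary
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.pid)
        if e.kind == "file_write" and e.detail.startswith(PROGRAM_PREFIXES):
            installed[(e.host, e.detail)] = e.ts
        elif e.kind == "process_create":
            wrote = installed.get((e.host, e.detail))
            if wrote is not None and e.ts - wrote <= window:
                fresh[key] = e.detail                      # first run of a new binary
            parent = fresh.get((e.host, e.ppid))
            if parent and e.detail in SHELLS:
                alerts.append(("T1195.002 shell spawn", e.host, parent, e.detail))
        elif e.kind == "net_connect":
            image = fresh.get(key)
            if image and e.detail not in approved_hosts:
                alerts.append(("T1195.002 egress", e.host, image, e.detail))
    return alerts


# Constructed sample telemetry: an installer drops /opt/agent/agent, which then
# spawns /bin/sh and beacons out; pid 300 wipes 60 files in 30 s; pid 400 is benign.
T0 = 1_700_000_000.0
SAMPLE = [
    Event(T0, "web01", 100, 1, "process_create", "/usr/bin/apt-get"),
    Event(T0 + 5, "web01", 100, 1, "file_write", "/opt/agent/agent"),
    Event(T0 + 60, "web01", 200, 1, "process_create", "/opt/agent/agent"),
    Event(T0 + 61, "web01", 201, 200, "process_create", "/bin/sh"),
    Event(T0 + 62, "web01", 200, 1, "net_connect", "203.0.113.10"),
    Event(T0 + 70, "web01", 200, 1, "net_connect", "updates.example.com"),
]
SAMPLE += [Event(T0 + 100 + i * 0.5, "web01", 300, 1, "file_delete", f"/srv/data/f{i}")
           for i in range(60)]
SAMPLE += [Event(T0 + 200 + i * 10, "web01", 400, 1, "file_delete", f"/tmp/t{i}")
           for i in range(5)]

if __name__ == "__main__":
    for a in detect_mass_deletion(SAMPLE):
        print("T1485 mass deletion:", a)
    for a in detect_installer_chain(SAMPLE, approved_hosts={"updates.example.com"}):
        print(*a)
```

The two detectors deliberately key on different things: the deletion count is per process, while the installer chain follows the binary across processes via the parent pid, which is what lets a shell spawned by the freshly written agent be tied back to the installer write that preceded it.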