UAT-10608 Campaign: Large-Scale Credential Harvesting Operation Exploiting Next.js Applications via CVE-2025-55182

credential harvesting, automated exploitation, NEXUS Listener, React2Shell, CVE-2025-55182

Cisco Talos has disclosed a large-scale automated credential harvesting campaign named UAT-10608. This campaign targets web applications, primarily those using Next.js, exploiting a vulnerability known as React2Shell (CVE-2025-55182) to gain initial access. The threat actor uses a framework called NEXUS Listener to systematically exploit and exfiltrate credentials, SSH keys, cloud tokens, and environment secrets from compromised hosts. The operation has affected at least 766 hosts across various geographic regions and cloud providers.

Indicators of Compromise

IPv4 (4)

144.172.102.88
172.86.127.128
144.172.112.136
144.172.117.112
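The four IPv4 indicators above can be applied directly to web-server access logs. The following is an added detection example written for this page; it is not code from the page, from Cisco Talos, or from SOCRadar. It assumes logs in the Apache/nginx "combined" format, and the log lines embedded in it are constructed samples (timestamps, paths and user agents are made up), not observed campaign traffic.

```python
"""Match web-server access-log entries against the UAT-10608 IPv4 indicators.

Added example, not code from the page, Cisco Talos or SOCRadar. Assumes the
Apache/nginx 'combined' log format; the sample lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# The four IPv4 indicators listed on the page for UAT-10608.
IOC_IPV4 = frozenset({
    "144.172.102.88",
    "172.86.127.128",
    "144.172.112.136",
    "144.172.117.112",
})

# Combined log format:
#   client ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not real traffic): two from IOC-listed sources,
# one from an unrelated client, one duplicate source, and one garbage line.
SAMPLE_LOG = [
    '144.172.102.88 - - [01/Jan/2026:08:14:02 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [01/Jan/2026:08:14:05 +0000] "GET /index HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '172.86.127.128 - - [01/Jan/2026:08:15:11 +0000] "POST /dashboard HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '144.172.102.88 - - [01/Jan/2026:08:15:40 +0000] "POST /login HTTP/1.1" 200 733 "-" "python-requests/2.32"',
    'not a log line',
]


def normalize_ip(raw):
    """Return the canonical text form of an IPv4/IPv6 address, or None if invalid."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def parse_log_line(line):
    """Parse one combined-format line into a dict; None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ip"] = normalize_ip(rec["ip"])
    if rec["ip"] is None:
        return None
    rec["status"] = int(rec["status"])
    return rec


def find_ioc_hits(lines, iocs=IOC_IPV4):
    """Group parsed records by source IP, keeping only IOC-listed sources."""
    wanted = {normalize_ip(i) for i in iocs} - {None}
    hits = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and rec["ip"] in wanted:
            hits[rec["ip"]].append(rec)
    return dict(hits)


def summarize_hits(hits):
    """Return (ip, request count, sorted unique paths), most active source first."""
    rows = [(ip, len(recs), sorted({r["path"] for r in recs}))
            for ip, recs in hits.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for ip, count, paths in summarize_hits(find_ioc_hits(SAMPLE_LOG)):
        print(f"{ip}: {count} request(s) to {', '.join(paths)}")
```

A match on one of these addresses is a high-confidence pivot rather than a complete detection: infrastructure in automated campaigns rotates, so a host that shows a hit should be reviewed for the exposure the page describes (environment files, SSH keys and cloud tokens) regardless of whether later requests came from listed addresses.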

APT Groups

UAT-10608 (CN)

Notes

Conclusion

The threat actor behind UAT-10608 demonstrates strategic adaptability by leveraging automated tools and exploiting specific vulnerabilities to maximize their impact. This adaptability allows them to target a wide range of web applications, resulting in the compromise of numerous hosts across different regions. The campaign's impact is significant, particularly for organizations using Next.js applications, as it leads to the exposure of sensitive credentials and potential unauthorized access to cloud services. To mitigate such threats, organizations should use SOCRadar IOC Radar (https://socradar.io/labs/app/ioc-radar) for investigating indicators, SOCRadar Dark Web Monitoring (https://socradar.io/products/dark-web-monitoring/) for detecting credential leaks, SOCRadar Cyber Threat Intelligence (https://socradar.io/products/cyber-threat-intelligence/) for tracking threat actor TTPs, SOCRadar Brand Protection (https://socradar.io/suites/digital-risk-protection/brand-protection/) for identifying phishing domains, and SOCRadar Attack Surface Management (https://socradar.io/products/attack-surface-management/) for maintaining visibility over exposed assets. These measures can help organizations better protect themselves against similar threats in the future.

Mitigation

Reference: MITRE ATT&CK (https://attack.mitre.org/)

M1047 Audit (https://attack.mitre.org/mitigations/M1047/)
Regularly record and analyze system configurations, user behaviors, and access permissions to detect anomalies and enforce security policies across systems, services, and cloud resources.
Techniques addressed: T1552 Unsecured Credentials; T1530 Data from Cloud Storage; T1562 Impair Defenses

M1035 Limit Access to Resource Over Network (https://attack.mitre.org/mitigations/M1035/)
Restrict access to network resources, APIs, and container services to only authorized users and accounts. Enforce ZTNA, VPN, firewalls, and network segmentation to reduce the attack surface.
Techniques addressed: T1190 Exploit Public-Facing App; T1552 Unsecured Credentials; T1610 Deploy Container

M1053 Data Backup (https://attack.mitre.org/mitigations/M1053/)
Take and securely store regular backups of critical data using immutable, offsite storage isolated from the production network to ensure recovery in the event of ransomware or data destruction.
Techniques addressed: T1485 Data Destruction; T1486 Data Encrypted for Impact; T1490 Inhibit System Recovery