Mass Exploitation of React2Shell: Inside the UAT-10608 Credential Harvesting Campaign

Cisco Talos has identified a large-scale, automated credential harvesting operation conducted by a threat cluster tracked as UAT-10608. The campaign systematically exploits a pre-authentication remote code execution (RCE) vulnerability in React Server Components (RSC), primarily targeting Next.js applications. Using a custom framework dubbed “NEXUS Listener,” the actors have compromised at least 766 hosts across various geographic regions and cloud providers to exfiltrate highly sensitive secrets.

Severity: High

Threat Actor Profile & Methodology

  • Threat Cluster: UAT-10608.
  • Primary Objective: Mass automated extraction and exfiltration of credentials, SSH keys, cloud tokens, and environment secrets.
  • Targeting Pattern: Indiscriminate scanning of public-facing web applications, likely utilizing services such as Shodan or Censys to identify vulnerable Next.js deployments.
  • Exploitation Vector: CVE-2025-55182 (React2Shell). This vulnerability allows for arbitrary code execution in the server-side Node.js process by sending malicious serialized payloads to unauthenticated Server Function endpoints.
  • Automated Post-Exploitation Framework:
    Once access is gained, the operation becomes fully automated:
    • A lightweight dropper is deployed, which retrieves a multi-phase credential harvesting script.
    • Scripts are executed stealthily using: /bin/sh -c nohup sh /tmp/..sh
    • No manual interaction is required after exploitation, enabling rapid scaling across hundreds of hosts.
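The execution pattern above (a shell spawned by the Node.js server that runs a dot-prefixed, randomly named script under /tmp via nohup) is something a responder can triage directly from a process listing. The following is an added example, not code from Talos or from this advisory: it parses constructed `ps -eo pid,ppid,user,args` output, flags the two artifacts described above, and walks the parent chain to report whether the shell descends from a Node.js process. The PIDs, the script name and the allowlisted workflow name are made up for the example.

```javascript
'use strict';

// Constructed sample of `ps -eo pid,ppid,user,args` output from a Next.js host.
// PIDs, user names and the script name are invented for this example.
const SAMPLE_PS = [
  '  PID  PPID USER     ARGS',
  '    1     0 root     /sbin/init',
  '  812     1 app      node server.js',
  ' 4411   812 app      /bin/sh -c nohup sh /tmp/.e40e7da0c.sh',
  ' 4412  4411 app      sh /tmp/.e40e7da0c.sh',
  ' 4500     1 app      nohup node scripts/nightly-report.js',
  ' 4600     1 root     /usr/sbin/cron',
].join('\n');

// Dot-prefixed, randomized file name under /tmp (the advisory's example is /tmp/.e40e7da0c.sh).
const TMP_DOT_SCRIPT = /\/tmp\/\.[A-Za-z0-9]{6,}(?:\.sh)?\b/;
// nohup anywhere in the command line, as a whole word.
const NOHUP = /(^|\s)nohup(\s|$)/;

// Parse the listing into a pid -> {pid, ppid, user, args} map.
function parsePs(text) {
  const procs = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || /^PID\s+PPID/.test(line)) continue;
    const [pid, ppid, user, ...args] = line.split(/\s+/);
    procs.set(Number(pid), { pid: Number(pid), ppid: Number(ppid), user, args: args.join(' ') });
  }
  return procs;
}

// Walk the parent chain and report whether any ancestor is a Node.js process,
// i.e. the shell was spawned from the application server itself.
function spawnedByNode(procs, proc) {
  const seen = new Set();
  let cur = procs.get(proc.ppid);
  while (cur && !seen.has(cur.pid)) {
    seen.add(cur.pid);
    if (/^(\S*\/)?node(\s|$)/.test(cur.args)) return true;
    cur = procs.get(cur.ppid);
  }
  return false;
}

// Return one finding per suspicious process. knownNohupWorkflows is an allowlist of
// substrings identifying nohup invocations that are part of legitimate operations.
function triageProcessListing(text, knownNohupWorkflows = []) {
  const procs = parsePs(text);
  const findings = [];
  for (const proc of procs.values()) {
    const reasons = [];
    if (TMP_DOT_SCRIPT.test(proc.args)) reasons.push('dot-prefixed script executed from /tmp');
    if (NOHUP.test(proc.args) && !knownNohupWorkflows.some((w) => proc.args.includes(w))) {
      reasons.push('nohup invocation outside known workflows');
    }
    if (reasons.length === 0) continue;
    findings.push({
      pid: proc.pid,
      user: proc.user,
      args: proc.args,
      reasons,
      spawnedByNode: spawnedByNode(procs, proc),
    });
  }
  return findings;
}

// Demo run over the constructed listing; 'scripts/nightly-report.js' is an assumed known workflow.
for (const f of triageProcessListing(SAMPLE_PS, ['scripts/nightly-report.js'])) {
  const origin = f.spawnedByNode ? 'descends from node' : 'other parent';
  console.log(`pid ${f.pid} (${f.user}, ${origin}): ${f.args} -> ${f.reasons.join('; ')}`);
}
```

On a live host, feed it the output of `ps -eo pid,ppid,user,args` instead of `SAMPLE_PS`; the "descends from node" flag is the strongest signal, because a legitimate cron or deploy job is rarely a child of the application server process.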

Nexus Listener

The operation relies on a centralized C2 framework called NEXUS Listener to manage stolen data:

  • Data Management: Features a web-based GUI (currently at version 3) that provides operators with analytical insights, search capabilities, and statistics on compromised hosts.
  • Staged Delivery: Initial exploitation drops a small dropper in /tmp with a randomized name, which then fetches a multi-phase shell script to perform the actual harvesting.
  • Exfiltration Mechanism: After each collection phase, the script makes an HTTP request back to the C2 (typically on port 8080) containing the victim’s hostname and the specific phase ID.

Stolen Data Categories

  • Environment Secrets: Files like environ.txt and jsenv.txt contain API keys for AI platforms (OpenAI, Anthropic), payment processors (Stripe), and communication platforms (Telegram, SendGrid).
  • Cloud & Infrastructure: The script queries IMDS for AWS, GCP, and Azure to obtain IAM role-associated temporary credentials. It also harvests Kubernetes service account tokens.
  • Lateral Movement: 78% of hosts yielded PEM-encoded SSH private keys, posing a severe risk for lateral movement within shared key infrastructures.
  • Supply Chain Risk: Evidence of package registry authentication (npm, pip) was found, which could enable attackers to publish malicious package versions.

Recommendations

  1. Patch React2Shell (CVE-2025-55182) immediately in all Next.js/React Server Component environments.
  2. Strictly use the NEXT_PUBLIC_ prefix only for variables intended to be public, and audit all existing variables for misclassification.
  3. Review getServerSideProps and getStaticProps to ensure no secrets or server-only environment variables are passed to client components.
  4. Utilize native secret scanning services from providers like AWS and GitHub to detect and alert on exposed credentials.
  5. Enable IMDSv2 (AWS) to prevent metadata service abuse.
  6. Avoid reusing SSH key pairs across different systems or environments.
  7. Implement Runtime Application Self-Protection (RASP) or Web Application Firewall (WAF) rules tuned for Next.js attack patterns, specifically targeting SSR data injection points.
  8. Organizations should investigate for the following artifacts on web application hosts:
    • Unexpected processes spawned from /tmp/ with randomized dot-prefixed names (e.g., /tmp/.e40e7da0c.sh)
    • nohup invocations in process listings not associated with known application workflows
    • Unusual outbound HTTP/S connections from application containers to non-production endpoints
    • Evidence of `__NEXT_DATA__` containing server-side secrets in rendered HTML
  9. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/58a9032adb22520f4b18d8e037bdf4666a99f5de17d7a3d2338ba16720cef055/iocs
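Recommendations 2 and 3 are both audits a team can script rather than do by eye: every `NEXT_PUBLIC_` variable is bundled into the browser, so a secret under that prefix is public, and anything returned from `getServerSideProps`/`getStaticProps` in `props` reaches the client as well. The following is an added example, not code from Talos, Ampcus or the Next.js project: it checks a constructed `.env` file for public-prefixed variables that look like secrets (by name, or by a well-known credential prefix in the value), and scans a constructed page source for `process.env` references placed inside a `props:` object. The secret-name word list and the `.env`/page contents are assumptions made for the example, and all values are placeholders.

```javascript
'use strict';

// Constructed .env file for the example (all values are placeholders, not real keys).
const SAMPLE_ENV = `
# public, fine
NEXT_PUBLIC_API_BASE=https://api.example.com
NEXT_PUBLIC_SENTRY_DSN=https://public@o0.ingest.example.com/1
# misclassified: secret-looking name under the public prefix
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_PLACEHOLDER
# misclassified: neutral name, but the value carries a well-known secret-key prefix
NEXT_PUBLIC_AI_CLIENT=sk-ant-PLACEHOLDER
# correct: server-only
STRIPE_SECRET_KEY=sk_live_PLACEHOLDER
OPENAI_API_KEY=sk-PLACEHOLDER
`;

// Constructed page source in which getServerSideProps hands a server-only variable to the client.
const SAMPLE_PAGE = `
export async function getServerSideProps() {
  const res = await fetch(process.env.INTERNAL_API, {
    headers: { Authorization: process.env.OPENAI_API_KEY },
  });
  return {
    props: { items: await res.json(), apiKey: process.env.OPENAI_API_KEY, base: process.env.NEXT_PUBLIC_API_BASE },
  };
}
`;

// Name fragments that usually denote a secret (assumed list; extend for your own naming scheme).
const SECRET_NAME = /(SECRET|TOKEN|PRIVATE|PASSWORD|PASSWD|API_KEY|ACCESS_KEY)/i;
// Well-known prefixes of long-lived credentials: Stripe, Anthropic, OpenAI, SendGrid, AWS access key IDs.
const SECRET_VALUE = /^(sk_live_|sk_test_|sk-ant-|sk-|SG\.|AKIA)/;

// Report NEXT_PUBLIC_ variables that should never have been public.
function auditEnv(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    if (!name.startsWith('NEXT_PUBLIC_')) continue; // only public vars reach the browser bundle
    const reasons = [];
    if (SECRET_NAME.test(name)) reasons.push('secret-like name');
    if (SECRET_VALUE.test(value)) reasons.push('value has a known credential prefix');
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Find process.env.* references inside the object literal that follows `props:` and
// report the ones that are not NEXT_PUBLIC_ (those are server-only and would be serialized
// into the page for the client). Brace matching is good enough for typical page files.
function auditProps(source) {
  const leaked = new Set();
  const re = /\bprops\s*:\s*\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1;
    let i = re.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}') depth--;
      i++;
    }
    const body = source.slice(re.lastIndex, i);
    for (const ref of body.matchAll(/process\.env\.([A-Z0-9_]+)/g)) {
      if (!ref[1].startsWith('NEXT_PUBLIC_')) leaked.add(ref[1]);
    }
  }
  return [...leaked].sort();
}

// Demo run over the constructed inputs.
for (const f of auditEnv(SAMPLE_ENV)) console.log(`.env: ${f.name} -> ${f.reasons.join('; ')}`);
for (const v of auditProps(SAMPLE_PAGE)) console.log(`props: server-only ${v} is passed to the client`);
```

Run the two checks over real `.env*` files and `pages/**` sources in CI; `auditProps` intentionally ignores `process.env` use elsewhere in the function (reading a key to call an API server-side is fine), and only flags what is placed in the returned `props`.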

Source:

  • https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/

Ampcus Cyber