
Operation PCPcat credential-exfiltration campaign

Campaign
Happening score: 59
1 unique source, 1 article

Summary


The Operation PCPcat campaign is now linked to industrial-scale data exfiltration, with defenders estimating 59,128 servers already breached. The operation leverages React2Shell / CVE-2025-55182 exploitation to harvest credentials and sensitive data from compromised environments. Its breadth and tooling point to a sustained intelligence-gathering effort rather than a single-victim intrusion.

Related Happenings

Google GTIG analysis of adversary AI use for exploit development and attack orchestration

Technical Analysis
First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: **Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...

CL-UNK-1068 years-long espionage campaign targeting Asian organizations

Campaign
First: 09.03.2026 09:21 Last: 09.03.2026 09:21 Sources 1

About this happening: A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...

Russian-speaking hacker AI-assisted FortiGate breach campaign

Campaign
First: 21.02.2026 15:50 Last: 21.02.2026 15:50 Sources 1

About this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

How related: The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), has been exploited by multiple threat actors, with Google identifying at least five China-nexus groups that have weaponized it to deliver an array of payloads -

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

UAT-7290 long-running telecom espionage campaign

Campaign
First: 08.01.2026 18:00 Last: 08.01.2026 18:00 Sources 1

About this happening: **UAT-7290** is running a **long-running cyber-espionage campaign** against **telecommunications providers** in South Asia, with recent expansion into Southeastern Europe. The ope...

Timeline

  1. 16.12.2025 10:21 · 2 articles

    Operation PCPcat React2Shell campaign expands

    Campaign Scope Update

    React2Shell/CVE-2025-55182 exploitation has been linked to the Operation PCPcat campaign, with Linux backdoors such as KSwapDoor and ZnDoor, credential theft, secret discovery using TruffleHog and Gitleaks, reverse shells, SOCKS5 proxying, Cloudflare Tunnel evasion, and persistence on compromised hosts. Defenders estimate 59,128 breached servers and track more than 111,000 vulnerable IP addresses, while activity has also been associated with Japan and multiple China-nexus groups.
