UAT-10608 Next.js credential-theft campaign
Campaign
Summary
The UAT-10608 campaign is rapidly stealing credentials from vulnerable Next.js apps after exploitation of CVE-2025-55182, exposing cloud accounts and secrets. The operators use NEXUS Listener to automate harvesting and exfiltration across 766 compromised hosts in 24 hours. The scale of the operation raises risk of account takeover, lateral movement, and supply-chain abuse.
Related Happenings
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
How related:
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
How related:
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
UAT-8837 campaign targeting North American critical infrastructure for initial access
Campaign
First: 16.01.2026 09:18
Last: 16.01.2026 09:18
Sources 1
About this happening:
**UAT-8837** is a **China-nexus** campaign targeting **North American critical infrastructure** for **initial access**, with activity reported since **at least 2025**. The actor g...
UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations
Threat Actor Meta
First: 08.01.2026 16:54
Last: 08.01.2026 16:54
Sources 1
About this happening:
**UAT-7290** is being assessed as a **dual-role** China-nexus actor that combines **espionage intrusions** with **initial access** activity, expanding the threat ecosystem beyond...
Timeline
05.04.2026 17:17 · 2 articles
UAT-10608 Next.js credential-theft campaign
Campaign Scope Update
A large-scale credential-theft campaign targeting vulnerable Next.js apps used React2Shell (CVE-2025-55182) to breach systems, deploy a multi-phase harvesting script in a temporary directory, and exfiltrate database credentials, AWS credentials, SSH private keys, API keys, cloud tokens, environment secrets, Kubernetes tokens, Docker or container information, command history, and process or runtime data. Cisco Talos attributed the activity to UAT-10608, identified NEXUS Listener as the command-and-control framework, and reported that the automated operation compromised 766 hosts within a 24-hour period across multiple cloud providers and geographies.
Sources
- Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
- Automated Credential Harvesting Campaign Exploits React2Shell Flaw — www.darkreading.com — 06.04.2026 18:31