UAT-10608: Large-Scale Automated Credential Harvesting Operation Targeting Web Applications
Summary: Cisco Talos has uncovered a massive automated credential harvesting operation conducted by a threat actor network tracked as ‘UAT-10608’. The operation relies heavily on the ‘NEXUS Listener’ framework to extract and exfiltrate credentials from various web applications, and up to 766 compromised hosts have been identified across multiple geographic regions and cloud providers. The attacks start by probing Next.js applications vulnerable to CVE-2025-55182 (React2Shell) to gain initial access; a multi-phase tool is then deployed to extract database credentials, SSH keys, and AWS tokens.
Key facts
- UAT-10608 is a large-scale, automated credential harvesting operation.
- The NEXUS Listener framework is used to extract and exfiltrate credentials.
- Up to 766 compromised hosts across multiple geographic regions and cloud providers.
- Initial access is obtained through Next.js applications vulnerable to CVE-2025-55182 (React2Shell).
Why it matters
This operation poses a significant risk to sensitive data across multiple organizations, as it exposes database credentials, SSH keys, and AWS tokens harvested from compromised hosts. Mitigation measures include patching the known vulnerability used for initial access (CVE-2025-55182) and implementing stronger security practices.
Key metrics (credential types recovered, as a share of the 766 compromised hosts)
- Database credentials: ~701 (91.5%)
- Private SSH keys: ~599 (78.2%)
- AWS credentials: ~196 (25.6%)