Dark Reading
Automated Credential Harvesting Campaign Exploits React2Shell Flaw
An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.
Elizabeth Montalbano, Contributing Writer
April 6, 2026
3 Min Read
A global cross-industry credential theft campaign is exploiting public-facing Web applications vulnerable to React2Shell and then deploying an automated collection tool to steal credentials and other valuable system data for further malicious activity.
Researchers at Cisco Talos discovered the campaign, which they attribute to a threat cluster tracked as UAT-10608 and that uses an automated credential-harvesting framework dubbed "NEXUS Listener," according to a report published last week.
"The systematic exploitation and exfiltration campaign has resulted in the compromise of at least 766 hosts, as of time of writing, across multiple geographic regions and cloud providers," Cisco analysts Asheer Malhotra and Brandon White wrote in the post.
Attackers gain initial access to victims' networks by targeting Next.js Web applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution (RCE) flaw better known as React2Shell that was discovered, and then widely exploited, late last year. React2Shell affects React Server Components (RSCs); when exploited, it lets affected endpoints deserialize payloads from inbound HTTP requests without adequate validation or sanitization.
After successful compromise, attackers then deploy NEXUS Listener to steal credentials, SSH keys, cloud tokens, and environment secrets at scale from a system. They can then access this data in the tool's graphical user interface (GUI) that includes in-depth statistics and search capabilities to allow them to sift through it at will.
Partially Automated Attack Sequence
The campaign, which spans various industries and geographies, appears to be the work of skilled threat actors who use automation tools and services at their disposal to identify vulnerable systems and cast the widest attack net possible, the researchers observed.
"The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities," they wrote.
Attackers only engage in the initial part of the attack before letting NEXUS Listener take over. The attack begins with identification of a publicly accessible Web app using a vulnerable version of RSCs or a framework built on top of it, such as Next.js.
Attackers then craft a malicious serialized payload for React2Shell exploitation and deliver it in an HTTP request sent directly to a Server Function endpoint, which requires no authentication, they said. "The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process," the researchers wrote.
Powerful Automation Tool
Once attackers identify a vulnerable endpoint, there is no further manual interaction, with NEXUS Listener taking over to extract and exfiltrate credentials harvested from the system. The framework acts as both a command-and-control (C2) platform and an analytics dashboard.
"This structured data collection significantly enhances the operational value of the breach, effectively turning stolen credentials into a searchable intelligence dataset," the researchers wrote.
Because the tool gives attackers a detailed map of victim infrastructure, including services, cloud usage, and integrations, it opens up a range of options for follow-on activity. According to the researchers, these include further attacks, social engineering campaigns, and the sale of access to other threat actors.
Defense Recommendations
Defending against UAT-10608's credential theft campaign begins with patching CVE-2025-55182 in all Next.js deployments; the fact that attacks continue indicates that many affected organizations still have not done so.
Defenders should also rotate all potentially exposed credentials and API keys, enforce least-privilege access, and avoid SSH key reuse to mitigate malicious activity like that conducted by the threat cluster, the researchers said. They should also restrict access to cloud metadata services, implement secrets scanning, and monitor for anomalous activity.
Security teams also can investigate for specific artifacts of a UAT-10608 attack on Web application hosts, including the following: unexpected processes spawned from /tmp/ with randomized dot-prefixed names, nohup invocations in process listings not associated with known application workflows, unusual outbound HTTP/S connections from application containers to non-production endpoints, and evidence of __NEXT_DATA__ containing server-side secrets in rendered HTML, according to Cisco Talos.
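As an added illustration, not code from Cisco Talos or from the article, the following Python triage helper checks a process listing for the /tmp/ dot-prefixed executables and nohup invocations described above, and checks rendered HTML for __NEXT_DATA__ entries whose key names look like server-side secrets. The process listing, HTML page, and secret value are constructed samples.

```python
import json
import re

# Constructed sample of `ps -eo pid,ppid,comm,args` output (not real campaign data).
PS_SAMPLE = """\
  PID  PPID COMMAND         ARGS
    1     0 node            node server.js
  412     1 .x8f2k1         /tmp/.x8f2k1
  413   412 sh              nohup /tmp/.x8f2k1 -c /tmp/.cfg
  420     1 next-server     /usr/bin/node /app/node_modules/.bin/next start
"""

# Constructed rendered page whose __NEXT_DATA__ blob leaks a server-side secret name.
HTML_SAMPLE = """<html><body><script id="__NEXT_DATA__" type="application/json">
{"props":{"pageProps":{"user":"alice","AWS_SECRET_ACCESS_KEY":"EXAMPLE_PLACEHOLDER"}},"page":"/"}
</script></body></html>"""

TMP_DOTFILE = re.compile(r"(?:^|\s)/tmp/\.[A-Za-z0-9_]+")          # /tmp/.<random>
SECRET_KEY = re.compile(r"secret|token|password|api[_-]?key|private[_-]?key", re.I)

def suspicious_processes(ps_output: str) -> list[dict]:
    """Flag processes executed from /tmp/ dot-prefixed paths or wrapped in nohup."""
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, _ppid, _comm, args = parts
        reasons = []
        if TMP_DOTFILE.search(args):
            reasons.append("exec from /tmp/ dot-prefixed path")
        if re.search(r"\bnohup\b", args):
            reasons.append("nohup invocation")
        if reasons:
            findings.append({"pid": int(pid), "args": args, "reasons": reasons})
    return findings

def leaked_next_data_keys(html: str) -> list[str]:
    """Return dotted paths of __NEXT_DATA__ keys whose names look like secrets."""
    m = re.search(r'<script id="__NEXT_DATA__"[^>]*>(.*?)</script>', html, re.S)
    if not m:
        return []
    hits: list[str] = []
    def walk(node, path=""):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}" if path else k
                if SECRET_KEY.search(k):
                    hits.append(p)
                walk(v, p)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
    walk(json.loads(m.group(1)))
    return hits
```

Feed real `ps` output and a fetched page into the two functions to get a first-pass list of hosts worth a closer look; the key-name heuristic only catches obvious secret names, so treat a hit as a lead rather than proof.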
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.