Dark Reading

Automated Credential Harvesting Campaign Exploits React2Shell Flaw


An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.

Elizabeth Montalbano, Contributing Writer
April 6, 2026
3 Min Read

Source: Victor Koldunov via Alamy Stock Photo

A global cross-industry credential theft campaign is exploiting public-facing Web applications vulnerable to React2Shell and then deploying an automated collection tool to steal credentials and other valuable system data for further malicious activity.

Researchers at Cisco Talos discovered the campaign, which they attribute to a threat cluster tracked as UAT-10608 that uses an automated credential-harvesting framework dubbed "NEXUS Listener," according to a report published last week.

"The systematic exploitation and exfiltration campaign has resulted in the compromise of at least 766 hosts, as of time of writing, across multiple geographic regions and cloud providers," Cisco analysts Asheer Malhotra and Brandon White wrote in the post.
Attackers target Next.js Web applications vulnerable to CVE-2025-55182 — a pre-authentication remote code execution (RCE) flaw better known as React2Shell that was discovered and then widely exploited late last year — to gain initial access to victims' networks. React2Shell affects React Server Components (RSCs) and, if exploited, allows affected endpoints to deserialize payloads from inbound HTTP requests without adequate validation or sanitization.

After successful compromise, attackers deploy NEXUS Listener to steal credentials, SSH keys, cloud tokens, and environment secrets at scale from the system. They can then access this data in the tool's graphical user interface (GUI), which includes in-depth statistics and search capabilities that let them sift through it at will.

Partially Automated Attack Sequence

The campaign, which spans various industries and geographies, appears to be the work of skilled threat actors who use the automation tools and services at their disposal to identify vulnerable systems and cast the widest attack net possible, the researchers observed.

"The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities," they wrote.

Attackers only engage in the initial part of the attack before letting NEXUS Listener take over. The attack begins with identification of a publicly accessible Web app using a vulnerable version of RSCs or a framework built on top of it, such as Next.js. Attackers then craft a malicious serialized payload for React2Shell exploitation and deliver it in an HTTP request sent directly to a Server Function endpoint, which requires no authentication, they said.
"The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process," the researchers wrote.

Powerful Automation Tool

Once attackers identify a vulnerable endpoint, there is no further manual interaction: NEXUS Listener takes over to extract and exfiltrate credentials harvested from the system. The framework acts as both a command-and-control (C2) platform and an analytics dashboard.

"This structured data collection significantly enhances the operational value of the breach, effectively turning stolen credentials into a searchable intelligence dataset," the researchers wrote.

The tool's capabilities give attackers a range of options for follow-up activity, because they can view a detailed map of victim infrastructure — including services, cloud usage, and integrations. These options include further attacks, social engineering campaigns, and sale of access to other threat actors, according to the researchers.

Defense Recommendations

Defending against UAT-10608's credential theft campaign begins with patching CVE-2025-55182 in all Next.js deployments, which, judging by the continuing attacks, many affected organizations still haven't done.

Defenders also should rotate all potentially exposed credentials and API keys, enforce least-privilege access, and avoid SSH key reuse to mitigate activity like that conducted by the threat cluster, the researchers said. They also should restrict access to cloud metadata services, implement secrets scanning, and monitor for anomalous activity to avoid compromise.
Security teams also can investigate for specific artifacts of a UAT-10608 attack on Web application hosts, according to Cisco Talos, including the following:

- unexpected processes spawned from /tmp/ with randomized dot-prefixed names;
- nohup invocations in process listings not associated with known application workflows;
- unusual outbound HTTP/S connections from application containers to non-production endpoints; and
- evidence of __NEXT_DATA__ containing server-side secrets in rendered HTML.
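A host-triage script for the artifacts Talos lists above, added here as an example (it is not Talos's tooling or code from the article): it flags dot-prefixed executables under /tmp/ and nohup invocations absent from an allowlist in a constructed ps listing, and walks a constructed __NEXT_DATA__ blob for secret-looking key names. The ps rows, the HTML and the secret-name pattern are assumptions to tune for a real environment.

```python
import json
import re

# Constructed sample of `ps -eo pid,ppid,args` output; not taken from the Talos report.
SAMPLE_PS = """\
  PID  PPID COMMAND
  842     1 node /srv/app/node_modules/.bin/next start
 1190   842 /tmp/.a8f3kq2z
 1204   842 nohup /tmp/.x91bt7 > /dev/null 2>&1
 1312     1 /usr/sbin/sshd -D
"""
# Constructed rendered page whose __NEXT_DATA__ blob carries a server-side value.
SAMPLE_HTML = ('<html><body><script id="__NEXT_DATA__" type="application/json">'
               '{"props":{"pageProps":{"user":"alice","dbPassword":"hunter2"}}}</script></body></html>')

TMP_DOT_RE = re.compile(r"(?:^|\s)/tmp/\.[\w-]+")     # dot-prefixed file under /tmp/
NOHUP_RE = re.compile(r"(?:^|\s)nohup\s")
SECRET_KEY_RE = re.compile(r"secret|token|password|passwd|api[_-]?key|private[_-]?key", re.I)
NEXT_DATA_RE = re.compile(r'<script[^>]*id="__NEXT_DATA__"[^>]*>(.*?)</script>', re.S)

def suspicious_processes(ps_output, known_workflows=()):
    """Flag /tmp/ dot-prefixed executables and nohup runs not tied to an allowlisted workflow."""
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, ppid, cmd = parts
        reasons = []
        if TMP_DOT_RE.search(cmd):
            reasons.append("dot-prefixed executable under /tmp/")
        if NOHUP_RE.search(cmd) and not any(w in cmd for w in known_workflows):
            reasons.append("nohup invocation outside known workflows")
        if reasons:
            findings.append({"pid": int(pid), "ppid": int(ppid), "cmd": cmd, "reasons": reasons})
    return findings

def leaked_next_data_keys(html):
    """Return dotted key paths inside __NEXT_DATA__ whose names look like secrets."""
    match = NEXT_DATA_RE.search(html)
    hits = []
    def walk(node, path):                            # recurse through dicts and lists of the JSON tree
        kids = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
        for key, value in kids:
            child = f"{path}[{key}]" if isinstance(key, int) else (f"{path}.{key}" if path else key)
            if isinstance(key, str) and SECRET_KEY_RE.search(key):
                hits.append(child)
            walk(value, child)
    walk(json.loads(match.group(1)) if match else {}, "")
    return hits
```

Feed it real `ps` output and the HTML of a rendered page; a hit on either function is a lead to investigate, not proof of compromise.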
