A highly automated and ruthlessly efficient cyber-espionage campaign is tearing through the cloud infrastructure of modern web applications, leaving tens of thousands of compromised servers in its wake. A new report from The Beelzebub Research Team details the discovery of “PCPcat,” a campaign that has weaponized vulnerabilities in the popular Next.js and React frameworks to achieve a staggering infection rate.
Discovered via a Docker honeypot, the campaign is characterized by its blistering speed. By exploiting CVE-2025-29927 and CVE-2025-66478, the attackers have managed to compromise 59,128 servers in less than two days.
The attack group, identified by the signature “PCP” found in their files, is not merely defacing websites. They are conducting a massive data-harvesting operation. The malware systematically hunts for the “keys to the kingdom”: cloud credentials, SSH keys, and .env files holding environment variables, all of which let the attackers pivot deeper into the victim’s network and cloud accounts.
“The campaign shows characteristics of large-scale intelligence operations and data exfiltration on an industrial scale,” the report states.
The attackers utilize a sophisticated exploit chain involving JSON payload manipulation and prototype pollution to achieve Remote Code Execution (RCE). Once inside, the malware installs a persistent backdoor using GOST (a tunnelling tool used here as a SOCKS5 proxy) and FRP (Fast Reverse Proxy), giving the operators an inbound path to the host and effectively turning the compromised server into a zombie node in their botnet.
What shocked researchers most was the efficiency of the campaign. Unlike “spray and pray” attacks that often have low yield, PCPcat is hitting its targets with terrifying accuracy.
“CRITICAL FINDING: Through direct reconnaissance of the active C2 server, we confirmed that this campaign has already compromised 59,128 servers in less than 48 hours, with a 64.6% exploitation success rate.”
This anomalously high success rate suggests either that the attackers are working from a highly curated target list, or that the vulnerability is both extremely widespread and largely unpatched.
Ironically, while the attackers are exploiting security gaps in others, their own infrastructure is wide open. The researchers found that the Command and Control (C2) API, hosted in Singapore, lacked basic authentication.
“No authentication/authorization: Anyone can access endpoints,” the analysis revealed.
This oversight allowed researchers to query the C2 server directly, exposing the full scope of the operation. They discovered that the campaign’s “random_ips” mode was scanning over 91,000 targets, revealing a complete lack of discrimination in who it attacked.
The implications of this speed are dire. With the campaign processing roughly 32 batches of targets per day, the infection count is climbing by the hour.
“At the current pace, the campaign could compromise over 1.2 million servers within a month.”
Organizations running public-facing Next.js or React applications are urged to patch to the fixed releases for both CVEs immediately, block the identified C2 IP (67.217.57.240) at the egress firewall, and check for the GOST/FRP tunnels the campaign leaves behind. Patching alone does not revoke anything already harvested: any cloud credentials, SSH keys, or .env secrets present on a compromised host should be treated as exposed and rotated.
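A small host-triage script that turns the three actions above into checks, written for this article as an added example (it is not code from the Beelzebub report or from the Next.js/React projects). It flags outbound sockets to the reported C2 address, running GOST/FRP processes (the persistence tooling named in the report), Next.js versions that predate the fix for CVE-2025-29927 (fixed releases 15.2.3 / 14.2.25 / 13.5.9 / 12.3.5, per Vercel’s advisory; the same function takes any other fixed-version table, e.g. one built from the React advisory for CVE-2025-66478), and which .env variables need rotating. The `ss`, `ps` and `.env` samples are constructed, not captured from a real host.

```python
"""Host-triage helpers for the PCPcat indicators named in the report above.

Added example for this article, not code from the Beelzebub report.
The ss / ps / .env samples at the bottom are constructed, not real captures.
"""
import os
import re

C2_IP = "67.217.57.240"                     # C2 address reported in the article
TUNNEL_BINARIES = {"gost", "frpc", "frps"}  # GOST and FRP client/server binary names

# First fixed release per major line for CVE-2025-29927 (Next.js middleware bypass),
# per Vercel's advisory. Majors absent from the table (e.g. 16.x) yield None:
# confirm against the advisory instead of guessing. Pass another table for
# another CVE (e.g. one built from the React advisory for CVE-2025-66478).
NEXT_FIXED_CVE_2025_29927 = {15: (15, 2, 3), 14: (14, 2, 25), 13: (13, 5, 9), 12: (12, 3, 5)}


def parse_version(spec: str) -> tuple:
    """Turn '^15.2.2' / 'v14.2.25' into a comparable (major, minor, patch) tuple."""
    core = spec.strip().lstrip("^~=v<>").split("-")[0]   # drop range prefix and prerelease tag
    parts = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def next_is_vulnerable(spec: str, fixed=NEXT_FIXED_CVE_2025_29927):
    """True if the version predates the fix for its major line, False if at/after it,
    None if the table has no entry for that major or the version is a prerelease
    (semver orders '15.2.3-canary.1' before 15.2.3, so we do not guess)."""
    core = spec.strip().lstrip("^~=v<>")
    if "-" in core:
        return None
    v = parse_version(core)
    fixed_for_major = fixed.get(v[0])
    if fixed_for_major is None:
        return None
    return v < fixed_for_major


def find_c2_connections(ss_output: str, c2_ip: str = C2_IP) -> list:
    """Return the lines of `ss -tnp` output whose peer address is the C2 IP."""
    hits = []
    for line in ss_output.splitlines():
        cols = line.split()
        # ss -tnp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        if len(cols) >= 5 and cols[4].rsplit(":", 1)[0] == c2_ip:
            hits.append(line.strip())
    return hits


def find_tunnel_processes(ps_output: str) -> list:
    """Return `ps -eo pid,user,args` lines whose executable is gost/frpc/frps.
    A renamed binary will not match here; the socket check is the complement."""
    hits = []
    for line in ps_output.splitlines()[1:]:   # skip the ps header line
        cols = line.split(None, 2)
        if len(cols) == 3 and os.path.basename(cols[2].split()[0]) in TUNNEL_BINARIES:
            hits.append(line.strip())
    return hits


SECRET_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL", re.I)
URL_CRED_RE = re.compile(r"://[^/:@\s]+:[^@\s]+@")   # user:pass@ embedded in a URL value


def rotation_candidates(env_text: str) -> list:
    """Names of .env variables holding a secret, by name or by a user:pass@ URL value."""
    names = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        if name.startswith("export "):
            name = name[len("export "):].strip()
        if SECRET_NAME_RE.search(name) or URL_CRED_RE.search(value):
            names.append(name)
    return names


# --- constructed samples (not from a real host) -------------------------------
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB 0      0      10.0.0.5:43122      67.217.57.240:443 users:(("gost",pid=1337,fd=7))
ESTAB 0      0      10.0.0.5:3000       203.0.113.9:52811 users:(("next-server",pid=412,fd=21))
"""
SAMPLE_PS = """\
  PID USER     COMMAND
  412 node     node /app/node_modules/.bin/next start
 1337 node     /tmp/.x/gost -L socks5://:1080
 1340 node     /tmp/.x/frpc -c /tmp/.x/frpc.ini
"""
SAMPLE_ENV = """\
# constructed sample .env
DATABASE_URL=postgres://app:hunter2@db:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
NEXTAUTH_SECRET=changeme
NEXT_PUBLIC_API_BASE=https://api.example.test
LOG_LEVEL=info
"""


def triage(ss_output=SAMPLE_SS, ps_output=SAMPLE_PS, env_text=SAMPLE_ENV, next_version="^15.2.2"):
    """Bundle the checks into one report dict for the given host inputs."""
    return {
        "c2_connections": find_c2_connections(ss_output),
        "tunnel_processes": find_tunnel_processes(ps_output),
        "rotate": rotation_candidates(env_text),
        "next_vulnerable_29927": next_is_vulnerable(next_version),
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

On a real host, feed `triage()` the output of `ss -tnp`, `ps -eo pid,user,args`, the application’s `.env` and the `next` entry from `package.json`. A hit on the socket check is the one to act on first, since it shows the tunnel is live regardless of what the binary was renamed to.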