NEXUS Listener victims list | Image: Cisco Talos
Cisco Talos has revealed a major automated credential harvesting campaign, tracked as UAT-10608, that has already compromised at least 766 hosts across multiple cloud providers and geographic regions.
The campaign is characterized by its “indiscriminate targeting pattern,” relying on automated scanners to find vulnerable entry points. The attackers are specifically hunting for Next.js applications vulnerable to a security flaw known as React2Shell (CVE-2025-55182) to gain their initial foothold.
Once inside, the threat actor deploys a sophisticated collection framework dubbed “NEXUS Listener”. This tool isn’t just a simple script; it is a multi-phase harvester designed to suck up every piece of sensitive data it can find, including:
- SSH Keys and Cloud Tokens.
- Environment Secrets and database credentials.
- Package Registry Tokens (like npm and pip), which could enable devastating supply chain attacks.
What sets UAT-10608 apart is its professionalized backend. The stolen information is funneled to a command-and-control (C2) server featuring a web-based graphical user interface (GUI).
As Cisco Talos researchers describe:
“The C2 hosts a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised”.
The true danger of this campaign lies in the “intelligence value” of the aggregate data. By harvesting environment secrets and cloud tokens at scale, the attackers aren’t just getting passwords; they are building a comprehensive blueprint of a victim’s entire digital ecosystem.
The report highlights the long-term risks:
“Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations’ infrastructure: what services they run, how they’re configured, what cloud providers they use, and what third-party integrations are in place”.
This map allows attackers to craft highly targeted follow-on strikes or sell specialized access to other cybercriminal groups.
For the hundreds of organizations already caught in the NEXUS net, the consequences go beyond security. The exposure of database credentials containing Personally Identifiable Information (PII) triggers immediate breach notification requirements under regulations like GDPR and CCPA.
Furthermore, the theft of payment integration keys (such as Stripe) or AI platform API keys can lead to significant financial loss through unauthorized transactions or usage charges.
To defend against UAT-10608 and similar automated threats, security experts recommend prioritizing the patching of web application frameworks and implementing strict secret management policies. Organizations should also rotate any potentially exposed credentials or SSH keys immediately, as attackers often retain access long after an initial compromise is remediated.
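To make the rotation step concrete, here is an added example (not code from the Talos report or this page) that turns a dotenv-style file, plus npm-style `_authToken` lines, into a redacted rotation checklist grouped by the credential classes this campaign harvests: cloud tokens, database credentials, package registry tokens, payment keys, AI platform keys and SSH/private keys. The variable-name heuristics, the category names and the sample file are constructed for illustration; values are never printed in full, so the output can be handed to whoever performs the rotation.

```python
"""Build a redacted credential-rotation checklist from dotenv-style files.

Added example, not part of the original article. The name-based rules below
are illustrative heuristics, not indicators from the Talos report.
"""
import re
from dataclasses import dataclass

# Rules are checked in order; the first match wins.
CATEGORY_RULES = [
    (re.compile(r"^(AWS|GCP|GOOGLE|AZURE)_", re.I), "cloud token"),
    (re.compile(r"(DATABASE_URL|^DB_|^PG|MYSQL|MONGO|REDIS)", re.I), "database credential"),
    (re.compile(r"(NPM_TOKEN|PYPI|_authToken|TWINE)", re.I), "package registry token"),
    (re.compile(r"^STRIPE_", re.I), "payment integration key"),
    (re.compile(r"(OPENAI|ANTHROPIC|HUGGINGFACE|HF_TOKEN)", re.I), "AI platform API key"),
    (re.compile(r"(SSH|PRIVATE_KEY)", re.I), "SSH / private key"),
]

# Accepts KEY=value, export KEY=value, and npm's //host/:_authToken=value form.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([^\s=#]+)\s*=\s*(.*?)\s*$")


@dataclass
class Finding:
    name: str
    category: str
    redacted: str


def classify(name: str) -> str:
    """Map a variable name to a rotation category (heuristic)."""
    for pattern, category in CATEGORY_RULES:
        if pattern.search(name):
            return category
    return "unclassified secret"


def redact(value: str) -> str:
    """Keep only the length and a two-character tail so a rotated value can
    still be matched against the checklist; never echo the secret itself."""
    if len(value) <= 4:
        return "*" * len(value)
    return f"{'*' * (len(value) - 2)}{value[-2:]} (len={len(value)})"


def parse_line(line: str):
    """Return (name, value) for an assignment line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m:
        return None
    name, value = m.group(1), m.group(2).strip().strip('"\'')
    return name, value


def rotation_checklist(text: str) -> list:
    """Parse a dotenv-style document into redacted, categorised findings."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        name, value = parsed
        findings.append(Finding(name, classify(name), redact(value)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, for a quick view of what must be rotated."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE_ENV = """# constructed sample .env merged with an .npmrc line
DATABASE_URL=postgres://app:PLACEHOLDERPASS@db.internal:5432/prod
AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER0001
AWS_SECRET_ACCESS_KEY="PLACEHOLDER/SECRET/ACCESS/KEY"
STRIPE_SECRET_KEY=sk_placeholder_0000000000
OPENAI_API_KEY=sk-placeholder-openai-key
NPM_TOKEN=npm_PLACEHOLDERTOKEN
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER2
export SESSION_SALT=abcd
"""

if __name__ == "__main__":
    checklist = rotation_checklist(SAMPLE_ENV)
    for f in checklist:
        print(f"[{f.category}] {f.name} = {f.redacted}")
    print(summarize(checklist))
```

Run it against the real files pulled from a compromised host (`.env`, `.npmrc`, `.pypirc` exports) to get a rotation list ordered by blast radius; the "unclassified secret" bucket is the one to review by hand, since a name the rules do not recognise is still a credential the harvester would have taken.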