
UAT-10608 Campaign Abuses React2Shell for Cloud Credential Harvesting (Campaign)

ID: 1c8aa132-0890-5d23-ae4c-e76cc5a62bc3

STIX ID: report--1c8aa132-0890-5d23-ae4c-e76cc5a62bc3

Feed Name: Wiz Cloud Threat Landscape

Threat Score
88/100

Date Published: 2026-04-02

Date Updated: 2026-05-01

Author: [email protected] (Wiz Threat Research)

...
...

An automated campaign attributed to the threat cluster UAT-10608 is exploiting CVE-2025-55182 (React2Shell) in Next.js installations to gain pre-authentication remote code execution. On compromised hosts it deploys a multi-stage credential-harvesting framework that collects cloud credentials, SSH keys, environment variables and Kubernetes tokens and exfiltrates them to a centralized C2 labeled "NEXUS Listener". The campaign has impacted hundreds of hosts and cloud environments.
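Whatever the exploit payload looks like, the post-exploitation behaviour described above has a host-level signature: the web application's runtime process (node for a Next.js deployment) starts reading credential stores it has no business touching, across several categories, within a short window. The following detection logic is an added example written for this page; it is not Wiz code and reproduces nothing from the campaign's framework. The file-access events are constructed, and the credential paths are assumed well-known locations (AWS CLI profiles, SSH keys, /proc environ, the in-cluster service-account token, kubeconfig), not indicators taken from the report.

```python
"""Flag a single process that reads multiple credential stores in a short window.

Added example for this page (not Wiz code). Input events are constructed to
resemble file-open telemetry from an EDR or auditd; the credential paths below
are assumed common locations, not indicators from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed locations per credential category; fnmatch '*' also matches '/'.
CREDENTIAL_PATTERNS = {
    "cloud": ["*/.aws/credentials", "*/.aws/config", "*/.config/gcloud/*", "*/.azure/*"],
    "ssh": ["*/.ssh/id_*", "*/.ssh/authorized_keys"],
    "env": ["/proc/*/environ", "*/.env", "*/.env.*"],
    "k8s": ["/var/run/secrets/kubernetes.io/serviceaccount/token", "*/.kube/config"],
}


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch (or any monotonic clock)
    pid: int
    comm: str      # process name as the sensor reports it
    path: str      # absolute path that was opened for reading


def classify(path: str):
    """Return the credential category a path belongs to, or None."""
    for category, patterns in CREDENTIAL_PATTERNS.items():
        if any(fnmatchcase(path, p) for p in patterns):
            return category
    return None


def find_harvesters(events, window: float = 300.0, min_categories: int = 2):
    """Return (pid, comm, categories) for processes that touch at least
    `min_categories` distinct credential categories within `window` seconds.

    A single category in isolation (sshd reading authorized_keys, the aws CLI
    reading its own profile) is normal; breadth across categories is what a
    harvesting stage produces and what a legitimate tool rarely does.
    """
    touches = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        category = classify(e.path)
        if category:
            touches[e.pid].append((e.ts, category, e.comm))

    hits = []
    for pid, seq in touches.items():
        for t0, _, comm in seq:
            cats = {c for t, c, _ in seq if t0 <= t <= t0 + window}
            if len(cats) >= min_categories:
                hits.append((pid, comm, sorted(cats)))
                break   # one alert per process is enough
    return hits


# Constructed sample telemetry: one node process sweeping every category in a
# few seconds, plus benign single-category reads and a widely spaced pair.
SAMPLE_EVENTS = [
    FileEvent(100.0, 4242, "node", "/root/.aws/credentials"),
    FileEvent(101.0, 4242, "node", "/root/.ssh/id_rsa"),
    FileEvent(102.0, 4242, "node", "/proc/1/environ"),
    FileEvent(103.0, 4242, "node", "/var/run/secrets/kubernetes.io/serviceaccount/token"),
    FileEvent(104.0, 4242, "node", "/app/.next/server/app/page.js"),   # normal app file
    FileEvent(150.0, 911, "sshd", "/home/deploy/.ssh/authorized_keys"),  # one category
    FileEvent(200.0, 777, "bash", "/home/deploy/.aws/credentials"),
    FileEvent(900.0, 777, "bash", "/home/deploy/.kube/config"),          # outside window
]


def demo():
    """Run the detector over the constructed sample with default settings."""
    return find_harvesters(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, comm, cats in demo():
        print(f"ALERT pid={pid} comm={comm} read credential categories: {', '.join(cats)}")
```

With the defaults only the node process is reported; widening the window to 1000 seconds would also surface the bash process that read an AWS profile and a kubeconfig 700 seconds apart, which is the usual trade-off between catching a slow, deliberate collector and paging on an operator's normal afternoon. In production the process filter should be narrowed to the application's own runtime (the Next.js server process and its children), since that process reading any of these paths is already anomalous.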
