A sophisticated credential-stealing campaign named “Operation PCPcat” has compromised over 59,000 Next.js servers worldwide, exploiting critical vulnerabilities in the popular React framework to harvest sensitive authentication data at industrial scale.
Security researchers discovered the campaign through honeypot monitoring and gained direct access to the attackers’ command-and-control infrastructure, revealing alarming operational metrics.
The campaign maintains a 64.6% exploitation success rate, with 59,128 confirmed server compromises and roughly 300,000 to 590,000 credential sets stolen.
The threat actors leverage two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478, to achieve remote code execution in Next.js deployments.
The attack chain begins with mass scanning of public Next.js domains, followed by prototype pollution attacks that inject malicious commands through JSON payload manipulation.
Once inside a target system, the malware executes a systematic data extraction routine prioritizing .env files, SSH private keys, cloud credentials, and system environment variables.
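The prototype-pollution step described above is the one a defender can check for at the request boundary. The following is an added example, not code from the article or from the Beelzebub researchers, of a Node.js body check that parses JSON and refuses any document carrying a `__proto__` key or a `constructor.prototype` chain, reporting where in the document it sat. The sample bodies are constructed for the example.

```javascript
// Added example (not from the article): detect prototype-pollution markers
// in a JSON request body before application code touches it.
// JSON.parse() stores "__proto__" as an ordinary own property, so a plain
// recursive walk over Object.keys() sees it; only a later unsafe deep-merge
// into a live object would actually reach Object.prototype.

// Walk a parsed JSON value and return the dotted path of every dangerous
// key found (empty array when the body is clean).
function findPollutionPaths(value, path = "", out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionPaths(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const childPath = path ? `${path}.${key}` : key;
      const child = value[key]; // own property shadows the inherited accessor
      if (key === "__proto__") out.push(childPath);
      // "constructor" alone is a legitimate key name; the dangerous shape is
      // constructor.prototype, which a merge would resolve to Object.prototype.
      if (
        key === "constructor" &&
        child !== null &&
        typeof child === "object" &&
        Object.prototype.hasOwnProperty.call(child, "prototype")
      ) {
        out.push(`${childPath}.prototype`);
      }
      findPollutionPaths(child, childPath, out);
    }
  }
  return out;
}

// Parse a raw body and refuse it if any dangerous key is present.
// Returns { ok, body, paths } so the caller can log the offending paths.
function safeParseBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, body: null, paths: [], error: "invalid JSON" };
  }
  const paths = findPollutionPaths(parsed);
  const ok = paths.length === 0;
  return { ok, body: ok ? parsed : null, paths };
}

// Constructed sample bodies (not taken from any real request).
const SAMPLE_BODIES = {
  clean: '{"user":{"name":"alice","roles":["viewer"]}}',
  protoKey: '{"user":{"__proto__":{"isAdmin":true}}}',
  ctorChain: '{"settings":{"constructor":{"prototype":{"cmd":"x"}}}}',
  inArray: '{"items":[{"id":1},{"__proto__":{"polluted":1}}]}',
};

// Run every sample through the check and return the results by name.
function demo() {
  const results = {};
  for (const [name, raw] of Object.entries(SAMPLE_BODIES)) {
    results[name] = safeParseBody(raw);
    const r = results[name];
    console.log(name, r.ok ? "accepted" : "rejected", r.paths);
  }
  return results;
}

demo();
```

The check runs on the parsed tree rather than on the raw string, so encoded or whitespace-padded variants of the key are caught the same way; a regex on the raw body would not be. Wire it in wherever request bodies are parsed (a middleware or route handler), and log the returned paths so that blocked attempts are visible to the SOC.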
The campaign’s command-and-control infrastructure, hosted in Singapore at 67.217.57.240, operates through four primary API endpoints that assign scanning targets, accept exfiltrated data, and provide operational statistics.
Notably, the C2 server exposes its full campaign metrics through an unauthenticated GET /stats endpoint, revealing that attackers have scanned 91,505 IP addresses with indiscriminate targeting.
For persistence, the malware installs GOST proxy software and Fast Reverse Proxy (FRP) components, creating systemd services that survive system reboots.
The attack infrastructure enables continuous scanning, with each compromised machine querying the C2 server for 2,000 new targets every 45 minutes, potentially compromising 41,000 additional servers daily.
The campaign demonstrates characteristics of large-scale intelligence operations, with attackers showing an advanced understanding of Next.js internals and cloud infrastructure.
According to Beelzebub, the malware specifically targets AWS credentials, Docker configurations, GitHub tokens, and other cloud-native authentication mechanisms commonly stored in development environments.
Organizations using Next.js should immediately audit their deployments for unauthorized access, review .env file contents, rotate all exposed credentials, and implement network segmentation.
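Reviewing .env contents and rotating everything exposed goes faster with a triage list. The following is an added example, not from the article, of a small Node.js routine that parses a .env file, classifies each variable by name and value format, and emits a redacted rotation checklist. The `AKIA`/`ASIA` and `ghp_`-style prefixes are assumptions drawn from the documented AWS and GitHub token formats, the category names are my own, and the .env content is a constructed sample.

```javascript
// Added example (not from the article): turn a leaked .env file into a
// rotation checklist. Values are redacted in the output so the checklist
// itself can be pasted into a ticket without re-leaking the secret.

// Classifiers match on the variable name and/or the value format.
// The value prefixes are assumptions based on the vendors' documented
// token formats; anything unmatched is reported as "unknown secret" when
// its name looks secret-bearing, and skipped otherwise.
const CLASSIFIERS = [
  { kind: "AWS access key",  name: /^AWS_ACCESS_KEY_ID$/,     value: /^(AKIA|ASIA)[A-Z0-9]{16}$/ },
  { kind: "AWS secret key",  name: /^AWS_SECRET_ACCESS_KEY$/ },
  { kind: "GitHub token",    name: /GITHUB|GH_TOKEN/,          value: /^gh[pousr]_[A-Za-z0-9]{20,}$/ },
  { kind: "Docker registry", name: /^DOCKER_(PASSWORD|TOKEN|AUTH)/ },
  { kind: "Database URL",    name: /DATABASE_URL|_DSN$/,       value: /^[a-z]+:\/\/[^:]+:[^@]+@/ },
];
const GENERIC_SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE)/;

// Minimal .env parser: KEY=VALUE per line, "#" comments, optional quotes
// and an optional leading "export ".
function parseDotenv(text) {
  const vars = [];
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim().replace(/^export\s+/, "");
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    vars.push({ name, value });
  }
  return vars;
}

// First classifier whose name or value pattern matches wins; null means
// the variable does not look like a credential at all.
function classify(name, value) {
  for (const c of CLASSIFIERS) {
    if ((c.name && c.name.test(name)) || (c.value && c.value.test(value))) return c.kind;
  }
  return GENERIC_SECRET_NAME.test(name) ? "unknown secret" : null;
}

// Keep a 4-character hint so the owner can recognise which key it was.
function redact(value) {
  return value.length <= 4 ? "****" : value.slice(0, 4) + "****";
}

function buildRotationChecklist(envText) {
  return parseDotenv(envText)
    .map(({ name, value }) => ({ name, kind: classify(name, value), hint: redact(value) }))
    .filter((entry) => entry.kind !== null);
}

// Constructed sample .env; none of these values are real credentials.
const SAMPLE_ENV = `
# constructed sample, not a real leak
NODE_ENV=production
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY="notarealsecret/EXAMPLEKEY"
export GH_TOKEN=ghp_EXAMPLE0123456789abcdefghij
DATABASE_URL=postgres://app:pw-example@db.internal:5432/app
NEXT_PUBLIC_SITE_NAME=Example
SESSION_SECRET=changeme-example
`;

for (const entry of buildRotationChecklist(SAMPLE_ENV)) {
  console.log(`${entry.kind.padEnd(16)} ${entry.name} (${entry.hint})`);
}
```

The name-based classifiers are deliberately conservative: a public-facing `NEXT_PUBLIC_*` variable is not listed, and a key named `SESSION_SECRET` with no recognised format still lands on the list as an unknown secret so that nothing secret-bearing is silently dropped.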
Security teams can detect compromise through Suricata rules monitoring for prototype pollution attempts, YARA signatures identifying the “pcpcat” malware, and behavioral analysis of child_process execution patterns.
The campaign’s public C2 metrics suggest the attackers may be unaware that defenders have mapped their infrastructure, providing a narrow window for proactive defense before the threat actors adapt their tactics.
Indicators of Compromise (IoCs)
C2 Infrastructure
67.217.57.240:666 - Distribution server (payload hosting)
67.217.57.240:888 - FRP C2 (reverse tunneling)
67.217.57.240:5656 - Main C2 API (task assignment, data exfiltration)
API Endpoints
http://67.217.57.240:5656/domains - Target assignment (fetches 2000 IPs)
http://67.217.57.240:5656/result - Data exfiltration (accepts credential POST)
http://67.217.57.240:5656/health - Health check
http://67.217.57.240:5656/stats - Operational metrics (EXPOSES CAMPAIGN DATA)
http://67.217.57.240:666/files/proxy.sh - Persistence installer
http://67.217.57.240:666/files/react.py - Scanner/exploit module
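Using the IoCs above, the following is an added example (not from the article) of matching outbound-connection telemetry and systemd unit files against the C2 host, its three ports and the GOST/FRP persistence tooling, and of measuring the contact cadence to the task-assignment port against the 45-minute schedule reported for the campaign. The log line format, unit names and timestamps are constructed for the example.

```javascript
// Added example (not from the article): match host telemetry against the
// Operation PCPcat IoCs. The connection-log format and systemd units below
// are constructed; adapt parseConnLine() to your own firewall/proxy output.

const C2_HOST = "67.217.57.240";
// Port -> role, as published in the IoC list.
const C2_PORTS = {
  666: "distribution server (payload hosting)",
  888: "FRP C2 (reverse tunneling)",
  5656: "main C2 API (task assignment, data exfiltration)",
};
// Strings that the persistence components (GOST, FRP, installer) leave in
// unit files; word boundaries keep "frp" from matching inside other words.
const PERSISTENCE_MARKERS = [/\bgost\b/i, /\bfrpc?\b/i, /\bproxy\.sh\b/];

// Constructed line format: "<iso-ts> <src-ip> -> <dst-ip>:<port> <proto>"
function parseConnLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)/);
  if (!m) return null;
  return { ts: m[1], src: m[2], dst: m[3], port: Number(m[4]), proto: m[5] };
}

// Every connection to the C2 host, annotated with the role of the port.
function matchConnections(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseConnLine(line);
    if (!rec || rec.dst !== C2_HOST) continue;
    hits.push({ ...rec, role: C2_PORTS[rec.port] || "unlisted port on C2 host" });
  }
  return hits;
}

// Unit names whose file body references the persistence tooling.
function matchSystemdUnits(units) {
  return Object.entries(units)
    .filter(([, body]) => PERSISTENCE_MARKERS.some((re) => re.test(body)))
    .map(([name]) => name);
}

// Minutes between successive contacts to the task-assignment port from the
// same source; a steady ~45 min cadence matches the reported beacon schedule.
function beaconIntervalsMinutes(hits, port = 5656) {
  const bySrc = {};
  for (const h of hits.filter((x) => x.port === port)) {
    (bySrc[h.src] = bySrc[h.src] || []).push(Date.parse(h.ts));
  }
  const out = {};
  for (const [src, times] of Object.entries(bySrc)) {
    times.sort((a, b) => a - b);
    out[src] = times.slice(1).map((t, i) => Math.round((t - times[i]) / 60000));
  }
  return out;
}

// Constructed sample telemetry (TEST-NET address used for the benign line).
const SAMPLE_CONN_LOG = [
  "2025-12-10T09:00:01Z 10.0.4.21 -> 67.217.57.240:5656 tcp",
  "2025-12-10T09:00:03Z 10.0.4.21 -> 67.217.57.240:666 tcp",
  "2025-12-10T09:00:09Z 10.0.4.21 -> 203.0.113.10:443 tcp",
  "2025-12-10T09:45:02Z 10.0.4.21 -> 67.217.57.240:5656 tcp",
  "garbage line that does not parse",
];
const SAMPLE_UNITS = {
  "nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'",
  "sysupdate.service": "[Unit]\nDescription=system update\n[Service]\nExecStart=/usr/local/bin/gost",
  "tunnel.service": "[Service]\nExecStart=/opt/frpc",
};

function report(connLines = SAMPLE_CONN_LOG, units = SAMPLE_UNITS) {
  const hits = matchConnections(connLines);
  const result = {
    hits,
    units: matchSystemdUnits(units),
    intervals: beaconIntervalsMinutes(hits),
  };
  for (const h of hits) console.log(`${h.ts} ${h.src} -> ${h.dst}:${h.port} ${h.role}`);
  console.log("suspicious units:", result.units, "beacon intervals (min):", result.intervals);
  return result;
}

report();
```

A single hit on port 5656 is already enough to open an incident; the interval check is there to separate an active implant still polling for targets from a one-off scan, which decides whether the host also needs the persistence units removed and its credentials rotated.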