UAT-10608

Also known as: UAT-10608

UAT-10608 is a threat cluster observed by Cisco Talos conducting a large-scale, automated credential-harvesting campaign against public-facing web applications, especially Next.js deployments, using a custom framework called NEXUS Listener to extract and exfiltrate secrets such as credentials, SSH keys, cloud tokens, and API keys. The activity has been linked to broad opportunistic scanning and at least 766 compromised hosts across multiple regions and cloud providers.

Introduction

UAT-10608 is a threat cluster observed by Cisco Talos conducting a large-scale, automated credential-harvesting campaign against public-facing web applications, especially Next.js deployments, using a custom framework called NEXUS Listener to extract and exfiltrate secrets such as credentials, SSH keys, cloud tokens, and API keys. The activity has been linked to broad opportunistic scanning and at least 766 compromised hosts across multiple regions and cloud providers.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CloudDuke
  • CrossRat

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.