Summary: During monitoring of one of their Docker honeypots, the Beelzebub Research Team identified the PCPcat campaign, a highly sophisticated cyber-espionage operation targeting cloud infrastructure and development environments by exploiting CVE-2025-29927 and CVE-2025-55182 in the Next.js and React frameworks to deploy PCPcat. Using JSON payload manipulation and prototype pollution to achieve RCE, the threat actors, identified by the signature "PCP", compromised 59,128 servers in less than 48 hours with a 64.6% success rate. The operation is geared toward large-scale intelligence collection through industrial-scale data exfiltration, specifically targeting cloud credentials, SSH keys, and .env files, while establishing persistence via GOST and FRP to turn compromised hosts into botnet nodes. Researchers examined the attacker's unauthenticated C2 API hosted in Singapore, which revealed a "random_ips" scanning mode targeting over 91,000 systems.
Security Officer Comments: The threat actors left an opening for the researchers by leaving their C2 API publicly accessible, giving them unexpected visibility that yielded critical findings. Given the use of legitimate tools like GOST and FRP for pivoting and persistence, defenders should monitor for unauthorized usage of these often-abused open-source tools alongside practicing regular vulnerability management to mitigate this rapidly expanding threat. Organizations are advised to patch any unpatched public Next.js/React deployments immediately, block the C2 IP (67[.]217[.]57[.]240), and rotate credentials, as the campaign is projected to potentially compromise 1.2 million servers at the current pace within a month.
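The two monitoring recommendations above (watch for unauthorized GOST/FRP use, and block or alert on the published C2 IP) can be turned into a simple triage check over outbound-connection logs. The following is an added example, not code from the advisory or from the Beelzebub team: it refangs the defanged C2 indicator from this summary and flags log records whose destination is that IP or whose process is one of the tunnelling binaries (`gost`, and FRP's `frpc`/`frps`). The `key=value` log format and the log lines themselves are constructed for the example; adapt `parse_line` to your own connection telemetry (Zeek conn logs, EDR network events, firewall logs).

```python
import re
from dataclasses import dataclass

# Defanged C2 IP exactly as published in the advisory; refanged below for matching.
C2_IP_DEFANGED = "67[.]217[.]57[.]240"

# Binaries of the tunnelling tools the campaign abuses for pivoting/persistence:
# gost, and frpc/frps (the FRP client and server). Presence alone is not proof of
# compromise (both are legitimate tools), so hits are flagged for review, not blocked.
TUNNEL_TOOLS = {"gost", "frpc", "frps"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 67[.]217[.]57[.]240 into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Constructed sample telemetry (not real logs): one outbound connection per line.
SAMPLE_LOG = """\
ts=2025-12-01T10:00:01Z host=web01 proc=node dst=10.0.0.5:5432
ts=2025-12-01T10:00:07Z host=web01 proc=frpc dst=67.217.57.240:7000
ts=2025-12-01T10:00:09Z host=build02 proc=gost dst=203.0.113.9:443
ts=2025-12-01T10:00:12Z host=web03 proc=curl dst=67.217.57.240:80
ts=2025-12-01T10:00:20Z host=web01 proc=sshd dst=10.0.0.7:22
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    proc: str
    dst: str
    reasons: tuple  # which indicators matched: "c2_ip" and/or "tunnel_tool"


def parse_line(line: str) -> dict:
    """Parse one 'key=value key=value' record into a dict (empty dict if no fields)."""
    return dict(KV_RE.findall(line))


def analyze(log_text: str, c2_ip: str = refang(C2_IP_DEFANGED)) -> list:
    """Return one Finding per record that contacts the C2 IP or runs a tunnelling tool."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = []
        # Strip the port so "67.217.57.240:7000" compares against the bare IP.
        dst_ip = rec.get("dst", "").rsplit(":", 1)[0]
        if dst_ip == c2_ip:
            reasons.append("c2_ip")
        if rec.get("proc") in TUNNEL_TOOLS:
            reasons.append("tunnel_tool")
        if reasons:
            findings.append(Finding(rec.get("host", ""), rec.get("proc", ""),
                                    rec.get("dst", ""), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        # A record matching both indicators (tunnel tool talking to the C2) is the
        # strongest signal and should be escalated first.
        print(f"{f.host:8} {f.proc:6} -> {f.dst:22} {','.join(f.reasons)}")
```

Records that match both indicators (a tunnelling binary connecting to the C2 address) are the highest-priority signal; a tunnel tool alone may be legitimate administration, and a lone hit on the C2 IP from a generic process such as `curl` still warrants checking what fetched or posted data to it.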
Suggested Corrections:

IOCs: https://beelzebub.ai/blog/threat-huntinga-analysis-of-a-nextjs-exploit-campaign/#indicators-of-compromise-iocs

Organizations at risk include any unpatched public Next.js/React deployment, cloud infrastructure on AWS, Azure, or GCP, and development environments with exposed .env files or SSH keys.
The threat level is critical. Recommended actions include immediate interventions such as applying patches, blocking C2 infrastructure, and rotating credentials, followed by comprehensive incident response and, in the long term, implementing zero-trust architectures and continuous monitoring.
Link(s): https://beelzebub.ai/blog/threat-huntinga-analysis-of-a-nextjs-exploit-campaign/