← All Threat Actors
Threat Actor Profile

UAT-10608

No known aliases in database
▲ High Threat
React2Shell Credential Harvesting
Origin China
Sponsor China state-nexus
Motivation Credential harvesting and intelligence gathering for further network infiltration

Target Sectors

Next.js web applications Cloud infrastructure (AWS, Azure, GCP) AI platforms (OpenAI, Anthropic, Nvidia NIM) Payment processors (Stripe) Code repositories (GitHub)

Known TTPs

Automated reconnaissance via Shodan and Censys
Exploitation of CVE-2025-55182 (React2Shell) for Remote Code Execution
Deployment of the NEXUS Listener collection framework
Multi-phase automated scripts for exfiltrating environment variables, SSH keys, and cloud metadata
C2 communication via HTTP on port 8080
Use of customized GUI for managing stolen credential databases

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD