Automated reconnaissance via Shodan and Censys
Exploitation of CVE-2025-55182 (React2Shell) for Remote Code Execution
Deployment of the NEXUS Listener collection framework
Multi-phase automated scripts for exfiltrating environment variables, SSH keys, and cloud metadata
C2 communication via HTTP on port 8080
Use of customized GUI for managing stolen credential databases