by mariocandela
187 days ago
So I run research honeypots (Beelzebub) and caught something wild this week. A threat actor is running a massive credential theft campaign against Next.js servers - I'm calling it "Operation PCPcat". The kicker? Their C2 infrastructure is completely exposed. Like, /stats endpoint showing live campaign metrics exposed. Amateur-hour OpSec, but the operation itself is industrial-scale.

What they're doing:
- Chaining CVE-2025-29927 + CVE-2025-66478 for RCE
- Harvesting .env files, SSH keys, AWS creds, Docker configs, Git credentials
- Dropping persistent backdoors
- Everything flows through their open C2 - task queues, exfil data, the works

Happy to discuss in comments.
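As an added example (not part of the post above), a defender-side check: scan web access logs for probes against the artefact types the post says the campaign harvests (.env files, SSH keys, AWS creds, Docker configs, Git credentials). The log lines are constructed and the IPs are documentation-range placeholders, not indicators from the campaign.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (Combined Log Format); not real campaign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2025:10:00:01 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.7 - - [01/Dec/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [01/Dec/2025:10:00:03 +0000] "GET /%2e%2e/.aws/credentials HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [01/Dec/2025:10:00:04 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2025:10:00:05 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [01/Dec/2025:10:00:06 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Secret-bearing files the post names as harvest targets; labels are this example's own.
SENSITIVE = {
    "env_file": re.compile(r"(^|/)\.env(\.|$)"),
    "ssh_key": re.compile(r"(^|/)\.ssh/"),
    "aws_creds": re.compile(r"(^|/)\.aws/credentials$"),
    "docker_config": re.compile(r"(^|/)\.docker/config\.json$"),
    "git_creds": re.compile(r"(^|/)(\.git/config|\.git-credentials)$"),
}

def normalize_path(raw):
    """Drop the query string and percent-decode twice so encoded variants still match."""
    path = unquote(unquote(raw.split("?", 1)[0]))
    return re.sub(r"/+", "/", path)

def classify(path):
    """Return the sensitive-file label for a normalized path, or None if benign."""
    for label, pattern in SENSITIVE.items():
        if pattern.search(path):
            return label
    return None

def find_credential_probes(log_text):
    """Map each client IP to the ordered list of sensitive-file probes it issued."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        label = classify(normalize_path(m.group("path")))
        if label:
            hits[m.group("ip")].append(label)
    return dict(hits)

if __name__ == "__main__":
    for ip, labels in find_credential_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(labels)} probe(s) -> {', '.join(labels)}")
```

Status codes are deliberately ignored: a 404 on /.env is still a signal that a host is being enumerated for the same secrets the post lists.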