A new malware campaign called PCPcat has successfully compromised more than 59,000 servers in under 48 hours through targeted exploitation of critical vulnerabilities in the Next.js and React frameworks.
The malware targets Next.js deployments by exploiting two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478, which allow remote code execution without authentication.
The attack uses prototype pollution and command injection techniques to execute malicious commands on vulnerable servers.
The campaign has shown a 64.6% success rate, which is unusually high for such operations. PCPcat scans public-facing Next.js applications at scale, testing 2,000 targets in each batch and running these scans every 30 to 60 minutes.
The malware operates through a command-and-control server in Singapore that orchestrates the operation across three main ports.
Port 666 serves as the distribution point for malicious payloads, port 888 handles reverse tunnel connections, and port 5656 runs the main control server that assigns targets and collects stolen data.
During active monitoring of Docker honeypots, researchers uncovered the operation's full infrastructure through reconnaissance of the command-and-control server.
Security analysts at Beelzebub identified that the malware first tests targets with a simple command to check whether they are vulnerable before launching the full attack chain.
Once a vulnerable server is found, it extracts environment files, cloud credentials, SSH keys, and command history files.
The stolen information is sent back to the control server through plain HTTP requests that require no authentication.
After stealing credentials, the malware attempts to install additional tools for long-term access. It downloads a script that sets up the GOST proxy software and FRP reverse tunneling tools on the compromised server.
These tools create hidden channels that allow the attackers to maintain access even after the initial vulnerability is patched.
Exploit Mechanism and Code Execution
The attack works by sending a specially crafted JSON payload to vulnerable Next.js servers.
This payload manipulates the JavaScript prototype chain and injects commands into the child process execution function.
The malware uses the following structure:
payload = {
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "_response": {
        "_prefix": "var res=process.mainModule.require('child_process').execSync('COMMAND_HERE').toString();"
    }
}
This payload forces the server to run any command the attacker wants. The results are returned through a specially formatted redirect header, allowing the malware to extract data without raising immediate suspicion.
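A request-body inspector that flags the two markers the payload structure above relies on, a string value that reaches into the prototype chain and a string that loads child_process and calls execSync, is shown below as an added example. It is not code from the article or from Beelzebub; the regexes, the sample bodies and the finding messages are this example's own choices, and the attack sample is the page's own payload with the COMMAND_HERE placeholder left in place.

```python
import json
import re

# Markers of the payload structure the article describes: a value that reaches into
# the prototype chain ("$1:__proto__:then") and a "_prefix" string that loads
# child_process and calls execSync. These regexes are this example's own choice.
PROTO_MARKER = re.compile(r"__proto__|\bconstructor\b.*\bprototype\b")
EXEC_MARKER = re.compile(r"child_process|execSync|mainModule\.require|\bspawn(?:Sync)?\s*\(")
POLLUTION_KEYS = {"__proto__", "constructor", "prototype"}


def _walk(node, path=""):
    """Yield (path, key, value) for every key/value pair in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def inspect_body(raw):
    """Return a list of findings for one request body; an empty list means nothing matched.

    The body is parsed as JSON when possible so that each key and string value is
    examined individually; a body that is not a JSON object or array is scanned as
    raw text so that other encodings of the same markers are still caught.
    """
    findings = []
    try:
        doc = json.loads(raw)
    except (ValueError, TypeError):
        doc = None

    if not isinstance(doc, (dict, list)):
        if PROTO_MARKER.search(raw):
            findings.append("prototype-chain reference in non-JSON body")
        if EXEC_MARKER.search(raw):
            findings.append("command execution reference in non-JSON body")
        return findings

    for path, key, value in _walk(doc):
        if key in POLLUTION_KEYS:
            findings.append(f"prototype pollution key at {path}")
        if isinstance(value, str):
            if PROTO_MARKER.search(value):
                findings.append(f"prototype-chain reference at {path}")
            if EXEC_MARKER.search(value):
                findings.append(f"command execution reference at {path}")
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLE_BENIGN = '{"then": "later", "status": "ok", "user": {"name": "alice"}}'
SAMPLE_ATTACK = json.dumps({
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "_response": {
        "_prefix": "var res=process.mainModule.require('child_process')"
                   ".execSync('COMMAND_HERE').toString();"
    },
})
SAMPLE_FORM = "x=1&then=$1:__proto__:then"  # same marker, non-JSON encoding

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("attack", SAMPLE_ATTACK), ("form", SAMPLE_FORM)):
        print(label, inspect_body(body) or "clean")
```

Running the module prints "clean" for the benign body and two findings for the attack body (the prototype reference under "then" and the command execution under "_response._prefix"). Matching on the markers rather than on the exact payload keys means a variant that moves the execSync string under a different key is still flagged; the non-JSON fallback exists because the same markers survive URL or form encoding.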
The malware then systematically searches for valuable files such as AWS credentials in the .aws folder, Docker configuration files, Git credentials, and bash history containing recently used commands.
To maintain persistence, the malware creates several system services that restart automatically if stopped or if the server reboots.
These services run the proxy and scanning tools continuously, keeping the compromised server active in the botnet. The installation is placed in several locations to ensure at least one copy survives security cleanup efforts.
Network administrators can detect this activity by monitoring connections to the command server IP address 67.217.57.240 on ports 666, 888, and 5656, looking for systemd services with names containing pcpcat, and checking for unusual outbound connections carrying JSON data containing environment variables or credentials.
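The three detection checks listed above, C2 traffic to the quoted address and ports, systemd units named after the campaign, and outbound request bodies that look like environment files or credentials, are worked through below as an added example. It is not the article's or Beelzebub's code; only the IP address, the three ports and the "pcpcat" name fragment come from the page, while the flow-log format, the credential patterns and all sample lines are constructed for this example.

```python
import re

# Indicators quoted in the article. Only the address, the ports and the "pcpcat"
# service-name fragment come from the page; everything else here is an assumption.
C2_ADDRESS = "67.217.57.240"
C2_PORTS = {666: "payload distribution", 888: "reverse tunnel", 5656: "control server"}
SERVICE_MARKER = "pcpcat"

# Shapes of the data the campaign is reported to steal: .env style KEY=value pairs,
# cloud access keys and private-key blocks. Names here are generic, not from the page.
SECRET_PATTERN = re.compile(
    r"AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|BEGIN (?:RSA |OPENSSH )?PRIVATE KEY"
    r"|\b[A-Z][A-Z0-9_]{2,}=\S{4,}"
)

# Constructed conntrack/netflow-like line format assumed for this example.
FLOW_RE = re.compile(r"src=(?P<src>\S+).*?dst=(?P<dst>\S+).*?dport=(?P<dport>\d+)")


def find_c2_flows(lines):
    """Return (line, role) pairs for flows to the C2 address on one of its three ports."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        if m.group("dst") == C2_ADDRESS and port in C2_PORTS:
            hits.append((line, C2_PORTS[port]))
    return hits


def find_pcpcat_units(unit_names):
    """Return systemd unit names containing the campaign's marker (case-insensitive)."""
    return [u for u in unit_names if SERVICE_MARKER in u.lower()]


def find_credential_exfil(bodies):
    """Return indices of outbound request bodies that look like env files or credentials."""
    return [i for i, body in enumerate(bodies) if SECRET_PATTERN.search(body)]


# Constructed samples (not real captures). The unit list is what
# `systemctl list-units --all --plain --no-legend` would be filtered down to.
SAMPLE_FLOWS = [
    "ts=1 proto=tcp src=10.0.0.5 dst=93.184.216.34 dport=443",
    "ts=2 proto=tcp src=10.0.0.5 dst=67.217.57.240 dport=5656",
    "ts=3 proto=tcp src=10.0.0.5 dst=67.217.57.240 dport=22",
    "ts=4 proto=tcp src=10.0.0.7 dst=67.217.57.240 dport=888",
]
SAMPLE_UNITS = ["ssh.service", "pcpcat-proxy.service", "cron.service", "PCPCAT_scan.service"]
SAMPLE_BODIES = [
    '{"event":"pageview","path":"/"}',
    '{"data":"AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000\\nDB_PASSWORD=hunter2hunter2"}',
    '{"data":"-----BEGIN OPENSSH PRIVATE KEY-----"}',
]

if __name__ == "__main__":
    for line, role in find_c2_flows(SAMPLE_FLOWS):
        print(f"C2 traffic ({role}): {line}")
    for unit in find_pcpcat_units(SAMPLE_UNITS):
        print(f"suspicious unit: {unit}")
    for idx in find_credential_exfil(SAMPLE_BODIES):
        print(f"possible credential exfiltration in body #{idx}")
```

The port check is deliberately tied to the three roles the article gives (payload, tunnel, control) so that an alert can say which stage of the operation a host has reached; a connection to the same address on an unlisted port is still worth a look but is not matched here. The credential pattern will also fire on harmless KEY=value strings, so treat it as a triage filter for outbound bodies rather than a verdict.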