An enormous credential-theft marketing campaign dubbed PCPcat compromised 59,128 Subsequent.js servers in underneath 48 hours. The operation exploits crucial vulnerabilities CVE-2025-29927 and CVE-2025-66478, attaining a 64.6% success fee throughout 91,505 scanned targets.
PCPCat scanners, distributed by way of react.py malware, probe public Subsequent.js deployments for distant code execution flaws. Attackers use prototype air pollution in JSON payloads to inject instructions by way of child_process.execSync(), confirming RCE with an ‘id’ check earlier than extracting credentials from .env recordsdata, SSH keys, AWS configs, Docker tokens, Git credentials, and bash historical past.
Based on Mario Candela’s evaluation, the compromised hosts then obtain proxy.sh from 67.217.57.240:666, putting in GOST SOCKS5 proxy, FRP reverse tunnels, and protracted systemd providers like pcpcat-gost.service.
C2 Infrastructure Uncovered
The command-and-control server at 67.217.57.240:5656 runs an unauthenticated API, publicly leaking stats by way of GET /stats: 91,505 IPs scanned, 59,128 successes, batch dimension of two,000 random IPs.
Nodes fetch targets by way of GET /domains?consumer=, exfiltrate knowledge by means of POST /outcome (as much as 2MB JSON payloads), and examine well being at /well being. Candela’s honeypot reconnaissance confirmed knowledge ingestion, with FRP tunneling on port 888 enabling pivoting.
EndpointPurposeStatus/domains?consumer=Goal assignmentActive/resultCredential exfiltrationAccepts knowledge/statsCampaign metricsExposes 59K compromises/healthServer checkResponsive
Key IoCs embody C2 IPs (67.217.57.240 ports 666/888/5656), recordsdata (/choose/pcpcat/*, ~/.pcpcat_installed), processes (gost -L socks5://:1080, frpc), and logs (“UwU PCP Cat was right here~”, t.me/Persy_PCP). Honeypots captured Docker API abuse on port 2375 for containerized persistence.
Detection guidelines cowl Suricata alerts for /outcome POSTs with “env” payloads and YARA for react.py strings like “CVE-2025-29927” and “PCPcat”.
Attributed to “PCP Cat” by way of Telegram channels t.me/teampcp, the marketing campaign maps to MITRE ATT&CK strategies like T1190 (public app exploit) and T1552 (unsecured credentials).
Projections estimate 41,000 each day compromises, ensuing within the harvesting of 300K+ credentials for cloud takeovers or resale. Subsequent.js customers should patch urgently, block C2 domains, rotate keys, and monitor for systemd anomalies.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
