Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours

A massive credential-theft campaign dubbed PCPcat compromised 59,128 Next.js servers in under 48 hours. The operation exploits critical vulnerabilities CVE-2025-29927 and CVE-2025-66478, achieving a 64.6% success rate across 91,505 scanned targets.

PCPcat scanners, distributed via react.py malware, probe public Next.js deployments for remote code execution flaws. Attackers use prototype pollution in JSON payloads to inject commands via child_process.execSync(), confirming RCE with an ‘id’ test before extracting credentials from .env files, SSH keys, AWS configs, Docker tokens, Git credentials, and bash history.

According to Mario Candela’s analysis, the compromised hosts then download proxy.sh from 67.217.57.240:666, installing GOST SOCKS5 proxy, FRP reverse tunnels, and persistent systemd services like pcpcat-gost.service.

C2 Infrastructure Exposed

The command-and-control server at 67.217.57.240:5656 runs an unauthenticated API, publicly leaking stats via GET /stats: 91,505 IPs scanned, 59,128 successes, batch size of 2,000 random IPs.

Nodes fetch targets via GET /domains?client=, exfiltrate data through POST /result (up to 2MB JSON payloads), and check health at /health. Candela’s honeypot reconnaissance confirmed data ingestion, with FRP tunneling on port 888 enabling pivoting.

Endpoint            Purpose                    Status
/domains?client=    Target assignment          Active
/result             Credential exfiltration    Accepts data
/stats              Campaign metrics           Exposes 59K compromises
/health             Server check               Responsive

Key IoCs include C2 IPs (67.217.57.240 ports 666/888/5656), files (/opt/pcpcat/*, ~/.pcpcat_installed), processes (gost -L socks5://:1080, frpc), and logs (“UwU PCP Cat was here~”, t.me/Persy_PCP). Honeypots captured Docker API abuse on port 2375 for containerized persistence.

Detection rules cover Suricata alerts for /result POSTs with “env” payloads and YARA for react.py strings like “CVE-2025-29927” and “PCPcat”.

Attributed to “PCP Cat” via Telegram channels t.me/teampcp, the campaign maps to MITRE ATT&CK techniques like T1190 (public app exploit) and T1552 (unsecured credentials).

Projections estimate 41,000 daily compromises, resulting in the harvesting of 300K+ credentials for cloud takeovers or resale. Next.js users must patch urgently, block C2 domains, rotate keys, and monitor for systemd anomalies.
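As an added example (not code from the article or from Candela's analysis), the following Python triage script applies the network and host IoCs reported above to constructed sample data. The HTTP log line format and the sample process, unit, file and log entries are assumptions made for the demonstration; the indicators themselves are the ones listed in the write-up.

```python
import re

# IoCs reported for the PCPcat campaign: C2 address and ports, files, processes, unit, log markers.
C2_IP = "67.217.57.240"
C2_PORTS = {666, 888, 5656}
FILE_IOCS = ("/opt/pcpcat/", ".pcpcat_installed")
PROCESS_IOCS = ("gost -L socks5://:1080", "frpc")
SERVICE_IOCS = ("pcpcat-gost.service",)
LOG_MARKERS = ("UwU PCP Cat was here~", "t.me/Persy_PCP")

# Assumed (hypothetical) proxy log format: "<src> <dst>:<port> <METHOD> <path> [<body>]"
HTTP_LINE = re.compile(r"^(\S+) (\S+):(\d+) (GET|POST) (\S+)(?: (.*))?$")


def scan_http_log(lines):
    """Flag any contact with the C2 ports and /result POSTs carrying env data (the Suricata logic)."""
    hits = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        src, dst, port, method, path, body = m.groups()
        if dst == C2_IP and int(port) in C2_PORTS:
            hits.append((src, "c2-contact", f"{dst}:{port} {method} {path}"))
        if method == "POST" and path == "/result" and body and "env" in body:
            hits.append((src, "credential-exfil", path))
    return hits


def scan_host(processes, unit_names, file_paths, log_lines):
    """Flag the persistence artefacts named in the write-up: proxy processes, unit, files, log strings."""
    findings = [("process", p) for p in processes if any(i in p for i in PROCESS_IOCS)]
    findings += [("service", u) for u in unit_names if u in SERVICE_IOCS]
    findings += [("file", f) for f in file_paths if any(i in f for i in FILE_IOCS)]
    findings += [("log", l) for l in log_lines if any(m in l for m in LOG_MARKERS)]
    return findings


# Constructed sample data (not captured traffic): one clean request, two C2 interactions.
SAMPLE_HTTP = [
    "10.0.0.5 67.217.57.240:5656 GET /domains?client=node1",
    '10.0.0.5 67.217.57.240:5656 POST /result {"env":"AWS_SECRET_ACCESS_KEY=REDACTED"}',
    "10.0.0.7 93.184.216.34:443 GET /index.html",
]
SAMPLE_PROCS = ["/usr/bin/gost -L socks5://:1080", "/opt/pcpcat/frpc -c frpc.ini", "sshd: app"]
SAMPLE_UNITS = ["pcpcat-gost.service", "ssh.service"]
SAMPLE_FILES = ["/opt/pcpcat/proxy.sh", "/home/app/.pcpcat_installed", "/etc/hosts"]
SAMPLE_LOGS = ["UwU PCP Cat was here~ t.me/Persy_PCP", "session opened for user app"]

if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_HTTP) + scan_host(SAMPLE_PROCS, SAMPLE_UNITS, SAMPLE_FILES, SAMPLE_LOGS):
        print(hit)
```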
