PCPcat Cyberattack Hits 59,000+ Next.js Servers in 48 Hours, Exploits Critical Flaws

Massive PCPcat Cyberattack Compromises Over 59,000 Next.js and React Servers in 48 Hours

A campaign tracked as PCPcat compromised 59,128 Next.js servers within a 48-hour window by exploiting two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478. Of 91,505 scanned targets, 59,128 were reported as compromised, a 64.6% success rate. Note that these figures come from the campaign's own command-and-control statistics (see below), not from independent verification.

Exploitation Mechanism

The attackers distributed a scanner, `react.py`, that probes public-facing Next.js deployments for the remote code execution (RCE) flaws. Its JSON payloads use prototype pollution to reach a code path that passes attacker-controlled input to `child_process.execSync()`, so the injected text runs as a shell command on the server. A simple `id` command served as the proof of execution; only once it succeeded did the scanner move on to credential collection.

Credential Extraction

Once a server was compromised, the attackers systematically harvested a wide array of sensitive information, including:

– Environment variables from `.env` files
– SSH private keys
– AWS configuration files
– Docker authentication tokens
– Git credentials
– Bash command history

Each of these is a reusable secret. Together they give the attacker a path into the cloud accounts, registries, repositories and hosts the compromised server could already reach, so the blast radius of one web server compromise extends well beyond that machine.

Establishment of Persistent Access

Following the initial compromise, the attackers downloaded a script named `proxy.sh` from 67.217.57.240 on port 666. This script installed several tools to maintain persistent access to the compromised servers:

– GOST SOCKS5 Proxy: Facilitates the creation of proxy servers, allowing attackers to route their traffic through the compromised machines.
– FRP (Fast Reverse Proxy): Enables reverse tunneling, allowing external access to internal services.
– systemd units: units such as `pcpcat-gost.service` restart these tools across system reboots.

Command and Control (C2) Infrastructure

The attackers’ command-and-control server, located at 67.217.57.240:5656, operated an unauthenticated API that publicly exposed various statistics and functionalities:

– /stats Endpoint: Revealed campaign metrics, including the total number of IPs scanned (91,505) and successful compromises (59,128).
– /domains?client= Endpoint: Assigned target domains to scanning clients.
– /result Endpoint: Collected exfiltrated data, accepting JSON payloads up to 2MB in size.
– /health Endpoint: Monitored the health status of the C2 server.

Honeypot telemetry attributed to `beelzebub.ai` confirmed that the C2 ingested the exfiltrated data, and that FRP tunnelling over port 888 was used for further network pivoting from the compromised hosts.

Indicators of Compromise (IoCs)

Security teams should be vigilant for the following IoCs associated with the PCPcat campaign:

– C2 IP Addresses: 67.217.57.240 on ports 666, 888, and 5656.
– File Artifacts: Presence of files in `/opt/pcpcat/` and the existence of `~/.pcpcat_installed`.
– Processes: running instances of `gost` with arguments such as `-L socks5://:1080`, and of `frpc`.
– Log entries: strings such as `UwU PCP Cat was here~` and references to the Telegram channel `t.me/Persy_PCP`.

Additionally, honeypot deployments have captured Docker API abuse on port 2375 (the plaintext, unauthenticated Docker daemon socket), indicating attempts to establish containerized persistence.

Detection and Mitigation Strategies

To detect and mitigate the impact of the PCPcat campaign, organizations should implement the following measures:

– Suricata rules: alert on POST requests to a `/result` endpoint whose body carries environment-variable payloads; a POST to a route that merely happens to be named `/result` is not enough on its own.
– YARA rules: match strings within `react.py` such as `CVE-2025-29927` and `PCPcat`.
– Patch management: apply the fixes for CVE-2025-29927 and CVE-2025-66478 to every Next.js and React deployment.
– Credential rotation: treat every secret in the harvested file set as exposed and rotate it: SSH keys, AWS access keys, Docker registry tokens, Git credentials and anything referenced in `.env` files or shell history.
– System monitoring: review systemd units, processes and outbound connections for the artifacts listed above, in particular unauthorized units, `gost`/`frpc` processes and connections to the C2 address.

Attribution and Broader Implications

The PCPcat campaign has been linked to the entity PCP Cat, as evidenced by references in Telegram channels such as `t.me/teampcp`. The tactics employed align with several MITRE ATT&CK techniques, including:

– T1190: Exploit Public-Facing Application.
– T1552: Unsecured Credentials.

At the observed rate, projections put the campaign at roughly 41,000 compromises per day and more than 300,000 harvested credentials. Those credentials can be used directly for unauthorized cloud access or sold on underground markets, so the exposure for affected organizations does not end when the web server is cleaned.

Conclusion

The PCPcat campaign is notable for its scale and speed rather than its sophistication: it exploits known vulnerabilities for which fixes exist, at mass scale, and then turns each foothold into a credential harvest and a proxy node. Organizations running Next.js and React should patch the two CVEs, hunt for the artifacts listed above, rotate any credentials that lived on affected hosts, and keep monitoring for the unauthorized units and outbound connections that mark a persistent foothold.