
A large-scale, highly automated cyberespionage campaign is systematically targeting the cloud infrastructure that supports numerous modern web applications. In less than 48 hours, tens of thousands of servers have been compromised through the targeted exploitation of known vulnerabilities in widely used frameworks.
The operation is documented in a report published by the Beelzebub Research Team, which has identified the campaign as PCPcat. The activity was first observed on a Docker honeypot and immediately demonstrated exceptional execution speed.
Attackers exploited vulnerabilities CVE-2025-29927 and CVE-2025-66478 in Next.js and React, compromising 59,128 servers in less than two days.
The responsible group, recognizable by the “PCP” signature embedded in the malicious files, isn’t limited to simply altering websites. Their primary goal appears to be the systematic collection of sensitive information. The malware is designed to target cloud credentials, SSH keys, and configuration files containing environment variables, particularly .env files, which enable further lateral movement within compromised networks.
According to researchers, the operation exhibits the hallmarks of large-scale intelligence operations, with data exfiltration occurring on an industrial scale. The attack chain relies on advanced techniques that include JSON payload manipulation, allowing attackers to achieve remote code execution on vulnerable systems.
Once access is gained, the malware establishes persistence by installing a backdoor using GOST, a SOCKS5 proxy, and FRP (Fast Reverse Proxy). In this way, the compromised servers are integrated into a botnet and transformed into remotely controllable nodes.
What most impressed analysts was the effectiveness of the operation. Unlike many automated campaigns based on random attempts, PCPcat demonstrated high accuracy. Direct analysis of the C2 server confirmed an exploitation success rate of 64.6%, an anomalous value that suggests the use of a select list of targets or a very widespread distribution of unpatched vulnerabilities.
The investigation also revealed a serious weakness in the attackers’ infrastructure. The C2 server, located in Singapore, was completely lacking authentication mechanisms. This flaw allowed researchers to freely access the API endpoints and reconstruct the true extent of the campaign.
The data collected revealed that the “random_ips” mode was scanning over 91,000 potential targets, with no apparent selection criteria. The campaign is running at a particularly rapid pace: approximately 32 batches of targets are processed each day, with the number of compromised systems constantly increasing.
If continued at this rate, the campaign could affect more than 1.2 million servers within a month, with potentially serious consequences for the security of cloud infrastructure exposed to the Internet.
In light of these elements, organizations using publicly accessible Next.js or React applications are advised to urgently apply available security patches, block the identified C2 server IP address (67.217.57[.]240), and rotate all credentials that may have been exposed through environment files.
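As an added defensive example for the last recommendation (written for this article, not code from the Beelzebub report or the campaign), the script below parses a .env file in its common syntax and produces a redacted inventory of the variables that should be rotated. The name and value patterns are assumptions and should be tuned to your own stack.

```python
import re

# Variable names that usually hold a credential (assumed list; extend for your stack).
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY|ACCESS_KEY|CREDENTIAL", re.I)
# Values that look like an AWS access key ID or a URL with an embedded user:password.
SECRET_VALUE = re.compile(r"AKIA[0-9A-Z]{16}|://[^/\s:@]+:[^@\s]+@")
ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse KEY=VALUE lines (optional 'export', quotes, '#' comments) into a dict."""
    env = {}
    for line in (l.strip() for l in text.splitlines()):
        m = ASSIGN.match(line)
        if not m:
            continue                                  # blank lines and '# comments' do not match
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # quoted: keep verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        env[name] = value
    return env


def redact(value):
    """Show only a short prefix so the inventory can be shared without leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def rotation_inventory(text):
    """Return [(name, redacted_value, reason)] for variables that should be rotated."""
    found = []
    for name, value in parse_env(text).items():
        if not value:
            continue                                  # nothing to rotate
        if SECRET_NAME.search(name):
            found.append((name, redact(value), "name suggests a secret"))
        elif SECRET_VALUE.search(value):
            found.append((name, redact(value), "value looks like a credential"))
    return found


# Constructed sample .env; the AWS values are the documentation examples, not real credentials.
SAMPLE_ENV = """\
# application settings
NODE_ENV=production
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app  # prod db
EMPTY_TOKEN=
"""
```

Run `rotation_inventory(SAMPLE_ENV)` to get the three entries to rotate; a variable with an empty value is skipped, and the database URL is caught by its value even though its name looks harmless.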
