A new malware campaign dubbed PCPcat has compromised over 59,000 servers in less than 48 hours by exploiting critical vulnerabilities in the Next.js and React frameworks. The attack highlights a significant security gap in popular web development tools, leaving a large number of servers exposed to unauthorized access and data theft. PCPcat abuses flaws in these frameworks to gain remote access without any user authentication, so any Internet-facing application on an affected version is a candidate target.
The operators of PCPcat target Next.js deployments by exploiting two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478. The first is an authorization bypass in Next.js middleware (a crafted x-middleware-subrequest header causes the middleware to be skipped); the second is an unauthenticated remote code execution flaw in React Server Components deserialization as consumed by Next.js, which lets an attacker run commands on the vulnerable server from anywhere. The campaign shows an unusually high success rate of 64.6 percent, which suggests careful target selection rather than blind spraying. PCPcat actively scans public-facing Next.js applications, probing roughly 2,000 targets per batch every 30 to 60 minutes.
PCPcat’s Exploitation Mechanism and Command and Control Infrastructure
The PCPcat malware is run from a command-and-control (C2) infrastructure hosted in Singapore. The C2 server coordinates the campaign over three ports. Port 666 serves as the distribution point for malicious payloads, port 888 is used for establishing reverse tunnel connections, and the main control service on port 5656 assigns targets to infected machines and collects stolen data.
Security analysts from Beelzebub, who were monitoring Docker honeypots, were able to map the campaign's complete operational infrastructure. Their investigation showed that the malware follows a methodical exploitation sequence. Before launching the full attack chain, PCPcat first sends a simple probe command to each candidate to confirm that it is exploitable. Only confirmed-vulnerable hosts receive the follow-on stages, which makes the campaign more efficient and less likely to trip basic security controls with noisy failed attempts.
Once a vulnerable server is confirmed, the malware proceeds to extract sensitive information: environment files, cloud credentials, SSH keys, and shell command history. The stolen data is sent back to the control server over plain, unauthenticated HTTP requests, which blend in with ordinary web traffic. The speed of this exfiltration means credentials are typically already in the attacker's hands by the time the intrusion is noticed.
After the credential theft, PCPcat works to establish long-term access to the compromised system. It downloads and runs a script that installs the GOST proxy software and the FRP reverse tunneling tool. These create covert communication channels that let the attackers keep access even after the originally exploited vulnerability is patched. The malware also spreads its installation across multiple locations on the host so that a partial cleanup leaves it in place.
Detailed Exploit Process and Data Theft
The core of the attack is a specially crafted JSON payload sent to a vulnerable Next.js server. The payload uses the React Server Components reference syntax to walk into the JavaScript prototype chain (the "$1:__proto__:then" reference below), a technique the article describes as prototype pollution. By steering the deserializer through the prototype chain, the malware gets an attacker-supplied string treated as code and passed to the server's child process execution functions. The structure of the payload is built to trigger exactly that path inside the Next.js runtime.
As detailed by security researchers, the payload structure resembles the following:
payload = {
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('COMMAND_HERE').toString();"
  }
}
This payload structure makes the server execute whatever command the attacker substitutes for COMMAND_HERE. The output of the executed command is returned to the malware in a specially formatted redirect header in the HTTP response, so the attacker reads back data such as environment variables and credentials from an ordinary-looking response without a second channel that might raise alarms.
The file search specifically targets the .aws folder for AWS credentials, Docker configuration files, Git credentials, and bash history files, which often contain recently typed sensitive commands and tokens. To keep its foothold, PCPcat installs multiple system services configured to restart automatically if they are stopped or the server reboots. These services keep the proxy and scanning tools running, fold the compromised server into the attacker's botnet, and use it to attack further targets.
Detecting and Mitigating PCPcat Infections
Network administrators can detect ongoing PCPcat activity by monitoring network traffic. Key indicators are connections to the command server IP address 67.217.57.240 on ports 666, 888, and 5656. On the host, systemd services whose names contain "pcpcat" signal a compromise. Unusual outbound connections carrying JSON data, particularly data that contains environment variables or credentials, warrant immediate investigation. A match on the IP address is strong evidence on its own; ports 888 and 5656 are also used by legitimate software, so a port-only match should be treated as a lead to confirm rather than as proof.
The rapid spread of PCPcat shows how quickly a vulnerability in a widely used web framework is turned into a mass compromise. Developers and system administrators should prioritize timely patching of known vulnerabilities, regular security audits, and intrusion detection that covers both network traffic and host persistence mechanisms. Because PCPcat steals credentials and installs tunnels before the patch lands, a host that was exposed during the window should be treated as compromised: rotate the cloud keys, SSH keys, and tokens it held, and remove the proxy and tunnel services rather than relying on the framework upgrade alone.