128: NEXUS Listener: Large-scale Automated Credential Harvesting Campaign Discovered Targeting Web Applications

Talos has exposed UAT-10608, a major automated credential-harvesting campaign operated via the NEXUS Listener modular framework. Unlike targeted phishing tactics, this operation relentlessly targets a wide range of web applications, from leading enterprise portals to niche SaaS tools, using automated logins to amass credentials en masse.

NEXUS Listener’s modular design lets attackers swiftly adjust methods and plugins, which compounds the threat. Conventional defences such as basic rate limiting are no longer sufficient. Defenders should treat MFA, robust credential-stuffing protections and vigilant monitoring as essentials. Password hygiene, regular credential rotation and proactive leak detection are critical. In today’s environment, all public-facing web endpoints require constant defence, highlighting the urgent need for layered, agile security strategies.
