Threat actors tracked as UAT-10608 are conducting a large-scale automated credential harvesting operation against web applications. The campaign leverages NEXUS Listener, a tool designed to intercept and exfiltrate user credentials from web-based systems. Analysis reveals the operation targets multiple application types and industries, exploiting CVE-2025-55182 to establish persistence.