BZhKQghYp QdhEb

Bissa Scanner: AI-Driven Mass Exploitation of React2Shell (CVE-2025-55182) Unveiled

A highly structured, industrial-scale exploitation campaign is currently targeting internet-facing infrastructure by weaponizing React2Shell (CVE-2025-55182). Unlike traditional “smash-and-grab” attacks, this operation leverages a sophisticated modular framework known as the Bissa scanner, which integrates Large Language Models (LLMs) and Telegram-based Command and Control (C2) to orchestrate mass exploitation and high-fidelity data exfiltration.

Forensic investigations into an exposed Bissa command server revealed a professionalized ecosystem designed not just for data dumping, but for automated validation, staging, and intelligence-driven prioritization. Evidence suggests over 900 successful compromises, indicating a terrifyingly efficient pipeline from initial scan to verified breach.

The Engine: CVE-2025-55182 (React2Shell)

At the core of this campaign lies CVE-2025-55182, a critical Pre-Authentication Remote Code Execution (RCE) vulnerability within React Server Components and Next.js environments. Boasting a CVSS score of 10.0, the flaw allows an unauthenticated attacker to achieve full code execution via a single, crafted HTTP request. The Bissa scanner utilizes a dedicated module to probe millions of targets, automatically confirming successful exploitation to ensure the operator only spends time on “confirmed hits.”

AI-Assisted Exploitation & Orchestration

The Bissa platform represents a paradigm shift in cybercrime, where human operators use AI to augment the speed and complexity of their workflows. The exposed infrastructure contained over 13,000 files, revealing a deeply integrated use of Claude Code and OpenClaw.

Rather than simply running scripts, the operator utilized these AI tools for:

  • Code Refinement: Using Claude to debug “lease flows” and optimize scanner performance.
  • Component Reconstruction: Analyzing scanner logic to rebuild and modularize acquisition engines.
  • Automated Triage: Leveraging a local AI-control surface (via a WebSocket gateway and model pool including claude-sonnet-4-6) to process findings.
Workflow (Source : DFIR).
Automated Exploitation Workflow (Source: DFIR).

Precision Secret Harvesting & Exfiltration

The exploitation logic is heavily tuned for Secret Harvesting. The Bissa scanner doesn’t just look for files; it hunts for the “keys to the kingdom”—specifically focusing on .env files, cloud metadata service (IMDS) credentials, Kubernetes service accounts, and local database stores.

The scale of data exfiltration is immense. Analyzing Filebase S3-compatible storage buckets used for off-box archiving, analysts identified:

  • 400+ env-batch ZIP archives.
  • 30,000+ distinct .env filenames.
  • 65,000+ unique file entries harvested within a mere 11-day window.

The stolen credentials span the entire modern SaaS ecosystem, including high-value targets like Anthropic, AWS, Azure, Stripe, OpenAI, and GitHub. This provides the attacker with immediate lateral movement capabilities into cloud control planes and financial systems.

Unique credentials recovered (Source : DFIR).
Diversity of Recovered Credentials (Source: DFIR).

Telegram as a Triage and C2 Interface

The operation’s “human element” was unmasked via its Telegram-based notification layer. The Bissa scanner employs a custom bot, @bissapwned_bot, to push real-time alerts to a single operator (identified by the handle @BonJoviGoesHard).

Each Telegram alert is a condensed intelligence report. Instead of a raw log, the bot sends emoji-delimited lines summarizing:

  1. Victim identity and runtime environment.
  2. Privilege level achieved.
  3. Cloud posture and immediately accessible secrets.

This allows the operator to perform high-speed triage of hundreds of compromises directly from a mobile device, prioritizing victims based on financial or data value (e.g., targeting Oracle Fusion exports or payroll/HRIS data).

Telegram alerting & command channel (Source : DFIR).
Telegram Alerting Interface (Source: DFIR).

Data Exfiltration via S3 (Source : DFIR).
Exfiltration Pipeline to Filebase S3 (Source: DFIR).

Defensive Mandates

The modularity and AI-acceleration of the Bissa campaign require a corresponding shift in defensive posture. Organizations must move beyond simple patching to a more resilient architecture:

  • Immediate Patch Management: Prioritize all Next.js and React Server Component stacks for CVE-2025-55182.
  • Secret Management: Transition all production secrets from .env files to managed secret stores (e.g., AWS Secrets Manager, HashiCorp Vault).
  • Egress Filtering: Implement strict monitoring and filtering for egress traffic to known cloud storage (S3) and messaging (Telegram) APIs.
  • Identity Hygiene: Enforce rigorous RBAC and rotate all service account keys and cloud credentials immediately following any detected anomaly.

Related Articles

Back to top button