Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting

We discovered an exposed server that revealed a large-scale, AI-assisted exploitation and credential-harvesting operation built around the Bissa scanner. The operation scanned millions of targets, exploited React2Shell (CVE-2025-55182) as its primary initial-access vector, and recorded 900+ confirmed compromises. The operator used Claude Code and OpenClaw for workflow orchestration, Telegram bots for alerting, and S3-compatible Filebase buckets (notably bissapromax) to aggregate tens of thousands of harvested .env files and the credentials they contained. #React2Shell #BissaScanner

Key points

  • The exposed server contained 13,000+ files across 150+ directories showing a structured, multi-victim exploitation and data-staging workflow rather than opportunistic storage.
  • React2Shell (CVE-2025-55182) exploitation was central, with logs showing a pipeline that scanned millions of targets and recorded 900+ confirmed successful exploits.
  • AI tooling (Claude Code and OpenClaw) was embedded in the operator workflow to read code, troubleshoot, triage hits, and plan scanner improvements, enabling automated hit scoring and prioritization.
  • Secret harvesting prioritized .env files and yielded credentials across AI providers, cloud services, payments, messaging, databases, and crypto custody, with 30,000+ distinct .env filenames and 65,000+ archived entries.
  • Exfiltration used S3-compatible Filebase buckets (notably bissapromax) to store batched env archives, and the scanner integrated alerting/command channels via Telegram bots tied to a single operator identity.
  • Victim data included deep post-compromise collections (financial, payroll, HR, CRM, and bank/ACH data) for prioritized targets in finance, crypto, and retail, indicating targeted follow-on activity after triage.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access via known web application vulnerabilities; the report states that ‘React2Shell (CVE-2025-55182) was central to the operation.’
  • [T1190] Exploit Public-Facing Application – A second module targeting the WordPress W3 Total Cache plugin (CVE-2025-9501), including its version-check logic, was recovered from the scanner (‘the scanner also includes a dedicated WordPress module targeting CVE-2025-9501’).
  • [T1046] Network Service Discovery – Internet-scale scanning and target enumeration across millions of internet-facing hosts to identify exploitable services (‘the workflow appeared capable of scanning millions of internet-facing targets’).
  • [T1552.001] Credentials in Files – Harvested credentials from application configuration and environment files (.env) across thousands of victims (‘tens of thousands of .env files yielding credentials across AI, cloud, payments, messaging, and databases.’)
  • [T1078] Valid Accounts – The operator validated and prioritized harvested credentials and access, using them to triage and focus deeper collection on high-value victims (‘artifacts show the operator triaged access, validated stolen data, and concentrated deeper collection … on organizations that met a clear value threshold’).
  • [T1119] Automated Collection – An automated pipeline for exploitation, hit scoring, alerting, and secret harvesting, supported by AI-assisted tooling to streamline mass collection (‘Logs showed an automated pipeline for exploitation, hit scoring, alerting, and secret harvesting.’)
  • [T1567.001] Exfiltration to Cloud Storage – Collected .env batches were uploaded to an S3-compatible Filebase bucket (bissapromax) as the off-box archive for harvested files (‘upload them to hxxps://s3.filebase[.]com in bucket bissapromax under the archives/ prefix.’)
  • [T1102] Web Service – Telegram-based alerting and command infrastructure served as a C2/notification channel tied to bot accounts and a single operator identity (‘Telegram-based alerting and command infrastructure tied to the broader Bissa scanner ecosystem’).

Indicators of Compromise

  • [Domain] Acquirer and feed infrastructure – cs2.ip.thc.org (target ZIP feeds), denemekulubum[.]com[.]tr/acquirer, wiprz[.]com/acquirer (historical feed)
  • [Cloud Storage / Bucket] Exfiltration storage – Filebase buckets: bissapromax (active archive with recoverable content), bissa and bissa2 (historical), and the related archives/env-batch-*.zip objects
  • [Filenames] Harvested/staged files – env-batch-*.zip objects and 30,000+ distinct .env filenames collected and archived (65,000+ archived file entries overall)
  • [CVE] Exploited vulnerabilities – CVE-2025-55182 (React2Shell) and CVE-2025-9501 (WordPress W3 Total Cache, targeted by a dedicated scanner module with version-check logic)
  • [Telegram Handles / IDs] Operator alerting and C2 – @bissapwned_bot (bot user ID 8798206332), @bissa_scan_bot, and operator @BonJoviGoesHard (user ID 1609309278), used for scanner notifications and AI-control alerts
  • [Archive Objects] Sample archived evidence – a referenced “confirmed hits” file and staged victim bundles (e.g., Plaid tokens, IRS transcripts, Oracle Fusion exports) indicating victim-specific exfiltrated datasets
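The technique mapping and the IOC list above translate directly into a hunt over ordinary web-server and egress logs. The following Python is an added example written for this summary, not code from The DFIR Report, from the Bissa scanner, or from the operator's tooling. It runs the listed indicators over constructed log lines: requests for .env-style paths on the web tier (T1552.001), and outbound requests to the listed feed domains and Filebase buckets (T1567.001, T1102). The sample lines are constructed; the combined log format for the web server, the "timestamp source destination host path" layout for the egress/proxy log, and the handling of both path-style and virtual-hosted bucket addressing on s3.filebase.com are assumptions, not details from the report.

```python
"""Hunt for Bissa-style activity in constructed web-access and egress log lines.

Added example for this summary; not code from The DFIR Report or from the
Bissa scanner.  Sample log lines are constructed.  The web-server lines use
the combined log format and the egress lines use an assumed
"<ts> <src> <dst> <host> <path>" layout.
"""
import re
from fnmatch import fnmatch

# Infrastructure from the IOC list, with defanging removed so it matches raw logs.
IOC_DOMAINS = {
    "s3.filebase.com": "exfiltration storage",   # buckets bissapromax / bissa / bissa2
    "cs2.ip.thc.org": "target feed",             # target ZIP feeds
    "denemekulubum.com.tr": "acquirer",
    "wiprz.com": "acquirer (historical)",
}
IOC_BUCKETS = {"bissapromax", "bissa", "bissa2"}
IOC_ARCHIVE_GLOB = "env-batch-*.zip"

# Combined log format (assumed layout for the web-server sample).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# .env and its common variants: /.env, /api/.env, /.env.backup, /.env.production ...
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$')
# Assumed egress/proxy layout: "<ts> <src> <dst> <host> <path>".
EGRESS_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+)$')

# Constructed sample data (documentation-range addresses, no real victims).
ACCESS_LOG = [
    '203.0.113.7 - - [22/Apr/2026:10:01:02 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2026:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2026:10:01:04 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Apr/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
EGRESS_LOG = [
    "2026-04-22T10:05:00Z 10.0.0.5 192.0.2.10 s3.filebase.com /bissapromax/archives/env-batch-0017.zip",
    "2026-04-22T10:05:30Z 10.0.0.5 192.0.2.11 cs2.ip.thc.org /targets.zip",
    "2026-04-22T10:06:00Z 10.0.0.8 192.0.2.12 updates.example.org /pkg/index.json",
    "2026-04-22T10:07:00Z 10.0.0.5 192.0.2.10 bissa2.s3.filebase.com /archives/env-batch-0018.zip",
]


def web_env_findings(lines):
    """T1552.001 hunt: every request for a .env-style path.  'exposed' is True when
    the server answered 200 with a non-empty body, i.e. the file was actually served."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not ENV_PATH_RE.search(path):
            continue
        size = int(m["size"]) if m["size"].isdigit() else 0
        findings.append({
            "src": m["src"], "ts": m["ts"], "path": path, "status": m["status"],
            "exposed": m["status"] == "200" and size > 0,
        })
    return findings


def summarize_env_probes(findings):
    """Per source address: how many .env paths it tried and which ones were served.
    Several variants from one address in a short window is scanner behaviour."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["src"], {"probes": 0, "exposed": []})
        entry["probes"] += 1
        if f["exposed"]:
            entry["exposed"].append(f["path"])
    return summary


def egress_findings(lines):
    """T1567.001 / T1102 hunt: outbound requests to the IOC domains.  A request to
    s3.filebase.com that names an IOC bucket (path-style or virtual-hosted, an
    assumption) or an env-batch-*.zip object is labelled as batch exfiltration."""
    findings = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        host, bucket = m["host"].lower(), None
        if host.endswith(".s3.filebase.com"):          # virtual-hosted bucket address
            bucket, host = host[: -len(".s3.filebase.com")], "s3.filebase.com"
        if host not in IOC_DOMAINS:
            continue
        role = IOC_DOMAINS[host]
        segments = [s for s in m["path"].split("/") if s]
        if host == "s3.filebase.com":
            if bucket is None and segments:                # path-style bucket address
                bucket = segments[0]
            archive = segments[-1] if segments else ""
            if bucket in IOC_BUCKETS or fnmatch(archive, IOC_ARCHIVE_GLOB):
                role = "exfiltration (env batch to IOC bucket)"
        findings.append({"ts": m["ts"], "src": m["src"], "host": host,
                         "bucket": bucket, "path": m["path"], "role": role})
    return findings


if __name__ == "__main__":
    for f in web_env_findings(ACCESS_LOG):
        print("web   ", f)
    print("probes", summarize_env_probes(web_env_findings(ACCESS_LOG)))
    for f in egress_findings(EGRESS_LOG):
        print("egress", f)
```

On a real estate, feed the access-log function the web tier's logs and the egress function the proxy, NetFlow-with-SNI, or DNS logs; any hit on s3.filebase.com with an IOC bucket or an env-batch object is a strong signal that a host is already staging harvested .env files, while a burst of .env variants from one address is the scanner's enumeration phase and, where a 200 with a body appears, a leak to rotate immediately.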


Read more: https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/