DEV Community

Mark0

Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting

Security researchers have uncovered an exposed server detailing a sophisticated mass exploitation operation powered by the "Bissa scanner." The campaign uniquely integrated AI-assisted workflows using Claude Code and OpenClaw for orchestration, enabling the operator to troubleshoot and refine a modular exploitation pipeline. A central component was the exploitation of React2Shell (CVE-2025-55182), which allowed the actor to scan millions of targets and confirm over 900 successful compromises.

The primary objective of the operation was credential harvesting, specifically targeting .env files to acquire keys for AI platforms, cloud providers, and payment systems. The attacker, linked to the Telegram identity "Dr. Tube," utilized automated bots for real-time alerting and triage. Post-compromise activity was highly selective, prioritizing high-value victims in the financial and cryptocurrency sectors for deeper data exfiltration via S3-compatible storage.

