Hackers Exploit Critical React2Shell Vulnerability via Telegram Bots


Sarah Simpson, April 24, 2026. 4 min read

Key Takeaways

  • A single threat actor compromised over 900 organizations globally by exploiting the critical React2Shell vulnerability (CVE-2025-55182) in Next.js web applications.
  • The attacker ran the campaign with automated tooling, AI assistants (Claude Code, OpenClaw) and Telegram bots that delivered real-time exploit notifications and summaries of harvested credentials.
  • The campaign, identified by The DFIR Report, focused on extracting sensitive environment variables (.env files) containing API keys, passwords, and access tokens from affected systems.
  • Financial, cryptocurrency, and retail sectors were heavily targeted, with tens of thousands of sensitive credentials exfiltrated and stored in cloud buckets.
  • Organizations must prioritize patching, implement robust secret management, and enforce strict network egress controls to mitigate similar threats.

Sophisticated Threat Actor Leverages React2Shell Vulnerability, Telegram Bots to Compromise 900+ Companies

An exposed server has laid bare the inner workings of a single threat actor responsible for breaching more than 900 companies worldwide. The campaign, documented by researchers at The DFIR Report, combined automated scanning, AI-assisted tooling and real-time alerts over Telegram bots to exploit a critical vulnerability in Next.js applications at scale.

The attack hinged on CVE-2025-55182, dubbed "React2Shell" by security researchers: a critical flaw in React Server Components that Next.js applications inherit, and one that gives an unauthenticated remote attacker code execution on a vulnerable server. The threat actor used that foothold to target millions of internet-facing web servers and read their environment (.env) files, which routinely hold passwords, API keys and access tokens, so a single file read is enough to compromise the services behind the application.

Far from indiscriminate scanning, the threat actor ran a structured workflow: identify vulnerable targets, exploit the React2Shell flaw, then rank each victim by the likely value of the stolen data. Sectors holding high-value digital assets, including financial institutions, cryptocurrency platforms and retail companies, bore the brunt of the follow-on activity.

Uncovering the Attack Infrastructure

Analysts from The DFIR Report discovered the full scope of this campaign after encountering an exposed server containing over 13,000 files across more than 150 directories. This was no mere data dump; the server revealed a highly organized operation, complete with scripts dedicated to exploitation, victim data staging, credential harvesting, and validating access, all managed from a central location.

Further analysis of the exposed host showed the attacker using AI tooling, specifically Claude Code and OpenClaw, for troubleshooting and for automating the workflow. That level of automation set the campaign apart from typical mass-exploitation efforts.

Telegram Bots: The Attacker’s Real-Time Command Center

A particularly revealing aspect of the operation was the attacker's use of Telegram as a live notification channel. The "Bissa scanner" framework, a key component of the tooling, contained runner scripts with a hardcoded bot token for @bissapwned_bot.

Upon each successful React2Shell exploit, @bissapwned_bot would send an immediate, structured alert directly to the attacker’s private Telegram chat. The operator, publicly identified by the Telegram username @BonJoviGoesHard and display name “Dr. Tube,” received concise, single-line messages. Each alert contained crucial details about the victim, including their identity, cloud posture, privilege levels, and discovered secrets. This real-time intelligence enabled the attacker to triage hundreds of breaches efficiently, directly from a messaging application.

The volume of exfiltrated credentials was substantial. Across tens of thousands of .env files, the attacker amassed keys and tokens for a wide array of services. These included AI providers like Anthropic and OpenAI, major cloud platforms such as AWS and Azure, payment gateways including Stripe and PayPal, and databases like MongoDB and Supabase. Between April 10 and April 21, 2026, the operator uploaded over 65,000 archived file entries to a cloud storage bucket named “bissapromax” via S3-compatible Filebase, highlighting the continuous and automated nature of the data collection pipeline.
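The two outbound channels described in this section, single-line alerts to the Telegram Bot API and archive uploads to an S3-compatible bucket, are exactly what a logged egress proxy in front of the application tier makes visible. The following is an added example for this article, not tooling from The DFIR Report and not code recovered from the attacker's server. The log line format, the 10.20.1.0/24 application range, the endpoint list and the byte threshold are assumptions, and the sample log lines are constructed.

```python
"""Spot the exfiltration pattern above in egress proxy logs.

Added example for this article (assumptions: log format, address range,
endpoint list, thresholds). It flags application-tier hosts that call the
Telegram Bot API or push bulk uploads to an S3-compatible object store that
the application has no business using.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed proxy log format: <epoch> <client_ip> <method> <url> <status> <request_bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
BOT_TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)")  # Telegram Bot API path: /bot<id>:<token>/<method>
TELEGRAM_HOSTS = {"api.telegram.org"}
OBJECT_STORE_HOSTS = {"s3.filebase.com"}  # S3-compatible endpoints not on your allow-list (assumed)
UPLOAD_METHODS = {"PUT", "POST"}
UPLOAD_ALERT_BYTES = 1_000_000            # assumed per-host threshold


@dataclass(frozen=True)
class Finding:
    severity: str
    client: str
    reason: str
    evidence: str


def redact_bot_token(url: str) -> str:
    """Keep the numeric bot ID for correlation, never write the secret part to a ticket."""
    return BOT_TOKEN_RE.sub(lambda m: f"/bot{m.group(1)}:<redacted>", url)


def analyze(log_text: str, app_tier: str = "10.20.1.0/24") -> list[Finding]:
    net = ipaddress.ip_network(app_tier)
    findings: list[Finding] = []
    upload_bytes: dict[str, int] = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        client = m["client"]
        try:
            if ipaddress.ip_address(client) not in net:
                continue  # workstations may legitimately talk to Telegram; app servers never should
        except ValueError:
            continue
        url = m["url"]
        host = urlsplit(url).hostname or ""
        if host in TELEGRAM_HOSTS and BOT_TOKEN_RE.search(url):
            findings.append(Finding("high", client, "Telegram Bot API call from application tier",
                                    redact_bot_token(url)))
        elif host in OBJECT_STORE_HOSTS and m["method"] in UPLOAD_METHODS:
            upload_bytes[client] += int(m["bytes"])  # aggregate: one alert per host, not per object
    for client, total in sorted(upload_bytes.items()):
        if total >= UPLOAD_ALERT_BYTES:
            findings.append(Finding("medium", client,
                                    f"{total} bytes uploaded to unapproved S3-compatible endpoint",
                                    ", ".join(sorted(OBJECT_STORE_HOSTS))))
    return findings


# Constructed sample lines; tokens, bucket and addresses are fake.
SAMPLE_LOG = """\
1776000001.101 10.20.1.15 GET https://registry.npmjs.org/next 200 412
1776000002.202 10.20.1.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForThisExample/sendMessage 200 312
1776000003.303 10.20.1.16 PUT https://s3.filebase.com/loot-bucket/victim-042.tar.gz 200 2097152
1776000004.404 10.20.1.16 PUT https://s3.filebase.com/loot-bucket/victim-043.tar.gz 200 1048576
1776000005.505 10.20.1.17 GET https://api.stripe.com/v1/charges 200 120
1776000006.606 192.168.5.9 POST https://api.telegram.org/bot987654321:AAAnotherFakeToken/sendMessage 200 200
1776000007.707 10.20.1.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForThisExample/sendMessage 200 298
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client}: {f.reason} ({f.evidence})")
```

Scope the check to the application subnet: an employee workstation has many legitimate reasons to reach api.telegram.org, a Next.js server has none. The upload rule aggregates per host rather than alerting per object, because a pipeline like the one described above produces tens of thousands of small PUTs.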

Operational Sophistication and Longevity

The Telegram alerting system demonstrated a high degree of operational maturity. Each confirmation message from @bissapwned_bot featured a structured header with a message ID, date, sender username, and bot user ID. The message body, formatted as a single line with emoji-delimited fields, provided an instant, digestible summary of each victim, eliminating the need for manual server access. This design choice underscored the attacker’s priority for speed, clarity, and minimal effort in reviewing results.

The DFIR Report analysts confirmed the existence of at least two active bots: @bissapwned_bot for exploit alerts and @bissa_scan_bot, integrated into the AI-control subsystem powered by OpenClaw. Metadata lookups against the Telegram API verified both bots were operational at the time of discovery. The destination chat for the alerts resolved to a private conversation with a single human operator, confirming a solo, centrally managed campaign. This significant infrastructure investment suggests a long-running operation, with storage phase names tracing back to September 2025.

AI Enables Workflow (Source - The DFIR Report)

The figure shows @bissapwned_bot delivering real-time exploit notifications to the operator's Telegram chat, one per confirmed CVE-2025-55182 compromise.

What You Should Do

  • Aggressive Patching and Monitoring: Ensure all Next.js deployments and other web applications are promptly patched for known vulnerabilities, especially critical CVEs like CVE-2025-55182. Maintain subscriptions to vendor advisories to stay informed of new threats.
  • Secure Secret Management: Move production credentials, API keys and access tokens out of .env files and into a dedicated secret manager that injects them at runtime. Runtime injection does not hide a secret from code already executing inside a compromised process, so pair it with short lifetimes and narrowly scoped permissions, which limit what an attacker can do with a secret once it leaks.
  • Control Outbound Network Traffic: Implement strict egress filtering and control outbound traffic from application tiers through a logged proxy. This measure can prevent compromised hosts from silently communicating with attacker infrastructure and exfiltrating data.
  • Regular Credential Rotation: Establish and enforce a rotation schedule for all sensitive credentials, and rotate immediately, not on schedule, anything that was present in the .env file of a host that ran a vulnerable React or Next.js version while exposed.
  • Scan for Embedded Secrets: Conduct frequent scans of source code and built artifacts to detect any inadvertently embedded secrets.
  • Deploy Canary Tokens: Integrate canary tokens into sensitive areas of your infrastructure. These tokens are designed to trigger immediate alerts upon unauthorized access, providing early warning of a potential breach.
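The operator ranked victims by the value of what their .env files exposed (the list of providers earlier in the article shows what that value looked like), and the "scan for embedded secrets" step recommended here is the same classification, run by the defender first. The following is an added example for this article, not The DFIR Report's tooling and not code recovered from the attacker's server: it parses .env text, classifies values by vendor-documented key-prefix formats, masks them for reporting, and ranks hosts by an assumed triage weight. The prefixes follow public vendor documentation; the weights, the variable-name heuristic and the sample files are constructed for the example.

```python
"""Classify and score secrets in .env files, then rank hosts by exposure.

Added example for this article. Key-format patterns follow vendor-documented
prefixes; the triage weights and sample files are assumptions, not figures
from the report.
"""
import re
from dataclasses import dataclass

ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
GENERIC_NAME_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY)", re.IGNORECASE)

# (label, category, value pattern, assumed triage weight). Order matters: first match
# wins, so the specific Anthropic "sk-ant-" prefix is tested before the OpenAI "sk-" one.
DETECTORS = [
    ("AWS access key ID", "cloud", re.compile(r"^AKIA[0-9A-Z]{16}$"), 9),
    ("Stripe live secret key", "payments", re.compile(r"^sk_live_[A-Za-z0-9]{16,}$"), 10),
    ("Stripe test key", "payments", re.compile(r"^sk_test_[A-Za-z0-9]{16,}$"), 1),
    ("Anthropic API key", "ai", re.compile(r"^sk-ant-[A-Za-z0-9_-]{20,}$"), 6),
    ("OpenAI API key", "ai", re.compile(r"^sk-(?:proj-)?[A-Za-z0-9_-]{20,}$"), 6),
    ("MongoDB URI with embedded credentials", "database",
     re.compile(r"^mongodb(?:\+srv)?://[^:/@]+:[^@]+@"), 8),
    ("JWT-shaped token (e.g. Supabase service key)", "database",
     re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$"), 7),
]


@dataclass(frozen=True)
class Hit:
    key: str
    label: str
    category: str
    weight: int
    masked: str  # the full value is never stored or printed


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal .env parser: KEY=value, optional 'export', quotes, comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]                       # quoted value, taken verbatim
        else:
            val = val.split(" #", 1)[0].rstrip()  # drop a trailing inline comment
        env[key] = val
    return env


def mask(val: str) -> str:
    return f"{val[:4]}...{val[-4:]}" if len(val) > 12 else "***"


def classify(env: dict[str, str]) -> list[Hit]:
    hits: list[Hit] = []
    for key, val in env.items():
        if not val:
            continue
        for label, category, rx, weight in DETECTORS:
            if rx.match(val):
                hits.append(Hit(key, label, category, weight, mask(val)))
                break
        else:
            # No known format: the variable name is a weak but useful signal (assumed weight).
            if GENERIC_NAME_RE.search(key):
                hits.append(Hit(key, "unclassified credential (by variable name)", "generic", 3, mask(val)))
    return hits


def triage_score(hits: list[Hit]) -> int:
    return sum(h.weight for h in hits)


def rank_victims(envs: dict[str, str]) -> list[tuple[str, int]]:
    """Rank hosts by the value of what their .env exposes, highest first."""
    scored = [(name, triage_score(classify(parse_dotenv(text)))) for name, text in envs.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample files; every value is fake.
SAMPLE_ENV = """\
# storefront production settings (constructed)
NODE_ENV=production
DATABASE_URL="mongodb+srv://app:Sup3rS3cret@cluster0.example.mongodb.net/shop"
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000ABCD1
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY=sk_live_0000000000000000fake
STRIPE_TEST_KEY=sk_test_0000000000000000fake
ANTHROPIC_API_KEY=sk-ant-api03-FAKEFAKEFAKEFAKEFAKEFAKE
export OPENAI_API_KEY='sk-proj-FAKEFAKEFAKEFAKEFAKEFAKEFAKE'
NEXT_PUBLIC_SITE_NAME=Shop # not a secret
"""
LOW_VALUE_ENV = "NODE_ENV=production\nSTRIPE_TEST_KEY=sk_test_0000000000000000fake\n"

if __name__ == "__main__":
    for name, score in rank_victims({"storefront": SAMPLE_ENV, "blog": LOW_VALUE_ENV}):
        print(f"{name}: triage score {score}")
    for hit in classify(parse_dotenv(SAMPLE_ENV)):
        print(f"  {hit.key:24} {hit.label:45} {hit.masked}")
```

Run it over the working tree and over what actually ships (container image layers, the deployed directory), since .env files are routinely copied into images. Any hit on a host that served traffic while running a vulnerable React or Next.js version is a rotation, not a cleanup: the live Stripe key and the cloud access key in the sample are exactly the entries the operator's triage would have put at the top of the list.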

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
