A large-scale cyberattack campaign has revealed how modern attackers are combining automation, artificial intelligence, and messaging platforms to streamline their operations. At the center of this campaign is the exploitation of the React2Shell vulnerability, which allowed attackers to compromise hundreds of internet-facing systems with alarming efficiency.
The operation revolved around a tool known as the Bissa scanner, which was used to identify and exploit vulnerable targets at scale. Investigators uncovered an exposed server containing over 13,000 files, offering a rare glimpse into the inner workings of the attack. These files detailed everything from initial exploitation to credential harvesting and operational management, highlighting a highly structured and methodical approach.
What makes this campaign particularly striking is the integration of AI tools such as Claude Code and OpenClaw. These tools were used to refine attack scripts, troubleshoot issues, and optimize data collection, significantly reducing manual effort while increasing the scale and speed of the operation. This level of automation enabled attackers to successfully breach more than 900 organizations across multiple industries.
To manage this large-scale campaign, the attackers relied on Telegram. Hardcoded bots, including one identified as @bissapwned_bot, sent real-time alerts directly to the operator. These alerts contained detailed information about each compromised system, including stolen credentials and security posture, effectively turning Telegram into a live command dashboard for the attacker.
The data theft in this campaign went far beyond basic credentials. Attackers targeted high-value systems such as AI platforms, cloud environments, payment infrastructures, and enterprise databases. In many cases, they exfiltrated deeply sensitive business information, including payroll records, financial transactions, and personally identifiable data.
To store the massive volume of stolen data, the attackers used Filebase, an S3-compatible cloud storage service. Within just two weeks, more than 65,000 files were archived, demonstrating the scale and efficiency of the operation. By leveraging legitimate cloud infrastructure, attackers were able to blend malicious activity with normal traffic, making detection significantly more difficult.
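The Telegram alerting and Filebase archiving described above both leave egress traces on the compromised server. The following is an added example, not taken from the campaign's files or the investigators' tooling, that flags server hosts contacting either service. The log format, sample lines, host inventory and upload threshold are constructed, and the hostnames `api.telegram.org` and `s3.filebase.com` are assumed to be the relevant endpoints.

```python
import re
from collections import defaultdict

# Assumed destinations: Telegram's Bot API host and Filebase's S3 endpoint.
TELEGRAM_HOST = "api.telegram.org"
FILEBASE_SUFFIX = "s3.filebase.com"
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # hypothetical alert threshold, bytes per host
SERVERS = {"web-prod-03", "web-prod-07"}  # hypothetical inventory of server hosts

# Constructed proxy-log format: timestamp src_host method dest_host path bytes_out
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD|CONNECT) (\S+) (\S+) (\d+)$")

SAMPLE_LOG = """\
2025-01-10T02:14:07Z web-prod-03 POST api.telegram.org /bot<TOKEN>/sendMessage 812
2025-01-10T02:14:09Z web-prod-03 PUT bucket-a.s3.filebase.com /dump/part1.tar 41943040
2025-01-10T02:15:30Z web-prod-03 PUT bucket-a.s3.filebase.com /dump/part2.tar 20971520
2025-01-10T02:16:02Z laptop-114 CONNECT api.telegram.org:443 - 2048
2025-01-10T02:17:45Z web-prod-07 GET s3.filebase.com /status 300
2025-01-10T02:18:00Z web-prod-07 GET registry.npmjs.org /react 410
"""

def analyze(log_text, server_hosts):
    """Return {src_host: sorted findings} for servers contacting the watched services."""
    telegram_calls = defaultdict(int)
    filebase_bytes = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        _, src, method, host, _path, sent = m.groups()
        if src not in server_hosts:
            continue  # workstations may use these services legitimately
        host = host.lower().split(":")[0]  # drop :443 on CONNECT entries
        if host == TELEGRAM_HOST:
            telegram_calls[src] += 1  # any bot API call from a server is notable
        elif host == FILEBASE_SUFFIX or host.endswith("." + FILEBASE_SUFFIX):
            if method in ("PUT", "POST", "CONNECT"):
                filebase_bytes[src] += int(sent)  # count outbound volume only
    findings = defaultdict(list)
    for src, count in telegram_calls.items():
        findings[src].append(f"telegram_bot_api:{count}")
    for src, total in filebase_bytes.items():
        if total >= UPLOAD_THRESHOLD:
            findings[src].append(f"filebase_upload:{total}")
    return {src: sorted(items) for src, items in findings.items()}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, SERVERS))
```

Scoping the check to an inventory of server hosts keeps ordinary workstation use of Telegram or S3-compatible storage out of the alert stream.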
This campaign underscores a growing shift in cybercrime, where attackers are building highly automated, AI-assisted ecosystems capable of scaling attacks globally. The combination of vulnerabilities like React2Shell, AI-driven tooling, and real-time monitoring via messaging platforms signals a new level of operational maturity in cyber threats.
For organizations, the lesson is clear: timely patching, stronger credential management, and tighter network controls are no longer optional. As attackers continue to innovate, defenses must evolve just as rapidly to prevent widespread compromise.


