Large-scale Exploitation Operation Discovered via Exposed Server

A Detailed Analysis of an Advanced Hacking Activity

A recently discovered exposed server reveals a wide-scale, multi-victim exploitation operation, providing unprecedented visibility into large-scale hacking activity. Artifacts found on the server indicate that Claude Code and OpenClaw were used as operator aids, facilitating the exploitation activity and workflow orchestration.

The React2Shell Operation

Security experts have identified a large-scale React2Shell operation (CVE-2025-55182) that scanned millions of targets and confirmed over 900 successful exploits. Server logs showed an automated pipeline for exploitation, victim assessment, alerting, and secret collection. The threat actor opportunistically exploited victims at scale, but post-compromise activity was not indiscriminate.

The recovered artifacts show that the operator triaged access, validated stolen data, and focused deeper collection and follow-on activities on organizations that met a clear value threshold, particularly in the financial, cryptocurrency, and retail sectors.

Secret Collection

Secret collection was a central part of the operation, with tens of thousands of .env files providing credentials related to AI platforms, cloud services, payment platforms, messaging systems, and databases. The artifacts suggest that the operator also validated and prioritized the most useful accesses.
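The two defender-side questions a finding like this raises are whether your own web tier ever served a .env file, and which credential families inside such a file have to be treated as compromised and rotated first. The following Python is an added example written for this article, not tooling from the page or from any project it describes: it parses constructed access-log lines in combined format, flags requests for .env-style paths (a 200 with a body is the urgent case), and classifies the keys of a constructed .env file into the credential families the article names (AI platform, cloud, payment, messaging, database). The key-name patterns and the sample values are assumptions chosen for illustration.

```python
"""Defender-side triage for .env exposure: which files were served, which keys to rotate."""
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2026:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:08:01:03 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:08:02:11 +0000] "GET /api/.env.production HTTP/1.1" 404 153 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2026:08:03:50 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Matches /.env and variants such as /.env.production, anywhere in the path.
SECRET_FILE_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')


def find_env_probes(log_text):
    """Return (ip, path, status) for each request whose path targets a .env-style file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if SECRET_FILE_RE.search(m.group('path')):
            hits.append((m.group('ip'), m.group('path'), int(m.group('status'))))
    return hits


# Key-name patterns per credential family (assumed for illustration, not exhaustive).
CREDENTIAL_FAMILIES = {
    'ai_platform': re.compile(r'(OPENAI|ANTHROPIC|HUGGINGFACE|GEMINI).*(KEY|TOKEN)', re.I),
    'cloud': re.compile(r'(AWS|AZURE|GCP|GOOGLE_APPLICATION).*(KEY|SECRET|CREDENTIALS)', re.I),
    'payment': re.compile(r'(STRIPE|PLAID|PAYPAL|BRAINTREE).*(KEY|SECRET|TOKEN)', re.I),
    'messaging': re.compile(r'(TWILIO|SENDGRID|SLACK|TELEGRAM).*(TOKEN|SID|KEY|SECRET)', re.I),
    'database': re.compile(r'(DATABASE_URL|DB_PASSWORD|MONGO_URI|REDIS_URL|POSTGRES)', re.I),
}


def parse_dotenv(text):
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def classify_secrets(env):
    """Map each credential-looking key with a non-empty value to its family."""
    found = {}
    for key, value in env.items():
        if not value:
            continue
        for family, pattern in CREDENTIAL_FAMILIES.items():
            if pattern.search(key):
                found[key] = family
                break
    return found


# Constructed .env content; every value is a placeholder, not a real credential.
SAMPLE_DOTENV = """\
# app config
APP_ENV=production
OPENAI_API_KEY="sk-placeholder"
AWS_SECRET_ACCESS_KEY=placeholder
PLAID_SECRET=placeholder
TWILIO_AUTH_TOKEN=placeholder
DATABASE_URL=postgres://user:placeholder@db.internal/app
DEBUG=false
"""


def rotation_report(log_text, dotenv_text):
    """Combine both signals: .env paths actually served (HTTP 200) and the
    credential families found in the file, which drive rotation priority."""
    served = [h for h in find_env_probes(log_text) if h[2] == 200]
    families = Counter(classify_secrets(parse_dotenv(dotenv_text)).values())
    return {'served_paths': [p for _, p, _ in served], 'families': dict(families)}


if __name__ == '__main__':
    print(rotation_report(SAMPLE_ACCESS_LOG, SAMPLE_DOTENV))
```

A 404 for a .env path is still worth recording: it shows the host is being probed for exposed secret files, and a spike of such probes across many hosts is the scanning phase the article describes. Once a served file is confirmed, rotate every classified key regardless of family; the classification only orders the work.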

Telegram-Based Alerting Infrastructure

The exposed server also revealed a Telegram-based alerting infrastructure connected to the Bissa scanner ecosystem, providing rare visibility into the operator's notification workflow and public handles. The operator is identifiable with the Telegram username @BonJoviGoesHard and the display name "Dr. Tube".

The Victims

Among the identified victims, one, referred to as Victim A, is a mid-sized tax resolution and financial consulting firm. The recovered data includes Plaid tokens, data linked to bank accounts, IRS transcription materials, ACH-related records, Twilio calls, Salesforce contacts, and case data containing Social Security numbers and dates of birth.

Another data cluster is attributable to Victim B, a large digital assets, payments, and corporate finance company. The data includes authenticated Oracle Fusion REST export activity related to vendors, invoices, purchase orders, payment processes, and bank account data.

A separate cluster attributable to Victim C, a mid-sized stablecoin payments, payroll, and HR platform, contains materials related to payroll, settlements, Fireblocks integration, and HRIS.

The Capabilities of the Bissa Scanner

The Bissa Scanner project showed the operator using Claude Code to read the scanner code, understand its location-and-recognition flow, troubleshoot, review reference test results, and document the project sufficiently to reconstruct parts of the acquisition layer.

The project outputs include Chain-of-Thought (CoT) prompts showing Claude evaluating the scanner and planning improvements to it. OpenClaw logs show a local AI control surface on the same machine, including a WebSocket gateway, browser control, a model pool set up with claude-sonnet-4-6, and a provider handle connected to Telegram @bissascanbot.

The Bissa Scanner infrastructure is a mature and modular operation designed to exploit targets at scale, collect and validate secrets, and use an AI-enabled workflow to enhance collection and triage efficiency. The evidence suggests a disciplined, long-term campaign with high success rates. The operator built repeatable workflows for exploitation, validation, alerting, and prioritization, demonstrating not only technical prowess but also a clear understanding of how to turn Internet-scale scanning into reliable, high-value compromises.

Key Takeaways

  • An exposed server used for multi-victim exploitation, staging, review, and validation was discovered.
  • Claude Code and OpenClaw were used as operator aids, facilitating the exploitation activity and workflow orchestration.
  • A large-scale React2Shell operation (CVE-2025-55182) was identified that scanned millions of targets and confirmed over 900 successful exploits.
  • The threat actor opportunistically exploited victims at scale, but post-compromise activity was not indiscriminate.
  • Secret collection was a central part of the operation, with tens of thousands of .env files providing credentials related to various platforms.
  • The exposed server also revealed a Telegram-based alerting infrastructure connected to the Bissa scanner ecosystem.

Context and Implications

The discovery of this exposed server highlights the importance of continuous vigilance and proactive vulnerability management. Organizations must adopt robust measures to protect their systems from attacks based on known vulnerabilities, such as CVE-2025-55182. This includes regular patching, implementing intrusion detection solutions, and conducting periodic security audits.

Additionally, the modular nature of the Bissa Scanner infrastructure suggests that threat actors are becoming increasingly skilled at building and managing complex operations. Organizations must be prepared to defend against multiple, coordinated attacks that can exploit different vulnerabilities simultaneously.

Mitigation Strategies

To counter threats of this nature, organizations should adopt a multi-phase approach to cybersecurity. This includes:

  • Vulnerability Identification and Management: Use vulnerability scanning tools to identify and address weaknesses in systems.
  • Continuous Monitoring: Implement advanced monitoring solutions to detect suspicious activity and respond quickly to incidents.
  • Training and Awareness: Train employees on best cybersecurity practices to prevent attacks based on human error.
  • Collaboration with Experts: Collaborate with cybersecurity experts to share information and develop effective defense strategies.

Future Perspectives

The growing integration of artificial intelligence in hacking operations represents a significant challenge for the cybersecurity sector. As threat actors continue to leverage advanced tools to optimize their campaigns, organizations must adapt quickly to maintain a defensive advantage.

Investing in emerging technologies, such as defensive AI and incident response automation, will be crucial to addressing future threats. Additionally, collaboration between the public and private sectors will be essential to developing comprehensive solutions and sharing critical information in real-time.

Final Conclusions

The Bissa Scanner infrastructure represents a cutting-edge example of how threat actors are evolving their techniques to exploit vulnerabilities at scale. The discovery of this exposed server provides valuable insights into the technical capabilities and strategies of operators, underscoring the urgency of adopting advanced security measures.

As the threat landscape continues to evolve, organizations must remain vigilant and proactive in protecting their systems and data. Only through an integrated and collaborative approach will it be possible to effectively address the cybersecurity challenges of the future.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.

GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not perform real-time information activities.

The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the misuse of the information published.

In the Crypto sector, every investment involves risks: the reader is invited to always inform themselves independently before making any decision.