Bissa Scanner
Bissa Scanner is a mature, modular exploitation and collection operation centered on React2Shell (CVE-2025-55182). Recovered artifacts showed infrastructure used for multi-victim exploitation, staging, review, and validation at scale. The operation scanned millions of internet-facing targets, logged more than 900 confirmed compromises, harvested tens of thousands of .env files, and used AI-assisted tooling, including Claude Code and OpenClaw, to troubleshoot, orchestrate, and refine exploitation and triage workflows. The workflow validated access, scored victims, and focused deeper follow-on activity on higher-value organizations, especially in the financial, cryptocurrency, and retail sectors.
The React2Shell payload was intended to enumerate .env files, cloud metadata, Kubernetes service account context, local credential stores, database and Redis access, and cryptocurrency wallet material. Stolen secrets included credentials for AI providers, cloud platforms, payment systems, messaging services, databases, authentication platforms, and collaboration services. The operation also used S3-compatible Filebase to archive harvested victim .env files.
Researchers also recovered a WordPress module targeting CVE-2025-9501 in W3 Total Cache, but found only version-check logic and no evidence of successful exploitation through that module.
Telegram artifacts tied the operation to the public handle @BonJoviGoesHard, display name "Dr. Tube," and to bots including @bissapwned_bot and @bissa_scan_bot, used for alerting and AI-control functions. No nation-state attribution has been stated. Known alias: bissa_scanner.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
- Consumer Discretionary Distribution & Retail
Where they're from
Attributed origin per open-source reporting.
- TR
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.