Cybercriminals Exploit Telegram Bots to Orchestrate Over 900 React2Shell Attacks
A recent investigation has uncovered a sophisticated cyberattack campaign in which threat actors utilized automated tools, artificial intelligence, and Telegram bots to infiltrate more than 900 organizations globally. Central to this operation was the Bissa scanner, a tool designed to exploit a critical vulnerability in Next.js, identified as CVE-2025-55182, commonly referred to as React2Shell. This flaw enabled attackers to access sensitive environment files (.env) on web servers, which often contain credentials, API keys, and access tokens.
The attackers employed a systematic approach to identify, exploit, and prioritize targets based on the value of the extracted data. Industries such as finance, cryptocurrency, and retail were particularly affected. The campaign’s scale and organization were revealed through an exposed server containing over 13,000 files across more than 150 directories. This server housed scripts for exploitation, data staging, credential harvesting, and access validation, indicating a highly automated and efficient operation.
A notable aspect of this campaign was the use of Telegram for real-time notifications. The Bissa scanner’s scripts were integrated with a Telegram bot named @bissapwned_bot. Upon each successful React2Shell exploit, the bot sent structured alerts to the attacker’s private Telegram chat. These alerts included detailed information about the compromised entity, such as identity, cloud infrastructure, privilege levels, and available secrets, allowing the attacker to swiftly assess and act upon each breach.
The volume of credentials obtained was substantial. The attackers amassed keys and tokens for various services, including AI providers like Anthropic and OpenAI, cloud platforms such as AWS and Azure, payment systems like Stripe and PayPal, and databases including MongoDB and Supabase. Between April 10 and April 21, 2026, over 65,000 archived files were uploaded to a cloud storage bucket named bissapromax, demonstrating the campaign’s extensive reach and automation.
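For teams whose .env files may have been exposed, the following added example (not code from the investigation or from the attackers' tooling) parses a .env file and groups its entries by the providers named above, so that each credential can be rotated at its source. The value patterns are the providers' publicly documented key prefixes and URI schemes; the name hints, function names and sample file are assumptions constructed for illustration.

```python
import re

# Documented key prefixes / URI schemes; "sk-ant-" is tested before "sk-".
VALUE_RULES = [
    ("Anthropic", re.compile(r"^sk-ant-")),
    ("OpenAI", re.compile(r"^sk-")),
    ("AWS", re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")),
    ("Stripe", re.compile(r"^(sk|rk)_(live|test)_")),
    ("MongoDB", re.compile(r"^mongodb(\+srv)?://")),
]
# Fallback by variable name, used only when the name also suggests a credential.
NAME_HINTS = {"ANTHROPIC": "Anthropic", "OPENAI": "OpenAI", "AWS": "AWS",
              "AZURE": "Azure", "STRIPE": "Stripe", "PAYPAL": "PayPal",
              "MONGO": "MongoDB", "SUPABASE": "Supabase"}
CRED_WORD = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|URL|URI")
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
QUOTED = re.compile(r"""^(['"])(.*?)\1\s*(?:#.*)?$""")

def parse_env(text):
    """Yield (name, value), handling comments, `export` and quoted values."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        value = m.group(2).strip()
        q = QUOTED.match(value)
        yield m.group(1), q.group(2) if q else value.split(" #", 1)[0].strip()

def classify(name, value):
    for provider, rx in VALUE_RULES:
        if rx.search(value):
            return provider
    if CRED_WORD.search(name.upper()):
        return next((p for h, p in NAME_HINTS.items() if h in name.upper()), None)

def rotation_inventory(text):
    inventory = {}  # provider -> [(variable name, value cut to 4 characters)]
    for name, value in parse_env(text):
        provider = classify(name, value)
        if provider and value:
            inventory.setdefault(provider, []).append((name, value[:4] + "..."))
    return inventory

SAMPLE_ENV = """# constructed sample, no real credentials
AWS_REGION=us-east-1
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
LLM_KEY=sk-ant-constructed-000   # generic name, caught by prefix
DATABASE_URL="mongodb+srv://app:constructed@db.example.invalid/app"
SUPABASE_SERVICE_ROLE_KEY=eyJconstructed
"""

if __name__ == "__main__":
    print(rotation_inventory(SAMPLE_ENV))
```

The inventory keeps only the first four characters of each value, so it can be attached to an incident ticket without copying the secrets themselves.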
The integration of Telegram bots for real-time monitoring and management underscores the evolving tactics of cybercriminals. By leveraging widely used messaging platforms, attackers can efficiently coordinate and execute large-scale operations while maintaining anonymity. This development highlights the need for organizations to remain vigilant and adopt comprehensive security measures to protect against such sophisticated threats.