Executive Summary
The Bissa Scanner platform demonstrates a highly organized, AI‑driven campaign that leveraged mass exploitation, credential harvesting, and post‑compromise triage to target high‑value organizations across finance, cryptocurrency, and retail sectors. The operation exploited publicly known vulnerabilities, most notably CVE-2025-55182 (React2Shell) and a WordPress command‑injection flaw, to enumerate environment files, cloud metadata, and other secrets from exposed web servers.
Technical Overview
The exposed server contained over 13,000 files across 150 directories, including:
- Exploit modules and payload scripts
- Target acquisition feeds (ZIP archives hosted at hxxps://denemekulubum[.]com[.]tr/acquirer/)
- Credential validation and post‑compromise triage logs
- Telegram notification artifacts linked to operator bot
@BonJoviGoesHard
Key components:
- Claude Code – used to read, troubleshoot, and optimize the scanner codebase.
- OpenClaw – local AI‑control surface that orchestrated exploit execution and monitored results.
- React2Shell (CVE-2025-55182) – the core exploitation engine that scanned millions of internet‑facing targets, yielding 900+ confirmed compromises.
- Telegram C2 – alerts were sent via
@bissapwned_botto a private chat with operator@BonJoviGoesHard, providing real‑time triage of hits.
Post‑exploitation, the operator harvested tens of thousands of .env files and other secrets, uploading them in ZIP archives to a Filebase S3 bucket:
- Bucket:
bissapromax(hxxps://s3.filebase[.]com/bissapromax/archives/) - Artifacts: 400+ ZIPs, 30,000+ distinct filenames, 65,000+ entries across 10‑21 Apr 2026.
Victim Impact
Three victim categories were identified with data beyond credentials:
- Financial Advisory Firm – exposed IRS transcripts, ACH records, and Twilio call logs.
- Digital‑Asset & Payments Company – Oracle Fusion REST exports containing supplier and payment data.
- Payroll & HR Platform – payroll, settlement, and Fireblocks integration data.
Defensive Recommendations
- Patch Aggressively – maintain a tight update cadence for all internet‑facing software.
- Manage Secrets Properly – move credentials out of
.envfiles; use secret managers with short lifetimes. - Reduce Blast Radius – employ workload identities, harden cloud metadata, disable unused service‑account tokens.
- Control Egress – route outbound traffic via a logged proxy to prevent silent data exfiltration.
- Rotate & Detect – schedule credential rotation, scan code for embedded secrets, deploy canary tokens.
- Practice Incident Response – run tabletop exercises for rapid credential rotation and vendor coordination.
Conclusion
The Bissa Scanner operation exemplifies how AI can streamline large‑scale exploitation and credential harvesting. Organizations that fail to patch vulnerabilities, protect secrets, or monitor outbound traffic risk being part of a high‑volume, automated attack that can compromise critical systems and data.
References
Full report: hxxps://thedfirreport[.]com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/

