A sophisticated cybercrime operation has been uncovered in which attackers leveraged automated tools, including AI assistance and Telegram bots, to hack into over 900 companies globally. The campaign, centered around a tool named “Bissa scanner,” systematically targeted internet-facing web applications to harvest sensitive credentials and alert the perpetrators in real time. This discovery highlights an emerging trend in large-scale cyberattacks, where efficiency and automation are paramount for threat actors.
The core of this extensive operation exploited a critical vulnerability in Next.js, identified as CVE-2025-55182, and colloquially referred to as React2Shell. This flaw allowed attackers to target millions of web servers and extract valuable environment files (.env), which commonly contain sensitive information such as passwords, API keys, and access tokens. The threat actor meticulously structured their approach, moving beyond random scanning to systematically find, exploit, and prioritize victims based on the perceived value of their stolen data. Financial institutions, cryptocurrency exchanges, and retail businesses were among the most significantly impacted sectors.
The Sophistication of the Bissa Scanner Operation
The full scope of this campaign came to light following the discovery of an exposed server by analysts at The DFIR Report. This server contained over 13,000 files across more than 150 directories, revealing a highly organized and professional operation. The contents demonstrated a comprehensive workflow, including scripts for exploitation, staging victim data, harvesting credentials, and validating access. This level of integration suggests an attacker with significant technical expertise and a clear strategic objective.
Further analysis of the exposed host indicated the operator employed AI tools, specifically Claude Code and a utility called OpenClaw, for troubleshooting and workflow management. The integration of these technologies signifies a notable advancement in the automation and efficiency of mass exploitation campaigns. This blend of advanced tooling and a structured methodology allowed the threat actor to scale their operations beyond what is typically seen in similar incidents.
Real-Time Alerts via Telegram Bots
A particularly noteworthy aspect of this operation was the use of Telegram as a live notification system for confirmed exploits. Runner scripts within the Bissa scanner framework were hardcoded with a Telegram bot token. This token was linked to a bot named ‘@bissapwned_bot,’ which automatically sent structured alerts directly to the attacker’s private Telegram chat upon each successful React2Shell exploit. The operator, identifiable by the Telegram username ‘@BonJoviGoesHard’ and display name “Dr. Tube,” received single-line updates for each confirmed breach, detailing the victim’s identity, cloud posture, privilege level, and available secrets.
This near real-time notification system enabled the attacker to triage hundreds of breaches directly from a messaging application, a significant departure from traditional methods that often involve manual logging and analysis. The volume of leaked credentials was substantial: tens of thousands of .env files yielded keys and tokens for major AI providers such as Anthropic and OpenAI, cloud platforms such as AWS and Azure, payment systems such as Stripe and PayPal, and databases including MongoDB and Supabase.
How the Telegram Bot Notification System Worked
The Telegram alerting mechanism represented one of the most revealing technical components of the campaign. Each alert message sent by ‘@bissapwned_bot’ included a structured header with a message ID, date, sender username, and bot user ID. The body of the message was presented in a single line, using emoji-delimited fields to provide the attacker with an immediate summary of each victim without requiring manual server access. This design showcases the operator’s emphasis on speed, clarity, and minimizing effort in reviewing exploitation results.
The DFIR Report analysts identified that the operator managed at least two distinct bots: ‘@bissapwned_bot’ for scanner alerts and ‘@bissa_scan_bot,’ which was part of the AI-controlled subsystem powered by OpenClaw. Metadata analysis confirmed both bots were active at the time of discovery. The destination chat for these bots was identified as a private conversation between the bot and a single human operator, strongly indicating a solo-driven, centrally managed campaign. The infrastructure investment and the presence of storage phase names dating back to September 2025 suggest this type of operation has been ongoing for a considerable period.
Between April 10 and April 21, 2026, the operator uploaded over 65,000 archived file entries to a cloud storage bucket named “bissapromax” using Filebase, an S3-compatible storage service. This activity further underscores the highly automated and continuous nature of the data collection pipeline employed in this campaign.
The DFIR Report researchers have outlined several critical defensive measures that organizations should implement immediately. Firstly, aggressive patching and continuous monitoring of vendor advisories are crucial to prevent exploitation of critical CVEs. Secondly, migrating production credentials from .env files to dedicated secret managers, with runtime injection, short lifespans, and restricted permissions, can significantly enhance security. Thirdly, controlling outbound traffic from application tiers through a logged proxy can prevent compromised hosts from communicating with attacker infrastructure without detection.
Finally, organizations are advised to rotate credentials regularly, scan code and build artifacts for embedded secrets, and deploy canary tokens that trigger alerts upon unauthorized access. These layered security strategies aim to mitigate the risks posed by sophisticated exploitation techniques like those demonstrated by the Bissa scanner operation and the use of Telegram bots for operational efficiency.
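As an added defensive illustration (not code from the report or from the Bissa tooling), the following Python scanner implements the "scan code and build artifacts for embedded secrets" recommendation against an .env file: prefix patterns for the credential families named above, plus an entropy heuristic for any other variable labelled as a key, secret, token or password. The regexes and the sample values are assumptions constructed for this example, not documented key formats or real credentials.

```python
import math
import re

# Prefix patterns for the credential families named in the report (AWS, Stripe,
# Anthropic, OpenAI). The regexes are assumptions based on publicly documented
# key prefixes; extend them for your own stack.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}")),
    ("anthropic_api_key", re.compile(r"\bsk-ant-[0-9A-Za-z_-]{20,}")),
    ("openai_api_key", re.compile(r"\bsk-(?!ant-)[0-9A-Za-z_-]{20,}")),
]
# Fallback: any KEY/SECRET/TOKEN/PASSWORD variable whose value looks random.
GENERIC_VAR = re.compile(
    r"^\s*([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)\s*=\s*[\"']?([^\"'\s#]+)"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; machine-generated tokens usually score well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def scan_env(text: str, entropy_threshold: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, variable_name) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no value to leak
        var_name = line.split("=", 1)[0].strip()
        hit = next((name for name, pat in PATTERNS if pat.search(line)), None)
        if hit:
            findings.append((lineno, hit, var_name))
            continue
        m = GENERIC_VAR.match(line)
        # Low-entropy placeholders such as "changeme" deliberately fall through here.
        if m and len(m.group(2)) >= 16 and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_secret", m.group(1)))
    return findings

# Constructed sample .env; every value below is a placeholder, not a live credential.
SAMPLE_ENV = """\
# constructed sample for the scanner
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc
OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz012345
ANTHROPIC_API_KEY=sk-ant-api03-ZZZZZZZZZZZZZZZZZZZZZZZZ
DB_PASSWORD=Tr0ub4dor&3xK9mQ2pLw
SESSION_SECRET=changemechangeme
NEXT_PUBLIC_API_URL=https://api.example.com
"""
```

Running `scan_env(SAMPLE_ENV)` flags the four prefixed keys and the random-looking database password, while the weak placeholder `SESSION_SECRET` and the public URL pass through, which is the trade-off of an entropy threshold.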