Researchers from The DFIR Report recently discovered an exposed command-and-control server that provided a rare look into a massive, AI-assisted exploitation campaign. The operation, led by a single human operator known as “Dr. Tube” (or @BonJoviGoesHard on Telegram), utilized a modular platform called the Bissa scanner to exploit over 900 companies in just a few weeks.
What makes this campaign unique is the integration of advanced AI tools directly into the hacker’s workflow. The operator used Claude Code and OpenClaw to orchestrate attacks, troubleshoot code, and triage the massive influx of stolen data.
The server contained detailed transcripts showing the operator using AI to refine their malicious codebase. Specifically, Dr. Tube used Claude to understand complex exploit modules, troubleshoot misses in the scanning pipeline, and even plan improvements for the scanner.
By using AI-assisted orchestration, the attacker was able to move with unprecedented efficiency:
“This AI-assisted workflow resulted in the modular platform Bissa scanner enabling a broader, structured process for exploiting targets, reviewing results, validating access, and prioritizing the most valuable victim environments.”
At the core of the operation was the large-scale exploitation of CVE-2025-55182, a vulnerability known as React2Shell. The Bissa scanner was capable of scanning millions of internet-facing targets to identify vulnerable systems.
Once a target was compromised, the scanner automatically exfiltrated high-value secrets, particularly .env files. These files often contain the keys to a company’s kingdom, including credentials for AI platforms, cloud services, and payment processors.
The volume of stolen data was huge. Researchers recovered over 30,000 distinct .env files and tens of thousands of unique credentials. While the exploitation was opportunistic, the follow-on activity was highly targeted toward the financial, cryptocurrency, and retail sectors.
Unique Credentials Recovered by Service:
- Stripe: 680+ (the single most validated service)
- AWS: 250+
- OpenAI: 240+
- Google: 240+
- Anthropic: 170+
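A defender who finds one of their .env files in a leak like this needs to know which of its secrets belong to the services the campaign harvested. The following added example (written for this article, not code from The DFIR Report or from the Bissa scanner) parses a dotenv file and maps each recognisable secret to the service where it must be rotated, using the publicly documented key prefixes of the five services listed above; the sample .env and every key value in it are constructed placeholders, and the variable-name fallback is a heuristic assumption, not a documented format.

```python
import re
# Constructed sample .env; every value is a fake placeholder, not recovered data.
SAMPLE_ENV = """STRIPE_SECRET_KEY=sk_live_EXAMPLEexampleEXAMPLE0000
export AWS_ACCESS_KEY_ID="AKIAEXAMPLEEXAMPLE00"
AWS_SECRET_ACCESS_KEY='exampleSecretExampleSecretExampleSecre00'
OPENAI_API_KEY=sk-proj-EXAMPLEexampleEXAMPLEexample
ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLEexampleEXAMPLE
GOOGLE_MAPS_KEY=AIzaEXAMPLEexampleEXAMPLEexampleEXAMPLE
APP_DEBUG=false
"""
# Publicly documented key prefixes, most specific first ("sk-ant-" before "sk-").
PREFIX_RULES = [
    ("Anthropic", ("sk-ant-",)),
    ("OpenAI", ("sk-",)),
    ("Stripe", ("sk_live_", "sk_test_", "rk_live_", "rk_test_")),
    ("AWS", ("AKIA", "ASIA")),
    ("Google", ("AIza",)),
]
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
NAME_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY", re.I)  # heuristic fallback

def parse_env(text: str) -> dict:
    """Parse dotenv-style KEY=VALUE lines; skips comments/blanks, strips quotes."""
    env = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if raw.lstrip().startswith("#") or not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unwrap 'single' or "double" quotes
        env[key] = value
    return env
def classify_secret(value: str):
    """Return the service whose public key prefix the value matches, else None."""
    for service, prefixes in PREFIX_RULES:
        if value.startswith(prefixes):
            return service
    return None
def rotation_report(text: str) -> dict:
    """Map each variable holding a recognisable secret to where it must be rotated."""
    report = {}
    for key, value in parse_env(text).items():
        service = classify_secret(value)
        # prefix rules miss unstructured secrets (e.g. AWS secret access keys); use the name
        if service is None and value and NAME_HINT.search(key):
            service = "unknown service (flagged by variable name)"
        if service:
            report[key] = service
    return report
```

Prefix matching only identifies keys with a structured public format; anything the name-based fallback flags still has to be reviewed by hand, and a clean report does not mean the file held no secrets.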
The operation featured a sophisticated, real-time alerting system built on Telegram. A dedicated bot, @bissapwned_bot, delivered one-line “heartbeats” for every successful compromise directly to the operator.
These emoji-delimited alerts allowed Dr. Tube to triage hundreds of victims at a glance:
“Each line distilled the victim’s identity, runtime context, privilege level, cloud posture, and recoverable secret surface into a single at-a-glance record, allowing the operator to triage hundreds of exploitation events directly from Telegram.”
The Bissa scanner represents a “mature, modular operation” that effectively converts internet-scale scanning into high-value compromises. By automating the discovery and validation of secrets, the attacker can quickly move from initial entry to deep post-compromise collection—stealing everything from financial records and payroll data to CRM databases and sensitive internal communications.