AI-Generated Malware Exploits "React2Shell" in Low-Skill Cyberattack Campaign Darktrace’s CloudyPots honeypot network recently uncovered an active malware campaign leveraging AI-generated tools to exploit the React2Shell vulnerability, marking a concerning evolution in cybercrime tactics. The attack, detected in a misconfigured Docker environment, demonstrates how large language models (LLMs) are lowering the barrier for threat actors to deploy sophisticated exploits with minimal technical expertise. The intrusion began when attackers targeted an exposed Docker daemon a common cloud misconfiguration via its API. The threat actor deployed a container named "python-metrics-collector" to blend in with legitimate services, then installed tools like curl, wget, and python3 to fetch payloads. The attack unfolded in two stages: 1. Dependency Retrieval: A Pastebin URL delivered a list of required Python packages. 2. Payload Execution: A Python script, hosted on a GitHub Gist under the banned user "hackedyoulol", was executed after redirecting from smplu[.]link. Analysis revealed the script was likely AI-generated, featuring verbose comments and an "educational" disclaimer a tactic to bypass LLM safety filters. Tools like GPTZero confirmed 76% of the code was machine-written, with a clean, structured design that exploited React2Shell by forcing exceptions to expose command output. Despite its advanced delivery, the campaign’s goal was simple: cryptocurrency mining. The script deployed XMRig (v6.21.0) to mine Monero (XMR) via the supportxmr pool. While the financial gain was minimal 0.015 XMR (~£5) from 91 infected hosts the operational impact was significant: a low-skilled attacker compromised nearly 100 systems using AI-generated tools. Unlike typical Docker threats, the malware lacked self-propagation capabilities, relying instead on a centralized "spreader server" linked to a residential IP (49[.]36.33.11) in India. This suggests manual or scripted management of the campaign. The incident underscores a critical shift in cyber threats, where AI-driven "vibecoding" enables rapid, custom malware development. For defenders, this highlights the need for behavioral detection and proactive patching, as static signatures may struggle against the endless variations LLMs can produce. Indicators of Compromise (IoCs): - Spreader IP: 49[.]36.33.11 - Malware host: smplu[.]link - Hashes: - 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b - d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d

Hackers are increasingly targeting unprotected 'internet of things' devices such as air condition systems and CCTV to get into corporate networks. A casino was hacked through the thermometer in its lobby aquarium. It expands the attack surface and most of this isn't covered by traditional defenses.