New data suggests a cyber espionage group is laying the groundwork for attacks against major industries.
The "React2Shell" vulnerability is already a few months old, but it's far from over. An unknown but possibly state-sponsored threat actor has been using a newly discovered, maturely named toolkit — "ILovePoop" — to probe tens of millions of Internet protocol (IP) addresses worldwide, looking for opportunities to exploit React2Shell. A report from WhoisXML API, shared with Dark Reading, suggests the threat actor might be out for big game: government, defense, finance, and industrial organizations, among others, around the world but particularly in the United States.
"What's been most striking over the past couple of months is how the threat landscape around this vulnerability has evolved in layers," says Anna Pham, senior hunt and response analyst at Huntress. "The initial wave was dominated by opportunistic, largely automated exploitation — spray-and-pray campaigns deploying cryptominers and botnet payloads. We actually caught attackers running Linux-specific payloads against Windows endpoints, which told us pretty clearly that the automation wasn't even differentiating between target operating systems."
A few months later, the situation has yet to calm down, Pham says. "There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals. It has also been confirmed in ransomware campaigns," she says.
The big difference now is that the attacks have gotten more sophisticated, as the attackers have had more time to game-plan. "The post-exploitation tradecraft has gotten more sophisticated over time. We are seeing things like PeerBlight's use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns," Pham says.
Hackers Go Big Game Hunting
CVE-2025-55182, also known as React2Shell, was first disclosed publicly on Dec. 3, 2025. It's a remote code execution (RCE) vulnerability in React Server Components, which affects untold hundreds of thousands of websites. With no more than a single Web request — sometimes, with no authentication required — attackers can exploit React2Shell to take full control of vulnerable Web servers. That's why it earned a rare, maximum-severity 10 out of 10 in the Common Vulnerability Scoring System (CVSS).
Severe globe-spanning RCE vulnerabilities like React2Shell and Log4Shell offer immense opportunity for hackers. Organizations need to know about these vulnerabilities in order to patch them, so the information must be disclosed publicly. Still, many organizations will inevitably be slow to mitigate them, leaving a wide window for n-day attacks. Within hours of the first React2Shell disclosure, Chinese state-sponsored attackers began exploiting it in cloud and enterprise environments. Suspected state-sponsored actors from Iran and North Korea followed.