AI-Generated Malware Exploits "React2Shell" in Low-Skill Cyberattack Campaign
Darktrace’s CloudyPots honeypot network recently uncovered an active malware campaign leveraging AI-generated tools to exploit the React2Shell vulnerability, marking a concerning evolution in cybercrime tactics. The attack, detected in a misconfigured Docker environment, demonstrates how large language models (LLMs) are lowering the barrier for threat actors to deploy sophisticated exploits with minimal technical expertise.
The intrusion began when attackers targeted an exposed Docker daemon a common cloud misconfiguration via its API. The threat actor deployed a container named "python-metrics-collector" to blend in with legitimate services, then installed tools like curl, wget, and python3 to fetch payloads. The attack unfolded in two stages:
- Dependency Retrieval: A Pastebin URL delivered a list of required Python packages.
- Payload Execution: A Python script, hosted on a GitHub Gist under the banned user "hackedyoulol", was executed after redirecting from smplu[.]link.
Analysis revealed the script was likely AI-generated, featuring verbose comments and an "educational" disclaimer a tactic to bypass LLM safety filters. Tools like GPTZero confirmed 76% of the code was machine-written, with a clean, structured design that exploited React2Shell by forcing exceptions to expose command output.
Despite its advanced delivery, the campaign’s goal was simple: cryptocurrency mining. The script deployed XMRig (v6.21.0) to mine Monero (XMR) via the supportxmr pool. While the financial gain was minimal 0.015 XMR (~£5) from 91 infected hosts the operational impact was significant: a low-skilled attacker compromised nearly 100 systems using AI-generated tools.
Unlike typical Docker threats, the malware lacked self-propagation capabilities, relying instead on a centralized "spreader server" linked to a residential IP (49[.]36.33.11) in India. This suggests manual or scripted management of the campaign.
The incident underscores a critical shift in cyber threats, where AI-driven "vibecoding" enables rapid, custom malware development. For defenders, this highlights the need for behavioral detection and proactive patching, as static signatures may struggle against the endless variations LLMs can produce.
Indicators of Compromise (IoCs):
- Spreader IP: 49[.]36.33.11
- Malware host: smplu[.]link
- Hashes:
- 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b
- d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d
Source: https://cybersecuritynews.com/react2shell-vulnerability-ai-generated-malware/
Darktrace cybersecurity rating report: https://www.rankiteo.com/company/darktrace
Docker, Inc cybersecurity rating report: https://www.rankiteo.com/company/docker
"id": "DARDOC1770731539",
"linkid": "darktrace, docker",
"type": "Vulnerability",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'customers_affected': '91 infected hosts (third-party '
'systems)',
'industry': 'Technology/Cybersecurity',
'name': 'Darktrace (honeypot network)',
'type': 'Cybersecurity Research'}],
'attack_vector': 'Exposed Docker API (misconfiguration)',
'description': 'Darktrace’s *CloudyPots* honeypot network uncovered an active '
'malware campaign leveraging AI-generated tools to exploit the '
'*React2Shell* vulnerability. The attack targeted a '
'misconfigured Docker environment, demonstrating how LLMs '
'lower the barrier for threat actors to deploy sophisticated '
'exploits with minimal technical expertise. The campaign '
'deployed cryptocurrency mining malware (XMRig) via an '
'AI-generated Python script, compromising nearly 100 systems.',
'impact': {'financial_loss': '0.015 XMR (~£5)',
'operational_impact': 'Significant (compromised systems used for '
'mining)',
'systems_affected': '91 infected hosts'},
'initial_access_broker': {'entry_point': 'Exposed Docker daemon API'},
'investigation_status': 'Completed (analysis published)',
'lessons_learned': "AI-driven 'vibecoding' enables rapid, custom malware "
'development, requiring behavioral detection and proactive '
'patching to counter endless variations.',
'motivation': 'Financial gain (cryptocurrency mining)',
'post_incident_analysis': {'corrective_actions': ['Enhance monitoring for '
'AI-generated scripts',
'Improve Docker security '
'configurations'],
'root_causes': ['Misconfigured Docker environment '
'(exposed API)',
'AI-generated malware bypassing '
'traditional defenses']},
'recommendations': ['Implement behavioral detection for AI-generated malware',
'Proactively patch vulnerabilities like React2Shell',
'Secure Docker environments by avoiding exposed APIs'],
'references': [{'source': 'Darktrace CloudyPots Honeypot Network'}],
'response': {'enhanced_monitoring': 'Behavioral detection (Darktrace)'},
'title': "AI-Generated Malware Exploits 'React2Shell' in Low-Skill "
'Cyberattack Campaign',
'type': 'Malware Campaign',
'vulnerability_exploited': 'React2Shell'}