
The findings come from the WXA Internet Abuse Signal Collective (WXA IASC), which correlated NetFlow telemetry, honeypot data, and enrichment datasets to map the infrastructure behind the campaign.
React2Shell was publicly disclosed on December 4, 2025. Within approximately 20 hours, WXA’s Niihama honeypot sensors observed active exploitation attempts.
Early traffic showed attackers using HTTP POST requests carrying a Next-Action: x header, an indicator tied to React Server Actions. Payloads were sent as multipart/form-data with consistent content lengths, targeting paths such as:
- /_next/flight
- /_next/server-actions
- /_react/flight
- /_next/webpack-hmr
- /login and /api/login
Over the first month after disclosure, more than 1,500 exploit attempts were recorded from over 70 unique IP addresses across multiple countries, demonstrating rapid global weaponization.
Centralized Infrastructure and Operator Toolkit
WXA telemetry highlights extreme infrastructure centralization around two Netherlands-hosted IP addresses:
- 193.142.147[.]209
- 87.121.84[.]24
Over a three-month observation window, these systems generated more than 22 million NetFlow records, interacting with millions of distinct source and destination IP addresses.
Independent GreyNoise reporting confirmed that these same IPs accounted for over half of the observed React2Shell exploitation traffic during the monitored period.
One of these hosts, 87.121.84[.]24, was directly tied to a cohesive exploit framework, the ILOVEPOOP toolkit. This toolkit operates across nine scanner nodes hosted on providers in Poland, Germany, Bulgaria, and the Netherlands.
Across a 30-day window, the toolkit generated 672 exploit attempts, all sharing identical characteristics:
- Next-Action: x header
- Static X-Nextjs-Request-Id: poop1234
- Per-request X-Nextjs-Html-Request-Id: ilovepoop_* identifiers
- Payload sizes between 507 and 522 bytes
- A six-path route sweep: /, /_next, /api, /_next/server, /app, /api/route
- A rotating pool of 11 User-Agent strings
This uniform structure strongly suggests a single operator or tightly controlled toolkit rather than independent opportunistic scanners.
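The indicators listed above (and the early-traffic paths listed further up) translate directly into detection logic. The following is an added example, not code from WXA, GreyNoise or the toolkit itself: it scores HTTP request records against the article's indicators (the Next-Action: x header, the static X-Nextjs-Request-Id, the ilovepoop_* per-request id, the 507 to 522 byte multipart payload, the target paths) and flags sources that complete the six-path route sweep. The request records are constructed, and the verdict tiers are this example's own.

```python
"""Score HTTP request records against the React2Shell / ILOVEPOOP indicators
quoted in the article (Next-Action header, static request ids, payload size,
route sweep).  Added example, not WXA, GreyNoise or toolkit code; the request
records below are constructed, and the verdict tiers are this example's own."""
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the article
EARLY_PATHS = {"/_next/flight", "/_next/server-actions", "/_react/flight",
               "/_next/webpack-hmr", "/login", "/api/login"}
SWEEP_PATHS = {"/", "/_next", "/api", "/_next/server", "/app", "/api/route"}
STATIC_REQUEST_ID = "poop1234"
HTML_ID_PREFIX = "ilovepoop_"
PAYLOAD_MIN, PAYLOAD_MAX = 507, 522


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: dict
    content_length: int


def indicators(req):
    """Return the list of article indicators this single request matches."""
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    hits = []
    if req.method.upper() == "POST" and hdrs.get("next-action") == "x":
        hits.append("next-action-x")            # React Server Action marker
    if hdrs.get("x-nextjs-request-id") == STATIC_REQUEST_ID:
        hits.append("static-request-id")
    if hdrs.get("x-nextjs-html-request-id", "").startswith(HTML_ID_PREFIX):
        hits.append("ilovepoop-html-id")
    multipart = hdrs.get("content-type", "").lower().startswith("multipart/form-data")
    if multipart and PAYLOAD_MIN <= req.content_length <= PAYLOAD_MAX:
        hits.append("toolkit-payload-size")
    if req.path in EARLY_PATHS or req.path in SWEEP_PATHS:
        hits.append("known-target-path")
    return hits


def classify(req):
    """Verdict tiers (this example's own): the Next-Action header is required
    for any alert; the toolkit-specific ids upgrade it to a toolkit match."""
    hits = indicators(req)
    if "next-action-x" not in hits:
        return "no-rsc-indicator"
    if "static-request-id" in hits or "ilovepoop-html-id" in hits:
        return "ilovepoop-toolkit"
    return "react2shell-attempt"


def sweep_sources(requests):
    """Sources that sent Next-Action requests to all six sweep paths."""
    seen = defaultdict(set)
    for r in requests:
        if "next-action-x" in indicators(r) and r.path in SWEEP_PATHS:
            seen[r.src_ip].add(r.path)
    return {ip for ip, paths in seen.items() if paths == SWEEP_PATHS}


def toolkit_headers(n):
    # Constructed: the static id plus a per-request ilovepoop_* id
    return {"Next-Action": "x", "Content-Type": "multipart/form-data; boundary=x",
            "X-Nextjs-Request-Id": STATIC_REQUEST_ID,
            "X-Nextjs-Html-Request-Id": f"{HTML_ID_PREFIX}{n:04d}"}


# Constructed sample traffic (RFC 5737 documentation addresses)
SAMPLE = [Request("203.0.113.10", "POST", p, toolkit_headers(i), 507 + i)
          for i, p in enumerate(sorted(SWEEP_PATHS))]
SAMPLE += [
    Request("198.51.100.7", "POST", "/_next/flight",
            {"Next-Action": "x", "Content-Type": "multipart/form-data; boundary=y"}, 640),
    Request("192.0.2.5", "GET", "/login", {"User-Agent": "Mozilla/5.0"}, 0),
]


def report(requests=SAMPLE):
    """Per-source verdict (highest tier seen) plus the route-sweep sources."""
    rank = {"no-rsc-indicator": 0, "react2shell-attempt": 1, "ilovepoop-toolkit": 2}
    best = {}
    for r in requests:
        verdict = classify(r)
        current = best.get(r.src_ip, "no-rsc-indicator")
        if rank[verdict] >= rank[current]:
            best[r.src_ip] = verdict
    return {"verdicts": best, "sweeps": sweep_sources(requests)}


if __name__ == "__main__":
    result = report()
    for ip, verdict in result["verdicts"].items():
        print(f"{ip:15} {verdict}")
    print("route sweep from:", result["sweeps"])
```

The Next-Action header is treated as the gating indicator because the target paths alone (especially "/" and "/api") are far too common to alert on; the static request id and the ilovepoop_ prefix are the cheap, high-confidence signals that tie a request to this specific toolkit, and the route-sweep check catches a node even when the operator changes those ids.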
Multi-Protocol Exploitation and ICS Reconnaissance
In addition to HTTP-based exploitation, the campaign displayed unusual multi-protocol behavior. Honeypot telemetry captured one scanner attempting to deliver a React2Shell payload via a POP3 daemon.
This suggests either:
- A protocol-agnostic exploit engine capable of reusing the same RSC primitive across services
- Or a broad “spray-and-pray” delivery attempting to bypass port-based inspection
Separately, 87.121.84[.]24 conducted short bursts of DNP3 traffic, an industrial control system (ICS) protocol, indicating reconnaissance beyond web targets.
Within U.S.-sourced NetFlow interactions, approximately 65,000 high-confidence records were tied to identifiable organizations after enrichment. The largest exposure categories included:
- SaaS and software platforms
- Retail and eCommerce
- Government agencies
- Education and research
- Healthcare
Importantly, according to WhoisXMLAPI, 669 IPs observed communicating with the Netherlands exploit servers later conducted hostile actions against Niihama honeypots. These included:
- 23,415 SMB attempts
- 17,405 RDP attempts
- 7,772 SSH attempts
- More than 25,000 credential abuse attempts
In 91 cases, NetFlow telemetry detected interaction with exploit infrastructure a median of 45 days before direct honeypot attacks, demonstrating strong early-warning value.
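The early-warning correlation described above can be reproduced on a defender's own data by joining NetFlow contacts with known exploit servers against later attack events from the same source. The following is an added example, not WXA's pipeline: it computes, per source, the lead time between the first contact with one of the two exploit-server addresses the article names and the first honeypot attack, reports the median, and lists sources that have contacted the exploit servers but not yet attacked. All NetFlow and honeypot records are constructed, so the median it produces is this example's, not the article's 45 days.

```python
"""Correlate NetFlow contacts with known exploit servers against later
honeypot attacks from the same source (the early-warning pattern in the
article).  Added example, not WXA's pipeline; every record below is
constructed, and the two server addresses are the ones the article names."""
from datetime import date
from statistics import median

EXPLOIT_SERVERS = {"193.142.147.209", "87.121.84.24"}

# Constructed NetFlow records: (day, source, destination)
NETFLOW = [
    (date(2025, 12, 6), "198.51.100.20", "87.121.84.24"),
    (date(2025, 12, 9), "198.51.100.20", "193.142.147.209"),
    (date(2025, 12, 14), "203.0.113.44", "87.121.84.24"),
    (date(2025, 12, 10), "203.0.113.60", "193.142.147.209"),
    (date(2026, 1, 3), "192.0.2.77", "193.142.147.209"),
    (date(2026, 1, 10), "198.51.100.33", "87.121.84.24"),
    (date(2025, 12, 20), "192.0.2.99", "203.0.113.1"),   # unrelated destination
]
# Constructed honeypot events: (day, source, protocol)
HONEYPOT = [
    (date(2026, 1, 25), "198.51.100.20", "smb"),
    (date(2026, 1, 31), "203.0.113.44", "rdp"),
    (date(2026, 2, 10), "203.0.113.44", "ssh"),
    (date(2026, 1, 19), "203.0.113.60", "ssh"),
    (date(2025, 12, 30), "192.0.2.77", "ssh"),  # attacked before contact: no lead
    (date(2026, 1, 5), "192.0.2.99", "smb"),
]


def first_contacts(netflow):
    """Earliest day each source talked to one of the exploit servers."""
    first = {}
    for day, src, dst in netflow:
        if dst in EXPLOIT_SERVERS and (src not in first or day < first[src]):
            first[src] = day
    return first


def first_attacks(honeypot):
    """Earliest honeypot attack day per source, any protocol."""
    first = {}
    for day, src, _proto in honeypot:
        if src not in first or day < first[src]:
            first[src] = day
    return first


def lead_times(netflow, honeypot):
    """Days from first exploit-server contact to first honeypot attack,
    only for sources where the contact preceded the attack."""
    contacts, attacks = first_contacts(netflow), first_attacks(honeypot)
    return {src: (attacks[src] - day).days
            for src, day in contacts.items()
            if src in attacks and attacks[src] > day}


def watchlist(netflow, honeypot):
    """Sources seen contacting exploit servers with no honeypot attack yet."""
    return set(first_contacts(netflow)) - set(first_attacks(honeypot))


def summary(netflow=NETFLOW, honeypot=HONEYPOT):
    leads = lead_times(netflow, honeypot)
    return {
        "lead_days": leads,
        "median_lead_days": median(leads.values()) if leads else None,
        "watchlist": watchlist(netflow, honeypot),
    }


if __name__ == "__main__":
    s = summary()
    for src, days in sorted(s["lead_days"].items()):
        print(f"{src:15} attacked {days} days after exploit-server contact")
    print("median lead:", s["median_lead_days"], "days")
    print("contacted exploit servers, no attack yet:", sorted(s["watchlist"]))
```

The watchlist is the operationally useful output: a source that has exchanged traffic with known exploit infrastructure but has not yet hit your sensors is a candidate for pre-emptive blocking or elevated logging, which is exactly the lead time the article quantifies.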
The post React2Shell Flaw Weaponized by ILOVEPOOP Attack Framework appeared first on Cyber Security News.
