There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks
ATT&CK techniques detected
T1059.004 Unix Shell
77%
"Mirai shell script and prompted an AI with something like: "wrap this shell script in a Node.js / Next.js executor using base64 obfuscation." The LLM then generated the code structure but "forgot" to actually encode the string. The attacker, lacking the skill to code it th…"
T1059.004 Unix Shell
36%
"non-functional history command suggests the below-average author copy-pasted a generic "pentest cheat sheet" to save time. There is zero attempt to install persistence, download malware, or pivot to other systems, and the verbosity indicates the slinger doesn't care if …"
Summary
Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.