{
  "name": "AI/LLM-Generated Malware Used to Exploit React2Shell",
  "slug": "aillm-generated-malware-used-to-exploit-react2shell",
  "description": "Darktrace identified a likely AI-generated malware sample exploiting the React2Shell vulnerability (CVE-2025-55182) in its honeypot environment. The incident demonstrates how LLM-assisted development lowers the barrier for low-skill attackers to rapidly build working exploitation tooling. The observed attack chain involved spawning a container named 'python-metrics-collector' on an exposed Docker daemon, downloading and executing a Python script, and deploying an XMRig crypto miner; note that the exposed Docker daemon is a distinct exposure from the React2Shell flaw, so both should be treated as remediation items. The sample featured thorough code documentation and lacked typical obfuscation, which Darktrace assessed as indicators of AI generation (a stylistic inference, not definitive attribution). The listed IP address and SHA-256 hashes are the observables associated with this honeypot activity and should be validated in context before being used for blocking. This highlights the growing trend of AI-enabled cyber threats that are now operational and low-barrier, posing new challenges for defenders.",
  "published": "2026-02-10T16:46:07+00:00",
  "created_at": "2026-02-10T16:46:07+00:00",
  "modified_at": "2026-02-11T09:05:21+00:00",
  "created_at_opencti": "2026-02-10T16:46:07+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-10",
    "CVE-2025-55182",
    "ai-generated malware",
    "crypto mining",
    "llm",
    "react2shell",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "49.36.33.11"
      },
      {
        "id": "",
        "name": "594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b"
      },
      {
        "id": "",
        "name": "d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-55182"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "smplu.link"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/698b6edf3ed1fb010015cd2d",
    "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN"
  ]
}