TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The DFIR Report

Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting

editor · 2026-04-22

ATT&CK techniques detected

15 predictions
T1190 Exploit Public-Facing Application (99%)
“file containing targets and a lease file defining the exploit type. These files show the operator obtaining target feeds from zip archives hosted on cs2.ip.thc.org, assigning the cve_2025_55182 module, and deploying a payload intended to enumerate .env files, cloud metadat…”

T1552.001 Credentials In Files (85%)
“of .env files yielding credentials across AI, cloud, payments, messaging, and databases. Artifacts suggest the operator was also validating and prioritizing the most useful access. - The host also exposed Telegram-based alerting and command infrastructure tied to the broader bi…”

T1525 Implant Internal Image (79%)
“application tiers through a logged proxy so a compromised host can’t quietly reach cloud metadata, payment APIs, or attacker infrastructure. - Rotate and detect. Rotate credentials on a schedule, scan source code and built artifacts for embedded secrets, and plant canary tokens…”

T1213.002 Sharepoint (75%)
“the contents showed that this infrastructure was not being used simply to store opportunistically stolen data, but instead supported an organized operation built to acquire access at scale and operationalize the highest-value results. Artifacts on the host showed that react2she…”

T1102 Web Service (65%)
“cluster attributable to Victim C, generalized here as a mid-sized payroll, HR, and stablecoin payments platform, contained payroll, settlement, Fireblocks integration, and HRIS-related material. In both cases (Victim B/C), the initial access path remains unknown. Adversar…”

T1213 Data from Information Repositories (63%)
“the contents showed that this infrastructure was not being used simply to store opportunistically stolen data, but instead supported an organized operation built to acquire access at scale and operationalize the highest-value results. Artifacts on the host showed that react2she…”

T1213.002 Sharepoint (50%)
“. Thank you to Renzon Cruz (@r3nzsec) and Zach Stanford (@svch0st) for their contributions to this report. Disclosure & Contact: Given the sensitivity of the material recovered from this exposed server, we will not be publicly disclosing the associated IP address. Law enforc…”

T1213 Data from Information Repositories (46%)
“Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting. Key Takeaways - We recently discovered an exposed server that was used for multi-victim exploitation, staging, rev…”

T1592.003 Firmware (45%)
“…canner/project show the operator using Claude Code to read the scanner codebase, understand lease and acknowledgement flow, troubleshoot misses, review benchmark output, and document the project well enough to rebuild parts of the acquisition layer. The project outputs includ…”

T1552.004 Private Keys (44%)
“Secrets: The credential haul spanned every tier of modern SaaS, with AI providers emerging as the single largest category. Dumped credentials included the following platform-related keys: By volume, the haul was equally striking: Victims: Next, we highlight three victims whose …”

T1552.001 Credentials In Files (43%)
“Secrets: The credential haul spanned every tier of modern SaaS, with AI providers emerging as the single largest category. Dumped credentials included the following platform-related keys: By volume, the haul was equally striking: Victims: Next, we highlight three victims whose …”

T1074.002 Remote Data Staging (41%)
“. Thank you to Renzon Cruz (@r3nzsec) and Zach Stanford (@svch0st) for their contributions to this report. Disclosure & Contact: Given the sensitivity of the material recovered from this exposed server, we will not be publicly disclosing the associated IP address. Law enforc…”

T1564.001 Hidden Files and Directories (38%)
“. Thank you to Renzon Cruz (@r3nzsec) and Zach Stanford (@svch0st) for their contributions to this report. Disclosure & Contact: Given the sensitivity of the material recovered from this exposed server, we will not be publicly disclosing the associated IP address. Law enforc…”

T1074.001 Local Data Staging (34%)
“, CVSS 9.0). In the module we recovered, only the version-check logic was present, the RCE payload itself was not available, and we did not find evidence of successful exploitation via this module. Data exfiltration via S3: The operator used S3-compatible Filebase as an off…”

T1213 Data from Information Repositories (31%)
“. Thank you to Renzon Cruz (@r3nzsec) and Zach Stanford (@svch0st) for their contributions to this report. Disclosure & Contact: Given the sensitivity of the material recovered from this exposed server, we will not be publicly disclosing the associated IP address. Law enforc…”

Summary

Key Takeaways We identified an exposed server that provided unusual visibility into a large-scale, multi-victim exploitation and collection operation. Artifacts on the host showed that Claude Code and OpenClaw were embedded in the operator’s day-to-day workflow, supporting troubleshooting, orchestration, and refinement of the collection pipeline. This AI-assisted workflow resulted in the modular platform Bissa scanner […]

The post Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting appeared first on The DFIR Report.