- What: Threat actors are using a new toolkit named "ILovePoop" to scan for React2Shell exposure in high-value networks.
- Impact: Organizations are at risk of exploitation via the React2Shell vulnerability.
Attackers Use New Tool to Scan for React2Shell Exposure

Researchers say threat actors wielded the sophisticated — and unfortunately named — toolkit to target high-value networks for React2Shell exploitation.

Nate Nelson, Contributing Writer
Dark Reading, February 20, 2026

New data suggests a cyber espionage group is laying the groundwork for attacks against major industries.

The "React2Shell" vulnerability is now a few months old, but it's far from over. An unknown but possibly state-sponsored threat actor has been using a newly discovered, maturely named toolkit — "ILovePoop" — to probe tens of millions of Internet protocol (IP) addresses worldwide, looking for opportunities to exploit React2Shell. A report from WhoisXML API, shared with Dark Reading, suggests the threat actor might be out for big game: government, defense, finance, and industrial organizations, among others, around the world but particularly in the United States.

"What's been most striking over the past couple of months is how the threat landscape around this vulnerability has evolved in layers," says Anna Pham, senior hunt and response analyst at Huntress. "The initial wave was dominated by opportunistic, largely automated exploitation — spray-and-pray campaigns deploying cryptominers and botnet payloads. We actually caught attackers running Linux-specific payloads against Windows endpoints, which told us pretty clearly that the automation wasn't even differentiating between target operating systems."
A few months later, the situation has yet to calm down, Pham says. "There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals. It has also been confirmed in ransomware campaigns," she says.

The big difference now is that the attacks have gotten more sophisticated, as the attackers have had more time to plan. "The post-exploitation tradecraft has gotten more sophisticated over time. We are seeing things like PeerBlight's use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns," Pham says.

Hackers Go Big Game Hunting

CVE-2025-55182, also known as React2Shell, was first disclosed publicly on Dec. 3, 2025. It's a remote code execution (RCE) vulnerability in React Server Components, which affects untold hundreds of thousands of websites. With no more than a single Web request — sometimes with no authentication required — attackers can exploit React2Shell to take full control of vulnerable Web servers. That's why it earned a rare, maximum-severity 10 out of 10 in the Common Vulnerability Scoring System (CVSS).

Severe, globe-spanning RCE vulnerabilities like React2Shell and Log4Shell offer immense opportunity for hackers. Organizations need to know about these vulnerabilities in order to patch them, so the information must be disclosed publicly. Still, many organizations will inevitably be slow to mitigate them, leaving a wide window for n-day attacks. Within hours of the first React2Shell disclosure, Chinese state-sponsored attackers began exploiting it in cloud and enterprise environments. Suspected state-sponsored actors from Iran and North Korea followed.

WhoisXML API thinks the group it's tracking may also be involved in state-sponsored espionage.
For one thing, researchers say that, despite the name, the ILovePoop toolkit appears rather sophisticated. And, they believe, the actor who wrote the program might not be the same one that deployed it.

The next, circumstantial piece of evidence is the nature of the actor's targeting. Among the more than 37,000 networks it probed are:

- NASA facilities
- The Department of Defense Intelligence Information System, and the Defense Information Systems Agency (DISA)
- The state governments of Vermont and North Carolina
- The city governments of Phoenix, Boston, and San Diego
- Large financial institutions, including the Bank of New York Mellon, Goldman Sachs, Santander US Capital Markets, and JPMorgan Chase
- Major corporations of all kinds, like Salesforce, Netflix, Visa, PayPal, and Disney
- Energy sector organizations, including regional utilities, and possibly more kinds of industrial targets

Pinging a network isn't the same thing as compromising it. Still, the researchers warned that this early stage of reconnaissance has, in some cases, preceded actual attacks. Some IP addresses used to launch React2Shell attacks in recent months first showed up in network telemetry, on average, around 45 days before they pulled the trigger.

React2Shell Patching Issues

Patching a deep-rooted vulnerability like React2Shell isn't as simple as clicking an "Update" button. For one thing, Pham explains, there's a dependency visibility problem specific to the vulnerable React framework Next.js. She explains that "Next.js doesn't include React as a traditional dependency; it bundles it as a 'vendored' package. That means many standard dependency scanning tools don't automatically flag Next.js installations as vulnerable to CVE-2025-55182. Organizations may genuinely not realize they're exposed unless they specifically check for it."

More broadly, she adds that modern deployment environments make patching difficult at scale.
"Applications often run in containerized environments across cloud infrastructure with multiple instances and build pipelines," she says. "Internal tools, shadow IT deployments, and legacy applications built on Next.js that nobody is actively maintaining but are still exposed to the internet all contribute to the long tail of unpatched systems. React2Shell affects default configurations, so even blank Next.js apps created with create-next-app are vulnerable, there are test environments and staging servers out there that people have forgotten about." "And finally, there was genuine confusion early on. A huge number of fake and non-functional proof-of-concept exploits circulated in the days after disclosure, which may have given some security teams a false sense that the vulnerability was overhyped or harder to exploit than it actually is. In reality, the genuine exploit is trivially reliable and requires no authentication whatsoever." It couldn't have helped that, amid all the confusion, React had to publish follow-on updates for extra vulnerabilities that researchers discovered in the days after React2Shell's disclosure. Pham concludes, "This vulnerability has become a staple in multiple threat actors' playbooks, and I don't see exploitation slowing down anytime soon." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. 