A sophisticated threat actor is using a toolkit called "ILovePoop" to scan for servers vulnerable to the critical React2Shell flaw, targeting high-value networks in government, defense, and finance. The attacks have evolved from opportunistic, automated campaigns to more sophisticated operations, with evidence suggesting possible state-sponsored espionage. The React2Shell vulnerability, a maximum-severity remote code execution flaw, continues to be exploited months after its disclosure, impacting tens of thousands of exposed instances.
Attackers Use New Tool to Scan for React2Shell Exposure
Researchers say threat actors wielded the sophisticated — and unfortunately named — toolkit to target high-value networks for React2Shell exploitation.
New data suggests a cyber espionage group is laying the groundwork for attacks against major industries.
The "React2Shell" vulnerability is already almost a few months old, but it's far from over. An unknown but possibly state-sponsored threat actor has been using a newly discovered, maturely named toolkit — "ILovePoop" — to probe tens of millions of Internet protocol (IP) addresses worldwide, looking for opportunities to exploit React2Shell. A report from WhoisXML API, shared with Dark Reading, suggests the threat actor might be out for big game: government, defense, finance, and industrial organizations, among others, around the world but particularly in the United States.
"What's been most striking over the past couple of months is how the threat landscape around this vulnerability has evolved in layers," says Anna Pham, senior hunt and response analyst at Huntress. "The initial wave was dominated by opportunistic, largely automated exploitation — spray-and-pray campaigns deploying cryptominers and botnet payloads. We actually caught attackers running Linux-specific payloads against Windows endpoints, which told us pretty clearly that the automation wasn't even differentiating between target operating systems."
A few months later, the situation has yet to calm down, Pham says. "There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals. It has also been confirmed in ransomware campaigns," she says.
The big difference now is that the attacks have gotten more sophisticated, as the attackers have had more time to gameplan. "The post-exploitation tradecraft has gotten more sophisticated over time. We are seeing things like PeerBlight's use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns," Phams says.
Hackers Go Big Game Hunting
CVE-2025-55182, also known as React2Shell, was first disclosed publicly on Dec. 3, 2025. It's a remote code execution (RCE) vulnerability in React Server Components, which affects untold hundreds of thousands of websites. With no more than a single Web request — sometimes, with no authentication required — attackers can exploit React2Shell to take full control of vulnerable Web servers. That's why it earned a rare, maximum-severity 10 out of 10 in the Common Vulnerability Scoring System (CVSS).
Severe globe-spanning RCE vulnerabilities like React2Shell and Log4Shell offer immense opportunity for hackers. Organizations need to know about these vulnerabilities in order to patch them, so the information must be disclosed publicly. Still, many organizations will inevitably be slow to mitigate them, leaving a wide window for n-day attacks. Within hours of the first React2Shell disclosure, Chinese state-sponsored attackers began exploiting it in cloud and enterprise environments. Suspected state-sponsored actors from Iran and North Korea followed.
WhoisXML API thinks the group it's tracking may also be involved in state-sponsored espionage. For one thing, researchers say that, despite the name, the ILovePoop toolkit appears rather sophisticated. And, they believe, the actor who wrote the program might not be the same one that deployed it.
Its next, circumstantial evidence is the nature of the actor's targeting. Among the more than 37,000 networks it probed are:
NASA facilities
The Department of Defense Intelligence Information System, and Defense Information Systems Agency (DISA)
The state governments of Vermont and North Carolina
The city governments of Phoenix, Boston, and San Diego
Large financial institutions, including the Bank of New York Mellon, Goldman Sachs, Santander US Capital Markets, and JPMorgan Chase
Major corporations of all kinds, like Salesforce, Netflix, Visa, Paypal, and Disney
Energy sector organizations, including regional utilities, and possibly more kinds of industrial targets
Pinging a network isn't the same thing as compromising it. Still, the researchers warned that this early stage of reconnaissance has, in some cases, preceded actual attacks. Some IP addresses used to launch React2Shell attacks in recent months first showed up in network telemetry, on average, around 45 days before they pulled the trigger.
React2Shell Patching Issues
Patching a deep-rooted vulnerability like React2Shell isn't as simple as clicking an "Update" button.
For one thing, Pham explains, there's a dependency visibility problem specific to the vulnerable React framework Next.js. She explains that "Next.js doesn't include React as a traditional dependency, it bundles it as a 'vendored' package. That means many standard dependency scanning tools don't automatically flag Next.js installations as vulnerable to CVE-2025-55182. Organizations may genuinely not realize they're exposed unless they specifically check for it."
More broadly, she adds that modern deployment environments make patching difficult at scale. "Applications often run in containerized environments across cloud infrastructure with multiple instances and build pipelines," she says. "Internal tools, shadow IT deployments, and legacy applications built on Next.js that nobody is actively maintaining but are still exposed to the internet all contribute to the long tail of unpatched systems. React2Shell affects default configurations, so even blank Next.js apps created with create-next-app are vulnerable, there are test environments and staging servers out there that people have forgotten about."
"And finally, there was genuine confusion early on. A huge number of fake and non-functional proof-of-concept exploits circulated in the days after disclosure, which may have given some security teams a false sense that the vulnerability was overhyped or harder to exploit than it actually is. In reality, the genuine exploit is trivially reliable and requires no authentication whatsoever."
It couldn't have helped that, amid all the confusion, React had to publish follow-on updates for extra vulnerabilities that researchers discovered in the days after React2Shell's disclosure.
Pham concludes, "This vulnerability has become a staple in multiple threat actors' playbooks, and I don't see exploitation slowing down anytime soon."
Meridiano
