To Cache A Predator: ILOVEPOOP Toolkit Discovery, Global Traffic & Honeypot Observations Exploiting React2Shell (CVE-2025-55182)

Executive Summary

This report inaugurates To Cache A Predator, a threat research series from the WXA Internet Abuse Signal Collective (WXA IASC) that correlates open and closed source data - including global telemetry, enrichment datasets, and honeypot observations - to track attacker infrastructure and tactics across global networks. This first episode consolidates our current findings on CVE-2025-55182 (“React2Shell”).

Across WXA IASC NetFlow-derived telemetry, U.S. exposure enrichment, and Niihama honeypot data, React2Shell-associated activity shows a coherent campaign defined by:

  • Honeypot-anchored early visibility. Niihama sensors saw exploitation attempts within ~20 hours of the public React2Shell disclosure on December 4, 2025 (UTC), capturing early exploit mechanics and attacker fingerprinting before later overlap analysis.
  • Persistent, active scanning over time. Beyond the initial December exploitation window, Niihama continued to record active React2Shell and Next.js-focused scanning—894 total requests from 43 unique scanner IPs (Jan 5th–Feb 6th 2026)—including targeted probing of /_next/server and large-scale bundle hunting in /_next/static/*.
  • Extreme infrastructure centralization around two Netherlands-hosted systems. WXA IASC observed 22,311,468 NetFlow records involving two Netherlands-hosted nodes and millions of distinct counterparties: 2,951,298 unique source IPs and 14,769,975 unique destination IPs (2025-11-01 to 2026-02-03).
  • Independent corroboration and internal validation. GreyNoise reported these same two IPs accounted for 56% of a week’s React2Shell exploitation traffic hitting their honeypots (https://www.greynoise.io/blog/react2shell-exploitation-consolidates). In WXA IASC data, these IPs were also directly observed interacting with our Niihama honeypots and form the initial, known exploit server set used to analyze counterparties, global traffic patterns, and downstream behavior.
  • A recognizable, single-operator React2Shell toolkit—novel and previously unreported. WXA IASC telemetry reveals a cohesive ILOVEPOOP React2Shell toolkit operating across nine scanner nodes on MEVSPACE, Techoff Srv, 1337 Services, Ititan, and Vpsvault infrastructure. Over a 30-day window this toolkit generated 672 exploit attempts, all sharing the same exploit headers (Next-Action: x, X-Nextjs-Request-Id: poop1234, per-attempt X-Nextjs-Html-Request-Id: ilovepoop_*), a six-path Next.js route sweep, and a shared pool of 11 User-Agents. One of the two Netherlands-aligned core exploitation IPs (87.121.84.24) runs this toolkit, tying the campaign’s most centralized infrastructure directly to a specific, reusable exploit stack. To our knowledge, this toolkit has not been publicly documented prior to this research.
  • Highly distributed U.S. target scanning across thousands of identifiable organizations. After ISP and access-network noise is filtered out and asset ownership is enriched via WXA IASC partner Attaxion, the resulting signal is consistent with automated, large-scale scanning rather than narrow, bespoke targeting.
  • Honeypot-validated hostile behavior and early warning. During the 2025-12-27 to 2026-02-04 Niihama observation window, 669 IPs that communicated with the same exploit servers generated SMB/RDP/SSH/HTTP attacks and credential abuse against WXA IASC’s Niihama honeypot, and many of them appear in NetFlow telemetry weeks before direct hostile interaction.

These findings represent evidence of hostile activity and infrastructure use, not proof of successful compromise of any specific organization.

WXA IASC leverages packet sampling across various partner networks to analyze NetFlow-derived signals. Wherever sampled flow traffic is observed, there is likely significantly more related traffic present upstream in provider PCAP, which defenders may be able to analyze in their own environments. For collaboration or access to supporting data, contact [email protected].

Scope, Data Sources, and Interpretive Frame

This analysis draws on four complementary WXA IASC datasets:

  • Global NetFlow-derived telemetry (2025-11-01 to 2026-02-03)
    Used to quantify interaction scale, infrastructure centralization, protocol/port usage, and geographic dispersion around known React2Shell exploitation servers.
  • U.S. Network exposure enrichment (2025-12-01 to 2026-02-02)
    Collaboration with Attaxion to derive an asset-level exposure signal for identifiable U.S. organizations by combining high-identifiability filtering with RDAP/WHOIS/DNS enrichment and organizational categorization. WXA provides bulk downloads of SSL, IP, RDAP/WHOIS, DNS, and passive DNS datasets that Attaxion’s discovery engine uses for machine-learning–driven entity resolution and IP-to-organization mapping, including differentiation between dedicated and shared IP space.
  • Niihama honeypot interaction logs
    • Early exploitation sample: 2025-12-05 to 2025-12-12 (UTC), focused on detecting initial React2Shell exploit attempts and characterizing scanner infrastructure and tooling.
    • Overlap and multi-protocol behavior: 2025-12-27 to 2026-02-04 (UTC), used to validate hostile intent, characterize post-exploitation behavior (SMB/RDP/SSH/HTTP and credential abuse), and measure NetFlow “seen-first” lead time.

NetFlow shows how traffic moves at scale and which systems interact with known exploit infrastructure; honeypot logs show what hostile sources actually do when they reach exposed services. Together, these views support a coherent infrastructure-and-behavior picture of the React2Shell campaign.

Early Niihama Observations: Exploit Traffic Within 20 Hours of Disclosure

Niihama’s earliest React2Shell-related telemetry captures attackers moving quickly after disclosure, before the broader overlap window analyzed later in this report.

20 Hours from Disclosure to Exploitation

On December 4, 2025 (UTC), the React team publicly disclosed CVE-2025-55182 (“React2Shell”) on the React blog. Within ~20 hours, Niihama sensors began recording exploit attempts against internet-facing honeypots emulating vulnerable Next.js/React Server Components behavior.

Across December 5–8, 2025, one Bulgarian VPS-hosted IP - 85.11.167[.]3 (ASN 213438, ColocaTel Inc., Sofia) - generated 90+ exploit attempts against multiple Niihama nodes.

Observed Attack Pattern

The early activity followed a consistent React Server Actions exploitation pattern:

  • HTTP POST requests over HTTP (tcp/80) and HTTPS (tcp/443)
  • Next-Action: x header (React Server Components / Server Actions indicator)
  • Content-Type: multipart/form-data with varying boundaries
  • Content size ~1099 bytes (consistent payload size)
  • Targeting multiple Next.js endpoints including:
    /_next/flight, /_next/server-actions, /_react/flight, /_next/webpack-hmr
  • Also targeting application login paths such as /login and /api/login

Behaviorally, 85.11.167[.]3 often hit /login endpoints first, then escalated to React/Next-specific paths, indicating a mix of generic reconnaissance and React2Shell-specific probing.

Attacker Fingerprinting

For this Bulgarian scanner, Niihama captured:

  • Source IP: 85.11.167[.]3 (Sofia, Bulgaria; ASN 213438, ColocaTel Inc.—likely VPS/hosting)
  • User Agent: Firefox 89 on Linux (likely spoofed/scanner)
  • JA4 fingerprint: t13i130900_f57a46bbacb6_e7c285222651
  • TLS: TLSv1.3 with TLS_AES_128_GCM_SHA256

These fingerprints provide high-fidelity selectors for defenders hunting for early-stage activity in reverse proxies and TLS logs.

Early Campaign Breadth

Looking beyond the first 72 hours and across the broader early post-disclosure period, Niihama telemetry indicates more than a one-off probe:

  • 70+ unique attacker IPs over roughly the first month of React2Shell exploitation
  • 1,500+ total attack attempts captured
  • Global footprint touching Poland, Bulgaria, France, Germany, Russia, India, China, the U.S., Canada, Laos, Vietnam, and others

This shows both rapid weaponization and fast distribution of scanning across multiple providers and regions.

Recent React2Shell / Next.js Scanning Profile (Jan 5th - Feb 6th 2026)

Beyond the initial December exploitation window, Niihama continues to record active React2Shell and Next.js-focused scanning. Over this Jan 5th–Feb 6th 2026 window, WXA IASC sensors observed:

  • 894 total React2Shell/Next.js-related HTTP requests
  • 43 unique scanner IPs (up from 24 in the prior 7-day slice—nearly 3× the volume)

Endpoint distribution

  • 722 hits on /_next/static/* – bulk scanning for JavaScript bundles, likely to harvest credentials, API keys, or configuration from exposed frontend artifacts
  • 112 hits on /_next/server – direct server component probing aligned with the React2Shell vector
  • 33 hits on /_next/data/* – server-side data route probing
  • 16 hits on /.next/ – exposed build directory crawling

Key scanner clusters

  • Akamai/Linode fleet (~8 IPs, 430+ hits). Distributed across Australia, Japan, India, Singapore, and the UK. These nodes run a consistent enumeration tool against /_next/static/, probing filenames such as secrets.js, env.js, config.js, api.js—behavior consistent with credential and configuration harvesting from bundled JavaScript.
  • MEVSPACE Poland (3 IPs: 95.214.55[.]246, 195.3.222[.]78, 195.3.222[.]218 – 57 hits). Traffic almost exclusively to /_next/server, representing the most React2Shell-specific probing in the set. At least one of these IPs also participates in wide multi-protocol scanning (SMTP, HTTP(S), POP3, LDAP, SOCKS5, DNP3, Modbus, FTP, Telnet, SMB, IMAP), indicating a botnet or toolkit doing both broad service enumeration and targeted Next.js exploitation.
  • Bucklog SARL France (185.177.72.0/24, ~8 IPs, ~52 hits). Probing /_next/data/*/about.json and /_next/static/* with wildcards—structured reconnaissance of Next.js apps that exposes metadata and static assets.
  • Google Cloud (4 IPs across Taiwan, India, Singapore, Hong Kong – 100+ hits). Primarily static chunk enumeration on /_next/static/*, similar in behavior to the Akamai/Linode fleet.
  • Contabo France (3 IPs, ~8 hits). Focused on /.next/ directory probing, checking for fully exposed Next.js build directories.
  • Datacamp, US (37.19.197[.]145). Specifically hunting /_next/.env and /.next/.env, a direct attempt to retrieve environment files.
  • Techoff Srv, Bulgaria (195.178.110[.]223). Targeting .js.map source map files (main.js.map, webpack.js.map, framework.js.map) to reconstruct original source code for deeper analysis or exploit development.

Within this broader set, one cluster dominates React2Shell exploitation itself: the nine-node ILOVEPOOP toolkit, responsible for 672 of the 894 React2Shell/Next.js exploit attempts and described in detail below.

Exploitation Infrastructure: Two Netherlands-Hosted Nodes at the Campaign Core

Across the global dataset, two Netherlands-hosted systems emerge as dominant interaction endpoints associated with React2Shell activity:

  • 193.142.147[.]209 (netname: Colocatel-IP-Range, Netherlands)
  • 87.121.84[.]24 (netname: VPSVAULT.HOST LTD, Netherlands)

GreyNoise independently identified these same two IPs as accounting for 56% of observed React2Shell exploitation traffic on their honeypot sensors during January 26–February 2, 2026. Within WXA IASC telemetry, these two systems anchor virtually the entire observable campaign footprint and act as high-leverage pivots for clustering related activity.

Global Interaction Scale

To study the behavior surrounding this exploitation infrastructure, WXA IASC examined the window between November 1, 2025 and February 3, 2026, in which it observed:

  • 22,311,468 NetFlow records involving these two systems
  • 2,951,298 unique source IPs
  • 14,769,975 unique destination IPs

Statistics by Host

193.142.147[.]209

  • 16,964,571 source-role flows
  • 4,808,222 destination-role flows
  • 21,772,793 combined records

87.121.84[.]24

  • 458,636 source-role flows
  • 80,051 destination-role flows
  • 538,687 combined records

The persistent appearance of these systems as both traffic initiators and receivers is consistent with active exploitation infrastructure rather than passive scanning nodes. Beyond React2Shell, both hosts also appear to be involved in broader malicious activity, described below.

193.142.147[.]209: Multi-Exploit, Mirai-Like Scanning Behavior

Recent Niihama honeypot telemetry shows 193.142.147[.]209 behaving like a multi-purpose IoT/Mirai-style scanner layered on top of its React2Shell role:

  • 2,533 total events over 30 days, split across HTTP, HTTPS, and Telnet
  • HTTP scanning profile:
    • / – 2,484 hits (liveness / banner checks)
    • /cgi-bin/luci/;stok=/locale – 39 hits (OpenWrt/LuCI authentication bypass, CVE-2023-1389, widely used by Mirai variants)
    • /uploads/user – 6 hits (file-upload directory probing)
    • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php – 2 hits (PHPUnit RCE, CVE-2017-9841)
    • /rest/id-pools/executeCommand – 2 hits (REST API command-injection attempts)
  • Telnet sessions (35 hits, Jan 13–16):
    • All login attempts used root / admin default credentials
    • No successful authentication; no commands issued post-auth

This profile is consistent with commodity botnet infrastructure using 193.142.147[.]209 to probe routers, IoT systems, PHP applications, and APIs—while also serving as a high-volume React2Shell exploitation node.

87.121.84[.]24: Confirmed React2Shell Operator with ICS Scanning

By contrast, 87.121.84[.]24 exhibits a clean, high-fidelity React2Shell attack profile combined with industrial control system (ICS) reconnaissance:

  • 104 total events across HTTP (46) and DNP3 (58) over 30 days (Jan 8–Feb 1)
  • Four React2Shell attack waves targeting multiple hosts:
    • Jan 8: 170.64.236[.]219:80 – 30-request sweep
    • Jan 12: 170.64.236[.]219:80 – 6-request repeat sweep
    • Jan 21: 168.119.228[.]133:80 – 6-request sweep
    • Feb 1: 5.223.74[.]251:80 – 4-request partial sweep

Each wave follows a textbook React2Shell methodology: POST with Next-Action: x, multipart WebKit boundaries, X-Nextjs-Request-Id: poop1234 (static), X-Nextjs-Html-Request-Id: ilovepoop_* (unique per attempt), payload size 507–522 bytes, and six-path enumeration per sweep (/, /_next, /api, /_next/server, /app, /api/route). User-Agents rotate across multiple fingerprints.

In addition, 58 DNP3 connections appear in a 30-minute burst on January 20—between the second and third React2Shell waves—indicating that this host also scans ICS protocols. This positions 87.121.84[.]24 as a purpose-built React2Shell operator node embedded in a larger multi-protocol scanning toolkit, and one of the nine nodes in the ILOVEPOOP toolkit cluster described below.

The ILOVEPOOP React2Shell Toolkit (One Operator, Nine Nodes)

Within the 30-day corpus of hosts performing React2Shell scanning, WXA IASC identifies a distinct operator-level toolkit we refer to as the ILOVEPOOP React2Shell toolkit. It accounts for 672 exploit attempts across nine scanner nodes, all exhibiting an identical fingerprint.

Shared Infrastructure Profile

The nine scanner IPs:

  • 95.214.55[.]246 – 222 hits – Poland – MEVSPACE (AS201814)
  • 195.178.110[.]25 – 180 hits – Bulgaria – Techoff Srv (AS48090)
  • 2.58.56[.]147 – 72 hits – Netherlands – 1337 Services (AS210558)
  • 195.3.222[.]78 – 60 hits – Poland – MEVSPACE (AS201814)
  • 195.3.222[.]218 – 60 hits – Poland – MEVSPACE (AS201814)
  • 87.121.84[.]24 – 46 hits – US-registered Vpsvault.host (AS215925), hosted in NL
  • 146.19.24[.]133 – 18 hits – Poland – MEVSPACE (AS201814)
  • 82.23.183[.]131 – 9 hits – Germany – Ititan Hosting (AS214062)
  • 82.23.183[.]144 – 5 hits – Germany – Ititan Hosting (AS214062)

Infrastructure breakdown: four nodes on MEVSPACE (Poland), two on Ititan (Germany), and one each on Techoff (Bulgaria), 1337 Services (Netherlands), and Vpsvault (U.S.-registered).

Identical Exploit Structure

Across all nine nodes:

  • Every request is a POST with Next-Action: x.
  • Content-Type: multipart/form-data with ------WebKitFormBoundaryx* boundaries.
  • Spoofed Next.js internal headers:
    • X-Nextjs-Request-Id: poop1234 (static across all attempts)
    • X-Nextjs-Html-Request-Id: ilovepoop_* (unique per attempt)
  • Payload sizes cluster in the 507–522 byte range.
  • Each exploit wave iterates through the same six paths:
    /, /_next, /api, /_next/server, /app, /api/route
  • Each path gets its own unique ilovepoop_* callback identifier (exploitable endpoints call back with that ID).

Rotating User-Agent Pool

All nine nodes draw from the same pool of 11 User-Agents, rotated in a consistent pattern:

  • Desktop browsers: Chrome/Windows, Edge/Windows, Firefox/Windows, Chrome/Mac, Chrome/Linux, Chrome/ChromeOS
  • Mobile and embedded: Safari/iPhone, Chrome/Android 14 (Galaxy Fold 5), Chrome/Android 10
  • TV/box devices: Fire TV Stick (AFTWMST22), NEO-X5-116A (Android box, he-il locale)

Operational Rotation

The toolkit’s infrastructure evolves over time rather than firing from all nodes at once:

  • Jan 8–21: 95.214.55[.]246 and 87.121.84[.]24 act as main and backup nodes
  • Jan 11–22: 195.3.222[.]78 joins as an additional scanner
  • Jan 20–23: 195.178.110[.]25 becomes the primary node
  • Jan 26–28: 195.3.222[.]218 and 82.23.183[.]144 generate short bursts
  • Feb 2–6: 2.58.56[.]147 takes over as the currently active Netherlands node
  • Feb 4: 146.19.24[.]133 adds a brief burst

Cross-Protocol RSC Deserialization Exploit Attempt: POP3-Carried React2Shell Server Actions Payload (Key Observation)

Niihama telemetry captured one of the ILOVEPOOP hosts - 195.3.222[.]78 - attempting a React2Shell Server Actions exploit aimed at a POP3 daemon. In a bizarre but interesting sequence, the attacker sends probes (including the self-identifying scatological header [pun intended]) to our IMAP sensor and then transmits an HTTP-shaped Server Actions request against POP3.

POST /_next/server HTTP/1.1
Host: <REDACTED>
Content-Length: 522
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile
Safari/537.36
Accept-Encoding: gzip, deflate
Next-Action: x
X-Nextjs-Request-Id: poop1234
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx273429274753
X-Nextjs-Html-Request-Id: ilovepoop_273429274753

------WebKitFormBoundaryx273429274753
Content-Disposition: form-data; name="1_$ACTION_REF_1"

{"THEN":"$1:__PROTO__:THEN","STATUS":"RESOLVED_MODEL","REASON":-1,"VALUE":"
{\"THEN\":\"$B\"}","_RESPONSE":{"_PREFIX":"R
------WebKitFormBoundaryx273429274753
Content-Disposition: form-data; name="0"

"$@0"
------WebKitFormBoundaryx273429274753--

Via our POP3 sensor (React2Shell Server Actions exploit payload):

  • POST with NEXT-ACTION: header — This is the Server Actions indicator and aligns with the React2Shell unauthenticated RCE vector.
  • X-NEXTJS-REQUEST-ID: and X-NEXTJS-HTML-REQUEST-ID: — Spoofed Next.js internal headers, consistent with attempts to mimic or satisfy Next.js / RSC request expectations.
  • CONTENT-TYPE: MULTIPART/FORM-DATA with ------WEBKITFORMBOUNDARYX* boundaries — Multipart formatting consistent with the Server Actions exploitation pattern observed elsewhere, indicating the payload is structured to trigger vulnerable request parsing and downstream deserialization behavior.

RSC deserialization + prototype pollution

  • Payload core:
    {"THEN":"$1:__PROTO__:THEN","STATUS":"RESOLVED_MODEL","REASON":-1,"VALUE":"{\"THEN\":\"$B\"}","_RESPONSE":{"_PREFIX":"R ...

    This structure is consistent with prototype pollution embedded inside an RSC (React Server Components) serialized model:
    • "THEN":"$1:__PROTO__:THEN" — The attacker uses an internal reference ($1) to reach __proto__, injecting into THEN in a way that plausibly targets Promise resolution semantics. In JavaScript, controlling a promise’s .then chain can create execution paths when that promise is resolved or awaited.
    • "STATUS":"RESOLVED_MODEL" — Signals to the Next.js/RSC parser that the object should be treated as already processed/resolved, increasing the chance the server trusts the attacker-supplied object graph and applies it without deeper validation.
    • "REASON": -1 — Negative reason tricks the error handling path.
    • "VALUE":"{\"THEN\":\"$B\"}" — The $B is an RSC Flight reference to a "blob" type, which triggers code execution when the promise chain resolves via the polluted .then().
    • "_RESPONSE": {"_PREFIX": "R" — The R prefix marks this as a "row" in the RSC streaming protocol, causing it to be processed inline.
    • "$@0" — RSC Flight data reference — triggers the Server Action execution with the polluted prototype from field 1. Consistent with how Next.js tracks variables and values across the wire in the RSC/Flight protocol, suggesting the attacker is crafting payloads that “speak native” to internal serialization formats.

The attack flow is: the RSC runtime processes both form fields, field 1 pollutes the prototype chain, then field 2 triggers a server action that — because of the now-polluted .then() on __proto__ — executes attacker-controlled code when the action's Promise resolves.

Why this matters: This is a high-fidelity example of RSC deserialization exploitation (prototype pollution + resolved model manipulation) being aimed via POP3. It is either evidence of a multi-protocol exploitation engine capable of reusing a sophisticated React2Shell primitive across non-HTTP ingress paths, or a sign that the exploitation and delivery mechanisms were created by separate actors, with the exploit being delivered in a “spray and pray” manner by less experienced operators. Either way, the activity demonstrates a protocol-agnostic delivery strategy: by targeting IMAP and POP3 with identical RSC-deserialization primitives, the actor is attempting to discover “shadow” web services or bypass port-specific deep packet inspection (DPI), using unique canary IDs to map successful ingress paths across the entire attack surface.
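As an added example (not code from WXA IASC or the Niihama sensors) serving both the Identical Exploit Structure section above and this payload dissection, the following Python parses a captured request and scores the toolkit indicators the report lists; the host name, the benign action id and both sample requests are constructed.

```python
"""Classify captured HTTP requests against the ILOVEPOOP React2Shell fingerprint.

Added example, not WXA IASC/Niihama code. Indicators checked, as listed in the
report: POST with Next-Action: x, X-Nextjs-Request-Id: poop1234,
X-Nextjs-Html-Request-Id: ilovepoop_*, a ------WebKitFormBoundaryx* boundary,
a 507-522 byte body, one of the six sweep paths, a $ACTION_REF field reaching
into __PROTO__, and a "$@N" Flight reference as the trigger field.
"""
import re

# Six-path sweep the toolkit walks on each wave (as listed in the report).
SWEEP_PATHS = {"/", "/_next", "/api", "/_next/server", "/app", "/api/route"}
ACTION_REF_FIELD = re.compile(r"^\d+_\$ACTION_REF_\d+$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def boundary_of(content_type: str) -> str:
    """Extract the multipart boundary parameter from a Content-Type value ("" if none)."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else ""


def multipart_fields(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value bytes} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":            # preamble or closing delimiter
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode()] = value.strip(b"\r\n")
    return fields


def classify(raw: bytes) -> dict:
    """Score one request against the toolkit indicators and return a verdict."""
    req = parse_request(raw)
    h = req["headers"]
    boundary = boundary_of(h.get("content-type", ""))
    fields = multipart_fields(req["body"], boundary) if boundary else {}
    # Field 1 (e.g. 1_$ACTION_REF_1) carrying a "$1:__PROTO__:..." reference is
    # the prototype-pollution core of the payload dissected in the report.
    proto_field = any(ACTION_REF_FIELD.match(n) and b"__PROTO__" in v.upper()
                      for n, v in fields.items())
    ind = {
        "post_next_action_x": req["method"] == "POST" and h.get("next-action") == "x",
        "request_id_poop1234": h.get("x-nextjs-request-id") == "poop1234",
        "html_request_id_ilovepoop": h.get("x-nextjs-html-request-id", "").startswith("ilovepoop_"),
        "webkit_x_boundary": boundary.startswith("----WebKitFormBoundaryx"),
        "size_in_band": 507 <= len(req["body"]) <= 522,
        "sweep_path": req["path"] in SWEEP_PATHS,
        "proto_pollution_field": proto_field,
        # Field 0 holding a "$@N" Flight reference is what triggers the action.
        "flight_ref_trigger": any(v.strip(b'"').startswith(b"$@") for v in fields.values()),
    }
    # The two spoofed Next.js header values are the toolkit's calling card; a
    # __PROTO__ action reference without them is still a React2Shell-style attempt.
    if ind["post_next_action_x"] and ind["request_id_poop1234"] and ind["html_request_id_ilovepoop"]:
        verdict = "ilovepoop-toolkit"
    elif ind["post_next_action_x"] and ind["proto_pollution_field"]:
        verdict = "react2shell-attempt"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "path": req["path"], "body_len": len(req["body"]),
            "callback_id": h.get("x-nextjs-html-request-id"), "indicators": ind}


def build_sample(boundary_id: str, model: bytes) -> bytes:
    """Construct a request shaped like the report's POP3-carried capture (sample, not a capture)."""
    boundary = "----WebKitFormBoundaryx" + boundary_id
    body = (f'--{boundary}\r\nContent-Disposition: form-data; name="1_$ACTION_REF_1"\r\n\r\n'.encode()
            + model + b"\r\n"
            + f'--{boundary}\r\nContent-Disposition: form-data; name="0"\r\n\r\n"$@0"\r\n--{boundary}--\r\n'.encode())
    head = ("POST /_next/server HTTP/1.1\r\nHost: sensor.example.invalid\r\n"
            f"Content-Length: {len(body)}\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"X-Nextjs-Html-Request-Id: ilovepoop_{boundary_id}\r\n\r\n")
    return head.encode() + body


# Constructed model mirroring the payload core quoted in the report (truncated there).
ILOVEPOOP_MODEL = (b'{"THEN":"$1:__PROTO__:THEN","STATUS":"RESOLVED_MODEL","REASON":-1,'
                   b'"VALUE":"{\\"THEN\\":\\"$B\\"}","_RESPONSE":{"_PREFIX":"R"}}')
ILOVEPOOP_SAMPLE = build_sample("273429274753", ILOVEPOOP_MODEL)

# Constructed benign Server Action call: a real Next-Action value is an action id hash, not "x".
BENIGN_SAMPLE = (b"POST / HTTP/1.1\r\nHost: sensor.example.invalid\r\n"
                 b"Next-Action: 7f2a9c0e1b3d4f5a6b7c8d9e0f1a2b3c4d5e6f70\r\n"
                 b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbCdEf\r\n\r\n"
                 b'------WebKitFormBoundaryAbCdEf\r\nContent-Disposition: form-data; name="1"\r\n\r\n'
                 b'["hello"]\r\n------WebKitFormBoundaryAbCdEf--\r\n')
```

The constructed body is shorter than the 507–522 byte band the report gives, because the payload quoted above is truncated, so size_in_band reads False while the header indicators alone still classify it as the toolkit.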

Netherlands-Hosted Exploit Servers: Scan Targets, Responder Asymmetry, and Regional Signal

Analyzing the two most centralized exploit servers by volume (193.142.147[.]209 and 87.121.84[.]24), the geographic footprint of their React2Shell-associated traffic follows a pattern common to large-scale exploitation campaigns: centralized attacker-controlled infrastructure interacting with globally distributed assets. In this context:

  • Destination-side flows are most consistent with assets being scanned or probed for exploitability.
  • Source-side flows outside the Netherlands may plausibly represent responses from scanned or interacting systems communicating back to attacker-controlled infrastructure, rather than independent attacker scanners.

Source-Side Concentration and Interpretation

Source traffic is overwhelmingly concentrated in the Netherlands (17.51M flows), where the two high-traffic exploitation servers are hosted. Additional source-side traffic appears from the United States (2.34M), Brazil (237K), Germany (211K), and India (168K).

Destination-Side Scan Pressure by Region

Destination traffic gives the clearest view of where scan pressure is applied:

  • United States – 5.33M destination flows (339.79 MB destination bytes)
  • China – 1.33M destination flows; destination bytes (90.55 MB) far exceed source bytes (7.12 MB); concentrated in CMNET
  • Western Europe – especially the United Kingdom (924K destination flows)
  • East Asia – South Korea (1.39M), Japan (676K), Taiwan (88K)
  • Latin America – Brazil appears on both source and destination sides (237K source vs. 122K destination flows); analysis supported by Centinela Security found that much of this scan pressure fell on developer assets of banking, government, and energy & utilities organizations
  • South and Southeast Asia – including the Philippines and India; frequent appearances of port 0 and port 80

Across regions, pronounced destination-heavy distributions and source asymmetry anchored in the Netherlands indicate a campaign focused on exploit discovery and surface enumeration, not confirmed compromise or data exfiltration.

Protocol and Port Characteristics

Protocol mix:

  • TCP: 20,869,935 flows (93.5%)
  • ICMP: 1,401,731 flows (6.3%)
  • UDP: 39,802 flows (0.2%)

Top destination ports:

  • tcp/80: 4,461,525
  • tcp/5555: 2,608,556
  • tcp/443: 2,479,795
  • tcp/23: 1,839,049
  • tcp/0: 1,401,646

The observed traffic indicates a multi-vector campaign leveraging the React2Shell (CVE-2025-55182) RCE as a primary entry point, while simultaneously conducting broad infrastructure reconnaissance. The high volume of TCP/80 and TCP/443 flows likely represents the initial exploit attempts against the Next.js Flight protocol. The significant presence of TCP/5555 (ADB) and TCP/23 (Telnet) suggests a worm-like capability designed for lateral movement into IoT and Android environments (reminiscent of Kimwolf) to establish persistent botnet nodes. Furthermore, the substantial TCP/0 traffic points toward OS fingerprinting and firewall evasion techniques, marking this as a coordinated effort to map internal network architectures and maximize the infection footprint across diverse device types.

Infrastructure Concentration by Netname

Dominant source-side netnames: Colocatel-IP-Range (16,964,571), VPSVAULTHOST (458,647), CLOUDFLARENET (198,845), AKAMAI (174,773), TC3NET (117,380).

Dominant destination-side netnames: Colocatel-IP-Range (4,808,222), CMNET (1,085,353), SK Broadband Co Ltd (1,042,667), Orange-Swiatlowod (494,108), TC3NET (447,368).

Identifiable U.S. Exposure: Asset-Level Signal

Between December 1, 2025 and February 2, 2026, approximately 2.34 million U.S.-sourced NetFlow interactions were observed communicating with the two Netherlands-hosted exploitation servers.

To derive a stronger asset-level exposure signal, WXA IASC applied a high-identifiability filter and incorporated enrichment support from Attaxion. WXA provides bulk downloads of SSL, IP, RDAP/WHOIS, DNS, and passive DNS data; Attaxion’s models use this to resolve which organizations own which IP ranges and to distinguish dedicated corporate space from shared or multi-tenant infrastructure.

High-identifiability dataset:

  • 65,821 NetFlow records
  • 3,420 unique U.S.-sourced netnames

Distribution characteristics:

  • Top 10 netnames: 44.5% of records
  • Top 50 netnames: 67.5%
  • 81.9% of netnames have five or fewer records

Macro-category composition:

  • Commercial & enterprise organizations: 45,550 records (69.2%)
  • Internet & hosting infrastructure providers: 11,979 (18.2%)
  • Government & public sector: 7,409 (11.3%)
  • Financial services: 837 (1.27%)
  • Healthcare: 22 (0.03%)
  • Nonprofit: 24 (0.04%)

Micro-category highlights: SaaS / Software platforms (39,140; 59.5%), Retail & eCommerce (4,091), Workforce management & security platforms (2,977), Government agencies (2,918), ISP customer-assigned address space (2,715), Education & research institutions (2,644), Healthcare & life sciences (1,848), Media & entertainment (1,786), Email security platforms (1,677), Energy & utilities (1,435).

Niihama Honeypot Overlap: Hostile Behavior from React2Shell-Linked Sources

Every IP in the Niihama overlap subset analyzed below was also observed in NetFlow telemetry communicating with the two Netherlands-hosted React2Shell exploitation servers. The overlap set is validated through two independent signal paths—traffic to exploit servers and direct attack activity against exposed services.

Honeypot scope and attack types (2025-12-27 to 2026-02-04 UTC):

  • 669 unique source IPs
  • SMB: 23,415
  • RDP: 17,405
  • SSH: 7,772
  • DNS: 3,860
  • HTTP: 1,882
  • Telnet: 1,338
  • HTTPS: 850

Behavioral tags:

  • Persistent activity: 228 IPs
  • Automated behavior: 69
  • Brute force: 52
  • Credential stuffing: 49
  • SSH brute force: 45
  • High-volume behavior: 38

Credential abuse subset:

  • 101 top source IPs by credential attempts
  • 25,192 cumulative credential attempts
  • 4,060 unique usernames
  • 4,922 unique passwords
  • Top two IPs: 68.8% of credential attempts; top ten: 83.4%

Example Niihama-Sourced IP Address IoCs

Based on Niihama telemetry (2025-12-27 to 2026-02-04 UTC) and WXA IASC threat scoring, the following 15 IP addresses stand out as high-priority indicators.

  • 161.97.166[.]188 – France – Contabo GmbH – HTTP/80, Telnet/23, HTTPS/443
  • 148.227.3[.]232 – Mexico – TOTAL PLAY TELECOMUNICACIONES SA DE CV – SSH/22
  • 74.136.201[.]211 – United States – TWC-10796-MIDWEST – SSH/22
  • 179.191.39[.]221 – Brazil – MHNET TELECOM – SSH/22
  • 77.46.170[.]18 – Serbia – TELEKOM SRBIJA a.d. – HTTP/80, Telnet/23
  • 197.167.196[.]178 – Egypt – LINKdotNET – SMB/445
  • 167.86.125[.]252 – France – Contabo GmbH – Redis/6379
  • 38.242.211[.]249 – France – Contabo GmbH – Redis/6379
  • 207.180.209[.]181 – France – Contabo GmbH – Telnet/23
  • 1.9.126[.]241 – Malaysia – TM Technology Services – Telnet/23
  • 103.147.173[.]250 – India – Digiking Communications Pvt Ltd – SMB/445
  • 210.86.225[.]196 – Vietnam – Netnam Company – SMB/445
  • 213.74.71[.]56 – Türkiye – Superonline İletişim Hizmetleri A.Ş. – Telnet/23
  • 136.0.188[.]55 – United States – EGIHOSTING – HTTP/80, HTTPS/443
  • 142.111.93[.]233 – United States – EGIHOSTING – HTTP/80, HTTPS/443

The full list of 669 Niihama-sourced IPs observed in this overlap set is available on request by contacting [email protected]. Members of the WXA Internet Abuse Signal Collective have already received this report and the complete Niihama IP list via email.

NetFlow “Seen-First” Early-Warning Value

In 91 cases, IPs that later attacked the Niihama honeypot were first observed in NetFlow telemetry during the observation window from 2025-11-01 to 2026-02-04:

  • Median lead time: 45.6 days
  • Mean lead time: 41.7 days
  • Range: 1.5 to 86.3 days
  • NetFlow earliest first-seen exhibiting similar behavior: 2025-11-01 (UTC) 
  • Niihama first-seen window: 2025-12-27 to 2026-02-04 (UTC)
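The "seen-first" computation described above, as an added example (not WXA IASC code): for each IP that later attacked the honeypot, take its earliest NetFlow record with either exploit server and its earliest honeypot event, and report the lead in days. The flow and honeypot records below are constructed samples with documentation-range counterparty IPs and hypothetical timestamps.

```python
"""NetFlow "seen-first" lead time against honeypot first contact.

Added example, not WXA IASC code. An IP counts as a seen-first case only if it
appeared in a flow with one of the two exploit servers strictly before its
first hostile event on the honeypot; IPs never seen with an exploit server, or
seen there only after attacking, are excluded. Sample records are constructed.
"""
from datetime import datetime, timezone
from statistics import mean, median

# The two Netherlands-hosted exploitation nodes named in the report.
EXPLOIT_SERVERS = {"193.142.147.209", "87.121.84.24"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed NetFlow-style records: (timestamp UTC, src, dst).
NETFLOW = [
    ("2025-11-03 08:00", "198.51.100.10", "193.142.147.209"),
    ("2025-11-20 12:30", "198.51.100.10", "87.121.84.24"),     # later sighting, not the first
    ("2025-12-15 00:00", "203.0.113.7", "87.121.84.24"),
    ("2026-01-10 06:00", "193.142.147.209", "198.51.100.44"),  # exploit server initiated
    ("2026-01-30 00:00", "192.0.2.99", "192.0.2.100"),         # no exploit server involved
    ("2026-02-03 00:00", "203.0.113.200", "193.142.147.209"),  # only after honeypot contact
]

# Constructed honeypot events: (timestamp UTC, src, protocol).
HONEYPOT = [
    ("2025-12-28 08:00", "198.51.100.10", "ssh"),
    ("2026-01-02 12:00", "203.0.113.7", "smb"),
    ("2026-01-12 18:00", "198.51.100.44", "rdp"),
    ("2026-01-20 00:00", "192.0.2.99", "telnet"),
    ("2026-02-01 00:00", "203.0.113.200", "http"),
]


def netflow_first_seen(flows) -> dict:
    """Earliest time each counterparty IP appeared in a flow with an exploit server."""
    seen = {}
    for ts, src, dst in flows:
        if src in EXPLOIT_SERVERS:
            other = dst
        elif dst in EXPLOIT_SERVERS:
            other = src
        else:
            continue
        t = parse_ts(ts)
        if other not in seen or t < seen[other]:
            seen[other] = t
    return seen


def honeypot_first_seen(events) -> dict:
    """Earliest hostile event per source IP on the honeypot."""
    seen = {}
    for ts, src, _proto in events:
        t = parse_ts(ts)
        if src not in seen or t < seen[src]:
            seen[src] = t
    return seen


def lead_times(flows, events) -> dict:
    """Days (rounded to 0.1) by which the flow signal preceded the first honeypot attack, per IP."""
    nf, hp = netflow_first_seen(flows), honeypot_first_seen(events)
    leads = {}
    for ip, attacked_at in hp.items():
        if ip in nf and nf[ip] < attacked_at:
            leads[ip] = round((attacked_at - nf[ip]).total_seconds() / 86400, 1)
    return leads


def summarize(leads: dict) -> dict:
    """Case count, median, mean and range, the figures the report gives for its 91 cases."""
    vals = list(leads.values())
    return {"cases": len(vals), "median_days": round(median(vals), 1),
            "mean_days": round(mean(vals), 1), "min_days": min(vals), "max_days": max(vals)}


if __name__ == "__main__":
    leads = lead_times(NETFLOW, HONEYPOT)
    print(leads)
    print(summarize(leads))
```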

Consolidated Takeaways

Infrastructure and exposure

  • Anchor on the Netherlands exploit servers.
  • Treat these IPs as high-confidence pivots.
  • Expect wide, ecosystem-level exposure.

Behavior and toolchains

  • Watch for multi-surface follow-on behavior.
  • Track exploit toolkits, not just addresses.

Detection, hunting, and collaboration

  • Operationalize flow as early warning.
  • Honeypots matter early and late.

These findings cover WXA IASC telemetry and honeypot data from 2025-11-01 through 2026-02-06 and should be interpreted as a time-bounded view of a still-evolving campaign.

WXA IASC Collaboration

Special thanks to WXA IASC partners (especially Attaxion and Centinela Security) who contributed data, visibility, and analyst hours assisting this research and the Mayhem AI Corporation for honeypot research and analysis.

We are particularly interested in collaborating with:

  • CERTs and national CSIRTs who can correlate these indicators with local incident data or provide PCAP/log samples involving the Netherlands exploitation IPs or ILOVEPOOP signatures.
  • Enterprise defense and product teams who want to co-design detection content (e.g., HTTP/WAF rules, JA4/TLS hunting, NetFlow-based detections) for React2Shell and related toolkits.
  • Threat intel and research groups who can bring additional vantage points—especially regional providers in underrepresented geographies or environments with deep ICS visibility.

To learn more about WXA IASC, gain access to full indicators of compromise, bulk data, supporting research, or collaboration on related projects, contact:

WXA Internet Abuse Signal Collective (WXA IASC)
📩 [email protected]

Ed Gibbs – VP Research, WhoisXML API
Michael Kaparos – DevSecOps; Threat Researcher, WhoisXML API
Mengchen Qu – Data Engineering, WhoisXML API
Alex Ronquillo – VP Product, WhoisXML API
