← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
AI/LLM-Generated Malware Used to Exploit React2Shell
WHITE PetrP.73 2026-02-16 Modified: 2026-03-18
22
IOCs
MEDIUM VOLUME
Recent observations from Darktrace's honeypot network, "CloudyPots," highlight the use of AI-generated malware exploiting vulnerable Docker environments, specifically the Docker daemon exposed without authentication. This configuration allows attackers to discover the daemon and create containers through the Docker API, establishing initial access to the system. The central component of the intrusion was a Python payload that acted as the execution mechanism. The payload was notably obfuscated, indicating a deliberate effort to disguise its functionality. Throughout the malware sample, there was a lack of embedded spreading logic, which is typically found in Docker malware. This omission suggests that the attackers utilized a separate remote spreading tool instead.
ip addressfebruarybeyondtrustcompromisepossiblethreat researchdarktracerare externalactivityc2 serverconceptsuspiciousdocker api
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (22)
All URL CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
URL https://smplu.link/dockerzero. 2026-02-16
CVE CVE-2025-55182 2026-02-16
CVE CVE-2026-1731 2026-02-16
FileHash-MD5 02c5553a3de69f61b656a9d7d225a7a6 MD5 of b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7 2026-02-16
FileHash-MD5 141b28863cf639c0a0dd563344101f24 2026-02-16
FileHash-MD5 64a8e1b26e28ba1803e526da04382ef7 MD5 of 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b 2026-02-16
FileHash-MD5 f6498abb9d984c298b36f42cd7236c98 MD5 of d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d 2026-02-16
FileHash-SHA1 07ddc6bb5edac4e9fe5be96e7ab60eda0f9376c3 2026-02-16
FileHash-SHA1 0d3f103011c77e89bbbc15bf16c2e13278256c1d SHA1 of 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b 2026-02-16
FileHash-SHA1 28df16894a6732919c650cc5a3de94e434a81d80 2026-02-16
FileHash-SHA1 32761dfbe7ba4c22839186d341e9d6f1b896a71a SHA1 of d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d 2026-02-16
FileHash-SHA1 35da45aeca4701764eb49185b11ef23432f7162a 2026-02-16
FileHash-SHA1 b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7 2026-02-16
FileHash-SHA256 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b 2026-02-16
FileHash-SHA256 d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d 2026-02-16
FileHash-SHA256 fac2204181b99b3471f9ead751684b2beeb2846764a38c6a38e3fe39175ff373 SHA256 of b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7 2026-02-16
URL http://134.122.13.34:8979/c 2026-02-16
URL http://195.154.119.194/index.js 2026-02-16
URL http://217.76.57.78:8009/index.js 2026-02-16
domain requests.post 2026-02-16
domain smplu.link 2026-02-16
hostname avg.domaininfo.top 2026-02-16
References (1)
↗ https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell