NOTE: This is not a technical breakdown of the React2Shell vulnerability, as that has already been covered by Trend Micro. The activity described here is currently unattributed to any known threat group or APT group.
While investigating the React2Shell RCE exploit (CVE-2025-55182), I came across an interesting directory where potential victims were listed in a file named “next_target”, which includes popular names like Lululemon, Starbucks, OpenAI, etc.
- INTRODUCTION: CVE-2025-55182 [CVSS 10]
- ROOT CAUSE
- ANCHOR POINT: OPEN DIR
- CVE-2025-55182.YAML
- FINDING VICTIMS
- POTENTIAL TARGETS IDENTIFIED
- ATTACKER INFRASTRUCTURE HUNT: SEX.SH
- CVE-2025-55182 IN NEXT.JS APPS
- MONERO MINING (XMRIG): SEX.SH
- SHALLOW DECODE
- XMR WALLET ADDRESSES: REACT2SHELL EXPLOIT
- RESOLUTION
- CONCLUSION
- VICTIM LIST

This article covers the potential targets identified, along with mapping Attacker Infrastructure.
INTRODUCTION: CVE-2025-55182 [CVSS 10]
A pre-authentication Remote Code Execution (RCE) vulnerability affects React Server Components in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the packages:
react-server-dom-webpack
react-server-dom-turbopack
react-server-dom-parcel
ROOT CAUSE
The flaw exists because these versions unsafely deserialize untrusted HTTP request payloads sent to Server Function (Server Actions) endpoints, allowing an unauthenticated attacker to execute arbitrary code on the server. In short, it is insecure deserialization in the React Server Components (RSC) Flight protocol.
React Server Components (RSC) and the mentioned packages improperly deserialize JSON payloads sent to Server Function endpoints. An attacker can supply a crafted payload via HTTP request — without authentication — that causes the server to execute arbitrary JavaScript code, leading to full RCE.
ANCHOR POINT: OPEN DIR
On December 4, AssetNote released a public tool called “React2Shell Scanner” to identify unpatched servers vulnerable to React2Shell. It quickly became a go-to tool for cyber criminals to weaponize and find potential targets.
While investigating the React2Shell RCE, I found an open directory containing files such as CVE-2025-55182.yaml, domains.txt, script.sh, etc.
URL: http://154.61.77.105:8082/
IP: 154.61.77.105
COUNTRY: INDIA
ASN: 135175
Organization: Facts Online Pvt Ltd
This section discusses the possible future targets aggregated by a threat actor, found in the file “next_target”, which is referenced by a scanning tool present among the files on the hosting server.

- 35,423 Domains are on the list titled “Domains”
- 596 URLs are on the list in a file titled “Next Target” including Starbucks, Porsche, Lululemon etc

NOTE: This can be confirmed as a threat actor’s open directory, since scanned domains and upcoming potential targets are included in the lists.
Now, let’s proceed with Victim Mapping, and then we will return to Attack Infrastructure Hunting.
CVE-2025-55182.YAML
Here is the PoC released for the React2Shell exploit:

While inspecting the above code, an interesting detail was found: a boundary string, WebKitFormBoundaryx8jO2oVc6SWP3Sad. This boundary string is commonly used by Chinese shells in general, but gained notoriety with the React2Shell exploit.
NOTE: A multipart/form-data boundary string is a unique marker generated by the browser to separate parts (fields and files) in HTTP file upload requests.
FINDING VICTIMS
While scanning for a parameter from the CVE-2025-55182 YAML file, the boundary string “WebKitFormBoundaryx8jO2oVc6SWP3Sad” was found. Notably, the same string appears on 708 unique hosts according to a FOFA scan.

One of the infected pages looks like this:

When I queried the same parameter in Censys, it returned 500+ results.

As we have seen, multiple results came up for the same boundary string. It can be concluded that the requests are being sent by a script, tool, or automated agent that reuses the same hardcoded boundary (or replays a captured request), as normal browsers never reuse the same boundary across different page loads or submissions.
It is also interesting to note that most of the identified victims are running Server: ZK Web Server.
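The boundary-reuse reasoning above can be turned into a log check. The following is an added example, not code from the open directory or from the original article: it flags requests carrying the boundary string reported here and, more generally, any boundary value that recurs across requests. It assumes a hypothetical JSON-lines request log that records the request Content-Type; the field names, the second boundary value and the sample addresses are constructed.

```python
import json
import re
from collections import defaultdict

# Boundary string reported on this page.
KNOWN_BOUNDARY = "WebKitFormBoundaryx8jO2oVc6SWP3Sad"
BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


def _rec(src, path, ctype):
    """Build one constructed log line (hypothetical field names)."""
    return json.dumps({"src": src, "path": path, "content_type": ctype})


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
MP = "multipart/form-data; boundary="
SAMPLE_LOG = "\n".join([
    _rec("198.51.100.7", "/", MP + "----" + KNOWN_BOUNDARY),
    _rec("198.51.100.7", "/login", MP + "----" + KNOWN_BOUNDARY),
    _rec("203.0.113.44", "/", MP + "----" + KNOWN_BOUNDARY),
    # Browser-like traffic: a fresh boundary for every submission.
    _rec("192.0.2.10", "/upload", MP + "----WebKitFormBoundaryQ1w2E3r4T5y6U7i8"),
    _rec("192.0.2.10", "/upload", MP + "----WebKitFormBoundaryZ9x8C7v6B5n4M3a2"),
    _rec("192.0.2.55", "/api", "application/json"),
    "truncated line {",
    # A different tool with its own hardcoded (quoted) boundary.
    _rec("203.0.113.9", "/a", MP + '"constructed-static-0001"'),
    _rec("203.0.113.9", "/b", MP + '"constructed-static-0001"'),
    _rec("203.0.113.9", "/c", MP + '"constructed-static-0001"'),
])


def extract_boundary(content_type):
    """Return the multipart boundary without its leading dashes, or None."""
    if not content_type or "multipart/form-data" not in content_type.lower():
        return None
    match = BOUNDARY_RE.search(content_type)
    return match.group(1).lstrip("-") if match else None


def analyse(log_text, reuse_threshold=3):
    """Return (requests using KNOWN_BOUNDARY, boundaries seen >= threshold times)."""
    known_hits = []
    seen = defaultdict(list)  # boundary -> list of source addresses
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the run
        if not isinstance(rec, dict):
            continue
        boundary = extract_boundary(rec.get("content_type"))
        if boundary is None:
            continue
        seen[boundary].append(rec.get("src"))
        if boundary == KNOWN_BOUNDARY:
            known_hits.append((rec.get("src"), rec.get("path")))
    reused = {
        b: {"requests": len(srcs), "sources": sorted(set(srcs))}
        for b, srcs in seen.items()
        if len(srcs) >= reuse_threshold
    }
    return known_hits, reused


if __name__ == "__main__":
    hits, reused = analyse(SAMPLE_LOG)
    for src, path in hits:
        print(f"known boundary from {src} -> {path}")
    for boundary, info in reused.items():
        print(f"reused boundary {boundary}: {info}")
```

The reuse check does not depend on knowing the string in advance, so it also surfaces other tooling that hardcodes its own boundary.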

POTENTIAL TARGETS IDENTIFIED
While inspecting the Next Target file, a few interesting details about this campaign were found:
There are 21 Fintech companies targeted
There are 14 Food & Beverage companies targeted
Some of the targets include AI companies, sports and entertainment, etc. Here is the list of Fintech and Food/Beverage companies in the attacker's list:
FINTECH
=======
ACORNS
AFTERPAY
BINANCE
BITGO
BITPANDA
BLOCKCHAIN
BYBIT
CHIME
CLEARPAY
CLOVER
COINDESK
CONSENSYS
CURRENCYCLOUD
FISERV
KUCOIN
NUBANK
PIXPAY
SWAPCARD
SYFE
UPHOLD
ZOOP.BR
FOOD
====
BISTRO.SK
BLUEAPRON
IFOOD
JUST-EAT
KINDER
LIEFERANDO
STARBUCKS
TAKEAWAY
TASTY REWARDS
THINK GLOBAL HEALTH
TROUW
SMARTSHOP
SKIPTHEDISHES
ZAPKA
Apart from this, there are other companies listed, such as Lululemon, Porsche, OpenAI, etc.
The whole IOCs can be found at the end of this article, tagged as Victim IPs.
ATTACKER INFRASTRUCTURE HUNT: SEX.SH
While hunting for the React2Shell exploit, I came across a common pattern in which a file named sex.sh is used by attackers for cryptomining (XMRIG) alongside the React2Shell exploit. This is documented by multiple security companies, such as Datadog and Huntress.
Upon focusing on sex.sh, I came across a few hosts where this file/config resides:
These are the potential IPs that host Monero (XMR) Mining along with React2Shell Exploit.
Here are the WHOIS details of the above-listed IPs.

Most of them are geo-located to different countries, which makes them unique entries. Only ASN 8075 appears twice.
Here are the command instructions found in the sex.sh file:

MD5: ddbbd528c3d0bcdd39617676c85dde33
Active Since: 15th October 2025
IP: 209.141.49.251

Multiple sex.sh files were found, and the one above is just one example. The commands and code vary between files, as covered in the coming section.
CVE-2025-55182 IN NEXT.JS APPS
Upon scanning script.sh (from the open directory), the following command was found:
waybackurls $1 | grep "_next/static" | cut -d "/" -f1,2,3 | sort -u | uniq | tee -a next_target.txt
This command is a common one-liner used in bug bounty hunting and web application reconnaissance to discover potentially interesting domains/subdomains of a target that are running Next.js applications by mining historical URLs from the Wayback Machine.
MONERO MINING (XMRIG): SEX.SH
During a deep dive, multiple “sex.sh” files were found with different Monero wallets.

One of them looks like this:

SHALLOW DECODE
Let’s decode a 4-line command from the above snippet, just to be sure of what it really does:
TAR_FILE="kal.tar.gz"
EXTRACT_DIR="xmrig-6.24.0"
SERVICE_NAME="system-update-service"
ARGS="--url pool.supportxmr.com:8080 --user 89Zr4vPaS8yTYRQE54tK1QGKRpsYZ6eJJYynfpfBf1zmLHECaskMPwd3wuTnQ4SYQ7QLkwVN8ur2QTQi9wkKMaCr2iXKa7j --pass sx --donate-level 0"
SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
Let’s break down each parameter:
pool.supportxmr.com:8080 → A real, public Monero mining pool (SupportXMR)
Wallet address → 89Zr4vPaS8yTYRQE54tK1QGKRpsYZ6eJJYynfpfBf1zmLHECaskMPwd3wuTnQ4SYQ7QLkwVN8ur2QTQi9wkKMaCr2iXKa7j
Password: sx → Just a worker/rig identifier (a reference to sex.sh)
--donate-level 0 → Disables XMRIG's built-in dev donation (normally 1%)
SERVICE_FILE="/etc/systemd/system/system-update-service.service" → The script creates a fake systemd service called “system-update-service” that runs the miner in the background and auto-starts on boot.
It’s a malicious Linux persistence script of the kind commonly used by cryptomining botnets.
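For host triage, the parameters decoded above translate into a check on systemd unit files. This is an added example, not taken from sex.sh or the original article: it parses the ExecStart lines of unit files and reports units whose command line combines several miner indicators. The unit file contents, the /opt install path and the placeholder wallet are constructed, and the wallet regex is a shape heuristic (95 base58 characters starting with 4 or 8).

```python
import re
import shlex

# Shape heuristic for a standard Monero address or subaddress.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# host:port, optionally with a scheme such as stratum+tcp://
POOL_ENDPOINT = re.compile(r"^(?:[a-z0-9+]+://)?[A-Za-z0-9.-]+:\d{2,5}$")

PLACEHOLDER_WALLET = "8" + "A" * 94  # constructed, not a real wallet

# Constructed unit files. The service name mirrors the one described on this
# page; the install path under /opt is an assumption.
SAMPLE_UNITS = {
    "system-update-service.service": "\n".join([
        "[Unit]",
        "Description=System Update Service",
        "[Service]",
        "ExecStart=/opt/xmrig-6.24.0/xmrig --url pool.supportxmr.com:8080 \\",
        "    --user " + PLACEHOLDER_WALLET + " --pass sx --donate-level 0",
        "Restart=always",
        "[Install]",
        "WantedBy=multi-user.target",
    ]),
    "nginx.service": "\n".join([
        "[Service]",
        "ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'",
    ]),
    # One weak indicator only (a host:port after --url): stays below threshold.
    "exporter.service": "\n".join([
        "[Service]",
        "ExecStart=/usr/local/bin/exporter --url localhost:9100",
    ]),
}


def exec_start_commands(unit_text):
    """Return ExecStart command lines, joining backslash continuations."""
    commands, pending = [], ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ExecStart" and value.strip():
            # Drop systemd's special executable prefixes (-, @, +, !, :).
            commands.append(value.strip().lstrip("-@+!:"))
    return commands


def miner_indicators(command):
    """Return the set of miner indicators present in one command line."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    if not argv:
        return set()
    found = set()
    if "xmrig" in argv[0].lower():
        found.add("xmrig-binary")
    for i, arg in enumerate(argv[1:], start=1):
        name, eq, value = arg.partition("=")
        if not eq:  # value supplied as the next argument
            value = argv[i + 1] if i + 1 < len(argv) else ""
        if name == "--donate-level":
            found.add("donate-level")
        elif name in ("--url", "-o") and POOL_ENDPOINT.match(value):
            found.add("pool-endpoint")
        elif name in ("--user", "-u") and MONERO_ADDR.match(value):
            found.add("monero-wallet")
    return found


def triage(units, threshold=2):
    """Map unit name -> sorted indicators for units at or above the threshold."""
    flagged = {}
    for name, text in units.items():
        indicators = set()
        for command in exec_start_commands(text):
            indicators |= miner_indicators(command)
        if len(indicators) >= threshold:
            flagged[name] = sorted(indicators)
    return flagged


if __name__ == "__main__":
    for unit, indicators in triage(SAMPLE_UNITS).items():
        print(unit, indicators)
```

On a live host the same functions can be fed the contents of the files under /etc/systemd/system instead of the constructed samples.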
XMR WALLET ADDRESSES: REACT2SHELL EXPLOIT
While mapping the exploit to XMR mining activity, 4 Monero wallets were found:
8BWy7pgane96sLATF7nESM4ehZEtYAFNpYFAm88zftVsJ5jxFBdGVBrd1igptedXejfomPEpJvGUKU1etmkNBXmU5HkPR6e: http://40.113.172.145/EdgeConsulting/frontend/sex.sh
85UXW36JS78ZzZUw4XRJ1mHEsMAc6vHr2hBU7rvRv9y44Uk4Vo9fyq6LFDuckHZb2HTZpcYYaDdd73jS1oywAndGJxmKP9X: http://48.216.241.15/newsite/sex.sh.2
88tGYBwhWNzGesQs5QkwE1PdBa1tXGb9dcjxrdwujU3SEs3i7psaoJc4KmrDvv4VPTNtXazDWGkvGGfqurdBggvPEhZ43DJ: http://177.84.130.195/sex.sh
89Zr4vPaS8yTYRQE54tK1QGKRpsYZ6eJJYynfpfBf1zmLHECaskMPwd3wuTnQ4SYQ7QLkwVN8ur2QTQi9wkKMaCr2iXKa7j: http://177.84.130.195/sex.sh.2
There could be more sex.sh files which are NOT related to the React2Shell exploit. This can be checked by tracing their modified/uploaded dates in the directory.
NOTE: Most of the sex.sh files were uploaded/hosted on 5th December 2025. However, the earliest file can be traced to October 2025, as covered earlier in this research.
RESOLUTION
As per NextJS.org, the following versions are patched:
15.0.5
15.1.9
15.2.6
15.3.6
15.4.8
15.5.7
16.0.7
If you are running a vulnerable component in production, you are advised to patch it soon, before your CPU usage spikes from cryptomining activity.
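To check a project against the versions named in this article, the following added example (not part of the original article or of any Next.js tooling) walks the "packages" map of an npm package-lock.json and reports every installed copy, including nested ones, of next that is below the patched release listed above for its release line, and of the three react-server-dom-* packages at an affected version. The lockfile content and package paths are constructed; release lines not listed on this page are reported as "line-not-listed" rather than judged.

```python
import json
import re

# Affected React Server Components package versions, as listed on this page.
AFFECTED_RSC_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
}
# Patched Next.js releases from this page: (major, minor) -> first patched patch.
PATCHED_NEXT = {
    (15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6,
    (15, 4): 8, (15, 5): 7, (16, 0): 7,
}
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(?:\+.*)?$")

# Constructed lockfile (npm lockfileVersion 3 layout); all entries are samples.
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.1.3"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/legacy-app/node_modules/next": {"version": "14.2.3"},
        "node_modules/widget/node_modules/next": {"version": "16.0.7"},
        "node_modules/widget/node_modules/react-server-dom-parcel": {"version": "19.2.1"},
    },
})


def check_next(version):
    """Classify a next version against the patched list for its release line."""
    match = SEMVER.match(version)
    if not match:
        return "unparsed"
    major, minor, patch = map(int, match.group(1, 2, 3))
    fixed = PATCHED_NEXT.get((major, minor))
    if fixed is None:
        return "line-not-listed"
    # A pre-release such as 15.5.7-canary.2 sorts before the 15.5.7 release.
    installed = (patch, 0 if match.group(4) else 1)
    return "patched" if installed >= (fixed, 1) else "below-patched"


def audit_lockfile(lock_text):
    """Return sorted (path, version, status) findings for a package-lock.json."""
    findings = []
    packages = json.loads(lock_text).get("packages", {})
    for path, meta in packages.items():
        version = meta.get("version")
        if not path or not version:
            continue  # root project entry or link without a version
        name = path.rsplit("node_modules/", 1)[-1]
        if name == "next":
            status = check_next(version)
            if status != "patched":
                findings.append((path, version, status))
        elif name in RSC_PACKAGES and version in AFFECTED_RSC_VERSIONS:
            findings.append((path, version, "affected-rsc-version"))
    return sorted(findings)


if __name__ == "__main__":
    for path, version, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{status:22} {version:10} {path}")
```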
CONCLUSION
The IOCs discussed in this article should be added to your SOC environment to flag any traffic that originates from or is destined to them.
This is a use case of locating attacker servers through cryptomining activity and the recorded boundary string. Once we find more parameters used by threat actors while exploiting React2Shell, they will be included in this article.
IOC: VICTIM LIST
This is a list of victims aggregated from multiple scanner results for the boundary string WebKitFormBoundaryx8jO2oVc6SWP3Sad.
These could be genuine victims as well as honeypots set up for threat actor interaction.
Based on BOUNDARY STRING
========================
URLs (Based on Next_Target Attacker File)
=========================================
If any of the above-listed IPs are honeypots set up by you, feel free to reach out to me to de-list them or make me aware of it.
To get the complete list of Domains/URLs/IPs, please refer to my GitHub Repo here.
NOTE: This article is purely individual research that belongs to THE RAVEN FILE and may not be used/published anywhere without the author’s consent.