Jackpot Panda
Jackpot Panda is a China-nexus cyber threat actor. Open-source reporting describes it as primarily targeting entities in East and Southeast Asia, with activity likely aligned to intelligence collection priorities related to domestic security and corruption concerns. AWS reported that Jackpot Panda was among multiple China state-nexus groups observed actively exploiting CVE-2025-55182 ("React2Shell") within hours of its public disclosure on December 3, 2025, based on AWS MadPot telemetry and associated infrastructure. In this exploitation context, vendors documented China-nexus groups including Jackpot Panda deploying post-exploitation tooling such as Cobalt Strike beacons, Sliver, and Vshell backdoors. Attribution is complicated by anonymization infrastructure shared among Chinese threat groups, and GTIG states there are no public indicators available to assess a group relationship for Jackpot Panda. Known alias: JackpotPanda.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns, all 3 exploited in the wild.
On December 5, 2025, just two days after the public disclosure of CVE-2025-55182 – a maximum-severity remote code execution vulnerability in React Server Components (RSCs) – the Sysdig Threat Research Team (TRT) recovered a novel implant from a compromised Next.js application.
Amazon threat intelligence teams observed them simultaneously exploiting other recent N-day vulnerabilities, including CVE-2025-1338.
The flaw has been tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, but MITRE... rejected the second CVE as duplicative.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Jackpot Panda is a China-linked group exploiting web application vulnerabilities for remote code execution and web shell deployment.
China-linked espionage group exploiting CVE-2025-55182 for initial access and persistence in cloud and technology sectors in APAC.
Named in an aggregated list of actors associated with React2Shell (CVE-2025-55182) exploitation activity.
Jackpot Panda is a China-linked, state-aligned threat actor observed exploiting the React2Shell vulnerability immediately after disclosure to gain access to servers and deploy additional malicious tooling.