JuicyPotato
JuicyPotato is a Windows privilege-escalation tool used post-compromise to abuse token impersonation. A process that holds SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) coerces a SYSTEM-level authentication through a local COM server, captures the resulting token and uses it to launch a new process as NT AUTHORITY\SYSTEM. Because those privileges are granted by default to service identities such as IIS application-pool accounts and the MS-SQL service account, the sources tie JuicyPotato to escalation from exactly those low-privilege service contexts, typically right after code execution inside a web application or database service. The quick precondition check on a compromised host is `whoami /priv`: if SeImpersonatePrivilege appears in the caller's token, the technique is in scope. Note that the original JuicyPotato technique no longer works on Windows 10 1809, Windows Server 2019 and later builds, which is one reason the later Potato Suite variants exist.

It is repeatedly described as a tool commonly used by Chinese-speaking threat actors and has been observed in operations attributed or linked to UAT-7237, Blue Mockingbird and activity assessed with moderate confidence as Gelsemium-related. Reported use cases include command execution on endpoints and privilege-escalation attempts as part of the broader Potato Suite alongside BadPotato, SweetPotato and GodPotato.

In the cited intrusions, JuicyPotato was deployed after initial access through exploitation of internet-facing services or valid access to exposed systems: exploitation of CVE-2019-18935 in Telerik UI for ASP.NET AJAX by Blue Mockingbird; compromise of unpatched internet-exposed servers by UAT-7237; attacks on exposed MS-SQL servers followed by CoinMiner and XiebroC2 deployment; and exploitation of the SAP NetWeaver Visual Composer vulnerability CVE-2025-31324, where JuicyPotato or SweetPotato was downloaded from suspicious external infrastructure.

Indicators and contextual artifacts mentioned in the sources include execution under the filename j.exe as part of the Potato Suite (a generic name, so treat it as context rather than a standalone indicator), association in one report with delivery from 23.95.123[.]5:666, and repeated observation alongside tooling such as Cobalt Strike, Mimikatz, SoftEther VPN, XMRIG and XiebroC2, depending on the intrusion set.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"JuicyPotato, a privilege escalation tool popular with Chinese-speaking hackers, is another malware that UAT-7237 uses..."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
4 techniques
Token Kidnapping consists of opening another process and then brute-forcing the open handles by duplicating them inside the current process. For each valid handle, we check whether it's a handle to a token... If we find a valid token handle, we must check the following: Is the corresponding account SYSTEM? Is it an impersonation token? Is the impersonation level of the token at least Impersonation?... Once you've found a proper impersonation token, you can duplicate it and use the Windows API to create a process as NT AUTHORITY\SYSTEM.
CreateProcessWithToken() - This function requires the SeImpersonatePrivilege privilege, which is enabled by default (for the LOCAL SERVICE account). As an input, it requires a primary token... In conclusion, we have the appropriate privileges to impersonate NT AUTHORITY\SYSTEM.
They also use JuicyPotato for privilege escalation and modify Windows settings, like disabling UAC and enabling cleartext password storage.
Stealth
2 techniques
Token Kidnapping consists of opening another process and then brute-forcing the open handles by duplicating them inside the current process. For each valid handle, we check whether it's a handle to a token... If we find a valid token handle, we must check the following: Is the corresponding account SYSTEM? Is it an impersonation token? Is the impersonation level of the token at least Impersonation?... Once you've found a proper impersonation token, you can duplicate it and use the Windows API to create a process as NT AUTHORITY\SYSTEM.
CreateProcessWithToken() - This function requires the SeImpersonatePrivilege privilege, which is enabled by default (for the LOCAL SERVICE account). As an input, it requires a primary token... In conclusion, we have the appropriate privileges to impersonate NT AUTHORITY\SYSTEM.
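The escalation pattern the description and the technique quotes above share is visible in process-creation telemetry: a process running as a service identity that holds SeImpersonatePrivilege (an IIS application pool, the MS-SQL service account, LOCAL SERVICE or NETWORK SERVICE) creates a child that runs as NT AUTHORITY\SYSTEM. The following hunt heuristic is an added example written for this page; it is not JuicyPotato code and not Mallory's detection content. It runs over constructed process-creation records shaped like Windows Security event 4688 or Sysmon event 1 (the field names are an assumption, not a vendor schema), flags every SYSTEM child whose parent is a service-account process, walks the tree back to the service binary that started the chain, and annotates the launcher when its filename is the j.exe name reported on the page or a Potato tool name (the latter set is an assumption: tool name plus .exe).

```python
"""Hunt heuristic for JuicyPotato-style token impersonation.

Added example; not JuicyPotato code and not Mallory's own detection logic.
Records are shaped like Security 4688 / Sysmon 1 events; field names are an
assumption, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Service identities that hold SeImpersonatePrivilege by default.
SERVICE_ACCOUNT_PATTERNS = (
    re.compile(r"^IIS APPPOOL\\", re.I),                       # web application pools
    re.compile(r"^NT SERVICE\\MSSQL", re.I),                   # SQL Server service SIDs
    re.compile(r"^NT AUTHORITY\\(LOCAL|NETWORK) SERVICE$", re.I),
)
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
KNOWN_DROP_NAMES = {"j.exe"}                                   # filename reported on the page
POTATO_TOOL_NAMES = {                                          # assumption: tool name + .exe
    "juicypotato.exe", "sweetpotato.exe", "badpotato.exe", "godpotato.exe",
}
MAX_TREE_DEPTH = 16                                            # guard against PID reuse loops


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the new process
    user: str           # account the new process runs as
    cmdline: str = ""


def is_service_account(user: str) -> bool:
    return any(p.search(user) for p in SERVICE_ACCOUNT_PATTERNS)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_escalations(events: Iterable[ProcEvent]) -> list[dict]:
    """Return one hit per SYSTEM process created by a service-account process.

    SYSTEM spawning SYSTEM (services.exe, svchost.exe) is normal and ignored;
    a service account spawning SYSTEM is the token-impersonation step itself.
    Treat hits as triage signals and baseline them, not as convictions.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in by_pid.values():
        if ev.user.upper() != SYSTEM_ACCOUNT:
            continue
        parent = by_pid.get(ev.parent_pid)
        if parent is None or not is_service_account(parent.user):
            continue
        # Walk up through same-account ancestors to the service binary that
        # started the chain (e.g. sqlservr.exe or w3wp.exe) for context.
        root = parent
        for _ in range(MAX_TREE_DEPTH):
            gp = by_pid.get(root.parent_pid)
            if gp is None or gp.user.upper() != parent.user.upper():
                break
            root = gp
        launcher = image_name(parent.image)
        reasons = [f"SYSTEM child created by service-account process {launcher}"]
        if launcher in KNOWN_DROP_NAMES:
            reasons.append(f"launcher filename {launcher} reported for Potato Suite")
        elif launcher in POTATO_TOOL_NAMES:
            reasons.append("launcher filename matches a Potato tool name")
        hits.append({
            "pid": ev.pid, "image": image_name(ev.image), "cmdline": ev.cmdline,
            "launcher": launcher, "launcher_user": parent.user,
            "root": image_name(root.image), "reasons": reasons,
        })
    return hits


# Constructed sample telemetry: an MS-SQL chain ending in a SYSTEM shell,
# plus two benign chains that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(500, 4, r"C:\Windows\System32\services.exe", SYSTEM_ACCOUNT),
    ProcEvent(1200, 500, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
              r"NT SERVICE\MSSQLSERVER"),
    ProcEvent(2300, 1200, r"C:\Windows\System32\cmd.exe", r"NT SERVICE\MSSQLSERVER",
              r"cmd.exe /c C:\Users\Public\j.exe"),
    ProcEvent(2310, 2300, r"C:\Users\Public\j.exe", r"NT SERVICE\MSSQLSERVER"),
    ProcEvent(2320, 2310, r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT, "cmd.exe /c whoami"),
    # benign: SYSTEM service host spawning a SYSTEM child
    ProcEvent(3000, 500, r"C:\Windows\System32\svchost.exe", SYSTEM_ACCOUNT),
    ProcEvent(3010, 3000, r"C:\Windows\System32\conhost.exe", SYSTEM_ACCOUNT),
    # benign: IIS worker spawning a child at its own privilege level
    ProcEvent(4000, 3000, r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\DefaultAppPool"),
    ProcEvent(4010, 4000, r"C:\Windows\System32\cmd.exe", r"IIS APPPOOL\DefaultAppPool"),
]

if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_EVENTS):
        print(hit)
```

On the sample data the only hit is PID 2320: cmd.exe as SYSTEM, launched by j.exe under NT SERVICE\MSSQLSERVER, rooted at sqlservr.exe. The heuristic deliberately keys on the account transition rather than on filenames, so renaming the binary does not evade it; the filename annotations only add context for triage.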
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Windows privilege-escalation tool used to elevate from low-privileged service contexts (e.g., the MS-SQL service) by abusing impersonation privileges and a local COM server to obtain a SYSTEM token, enabling subsequent payload execution with higher privileges.
JuicyPotato is a tool that exploits Windows privilege escalation vulnerabilities to gain higher-level access on compromised systems.
Windows privilege-escalation exploit/tool used to execute commands with elevated privileges; also noted as being used in credential access via a BAT-driven workflow.