URGENT: Chinese Hackers Exploiting React2Shell Vulnerability - What You Need to Know! (2026)

Breaking News: Chinese Hackers on the Prowl

In a concerning development, two hacking groups with Chinese ties have swiftly capitalized on a recently disclosed security vulnerability in React Server Components (RSC). This vulnerability, known as React2Shell (CVE-2025-55182), carries a critical CVSS score of 10.0 and allows remote code execution without authentication.

But here's where it gets controversial...

A new report from Amazon Web Services (AWS) reveals that these threat actors, Earth Lamia and Jackpot Panda, began exploiting this flaw within hours of its public disclosure. CJ Moses, CISO of Amazon Integrated Security, shared the company's analysis, which identified exploitation attempts originating from IP addresses historically linked to known Chinese state-affiliated hackers.

Earth Lamia, a China-nexus group, has a history of targeting critical infrastructure, as seen in their exploitation of the SAP NetWeaver flaw (CVE-2025-31324) earlier this year. Their targets span financial, logistics, retail, IT, and government sectors across Latin America, the Middle East, and Southeast Asia.

And this is the part most people miss...

The other actor, Jackpot Panda, has primarily focused on entities involved in online gambling operations in East and Southeast Asia. CrowdStrike, a cybersecurity firm, assesses that Jackpot Panda has been active since at least 2020, targeting trusted third-party relationships to gain initial access. Interestingly, they were connected to the supply chain compromise of the Comm100 chat app in 2022, an activity tracked as Operation ChattyGoblin.

A Chinese hacking contractor, I-Soon, may have played a role in this supply chain attack, suggesting a deeper web of connections.

Attacks by I-Soon in 2023 primarily targeted Chinese-speaking victims, indicating a possible domestic surveillance operation. CrowdStrike's Global Threat Report revealed that the group used a trojanized installer for CloudChat, a popular chat app among Chinese-speaking gambling communities in Mainland China, to deploy a novel implant, XShade, with code similarities to Jackpot Panda's CplRAT implant.

Amazon's detection of threat actors exploiting React2Shell alongside other N-day flaws, such as the vulnerability in NUUO Camera (CVE-2025-1338), suggests a broader campaign to scan the internet for unpatched systems. The observed activity includes attempts to run discovery commands, write sensitive files, and read files containing sensitive information.

CJ Moses highlights the systematic approach of these threat actors, who monitor for new vulnerability disclosures, integrate exploits quickly, and launch broad campaigns across multiple CVEs to maximize their chances of success.

This story is a reminder of the ever-evolving threat landscape and the importance of timely security updates. As we navigate the digital world, staying informed and vigilant is crucial.

What are your thoughts on this developing story? Do you think these hacking groups pose a significant threat to global cybersecurity? Join the discussion in the comments below!


Author: Melvina Ondricka
