
Two Chinese-linked hacker groups were observed weaponizing a newly revealed security flaw in React Server Components (RSC) within hours of it becoming public knowledge.
The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), also known as React2Shell, which allows unauthenticated remote code execution. This issue is addressed in React versions 19.0.1, 19.1.2, and 19.2.1.
According to a new report shared by Amazon Web Services (AWS), two China-linked threat actors known as Earth Lamia and Jackpot Panda have been observed attempting to exploit the maximum-severity flaw.
“Our analysis of exploitation attempts on the AWS MadPot honeypot infrastructure identified exploit activity from IP addresses and infrastructure historically associated with known Chinese state-aligned threat actors,” CJ Moses, CISO at Amazon Integrated Security, said in a report shared with The Hacker News.

Specifically, the technology giant said it has identified infrastructure associated with Earth Lamia, a China-aligned group believed to be behind an attack earlier this year that exploited a critical flaw in SAP NetWeaver (CVE-2025-31324).
The hacking group targeted sectors such as financial services, logistics, retail, IT companies, universities, and government agencies in Latin America, the Middle East, and Southeast Asia.
The exploitation attempts also originated from infrastructure associated with another China-linked cyber threat actor known as Jackpot Panda, which primarily targets organizations engaged in or supporting online gambling operations in East and Southeast Asia.
According to CrowdStrike, Jackpot Panda is assessed to have been active since at least 2020, targeting trusted third-party relationships in order to deploy malicious implants and gain initial access. Specifically, this threat actor was involved in a supply chain breach of a chat app known as Comm100 in September 2022. This activity is tracked by ESET as Operation Chatty Goblin.
It was later revealed that Chinese hacking contractor I-Soon may have been involved in the supply chain attack, based on infrastructure overlaps. Interestingly, attacks launched by this group in 2023 primarily focused on Chinese-speaking victims, indicating the potential for domestic surveillance.
“Starting in May 2023, attackers used a trojanized installer for CloudChat, a China-based chat application popular in mainland China’s illegal Chinese-speaking gambling community,” CrowdStrike said in its Global Threat Report published last year.

“The Trojanized installer provided by the CloudChat website contained the first stage of a multi-step process that ultimately deployed XShade, a new implant with code that overlapped with Jackpot Panda’s own CplRAT implant.”
Amazon said it also detected attackers exploiting CVE-2025-55182 along with other N-day flaws, including the NUUO camera vulnerability (CVE-2025-1338, CVSS score: 7.3), suggesting widespread efforts to scan the internet for unpatched systems.
Observed activity includes attempts to run discovery commands (e.g., whoami), write files (e.g., “/tmp/pwned.txt”), and read files containing sensitive information (e.g., “/etc/passwd”).
“This represents a systematic approach where threat actors monitor the disclosure of new vulnerabilities, quickly integrate publicly available exploits into their scanning infrastructure, and conduct broad campaigns across multiple common vulnerabilities and exposures (CVEs) simultaneously to maximize their chances of discovering vulnerable targets,” said Moses.
