In a concerning development for cybersecurity, two hacking groups linked to China have begun exploiting a newly disclosed vulnerability in React Server Components (RSC) within hours of its public announcement. The flaw—the discovery of which has been credited to James G. CVE-2025-55182, the flaw in question, has a critical CVSS score of 10.0. It enables unauthenticated remote code execution, providing attackers with terrifyingly simple access to systems.
The hacking groups, Earth Lamia and Jackpot Panda, are known for attacking multiple sectors around the world. Earlier this year, Earth Lamia was associated with attacks exploiting a major vulnerability in SAP NetWeaver. Jackpot Panda has focused only on entities involved in online gambling operations. This focus spans East and Southeast Asia and has existed since at least 2020.
The React2Shell Vulnerability
CVE-2025-55182, colloquially dubbed React2Shell, was announced earlier this week and has rapidly captured the interest of cyber threat actors. The vulnerability represents a grave danger because of its ability to allow remote code execution. This leads to a massive security gap for dozens of organizations.
The disclosure of the vulnerability has unfortunately brought swift action from opportunistic threat actors. “Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors,” stated CJ Moses, CISO of Amazon Integrated Security. This further demonstrates how quickly hackers move to take advantage of new vulnerabilities as soon as they are made public.
Cybersecurity professionals have pointed out that the power of these groups lies in their methodical, repeatable attack pattern. “This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets,” Moses added.
Activities of Earth Lamia
Unfortunately, since the start of 2023, Earth Lamia has focused its efforts on Chinese-speaking victims at an appalling rate. Its activity spans the financial services, logistics and retail sectors, universities and government organizations in regions including Latin America, the Middle East and Southeast Asia. We have seen devastating Earth Lamia attacks recently that try to execute discovery commands, like “whoami”. They attempt to write files to “/tmp/pwned.txt” and read sensitive information from files such as “/etc/passwd”.
To date, investigators have traced the group’s activity to actual, real-world infrastructure that supports its operation. Together, this evidence points to a highly coordinated effort to rapidly weaponize the React2Shell vulnerability. According to reports, I-Soon, possibly a Chinese hacking contractor, may have been involved in a major supply chain attack. This new development makes the already difficult cybersecurity landscape even more complex.
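The post-exploitation behaviour reported above (a “whoami” call, a write to “/tmp/pwned.txt”, a read of “/etc/passwd”) can be hunted for in process-creation logs. The following is an added example, not code from the article or from AWS; the JSON event fields, the parent process names and the sample log lines are constructed assumptions.

```python
import json
import posixpath
import re

# Indicators taken from the behaviour described in the article.
DISCOVERY_COMMANDS = {"whoami"}
WATCHED_PATHS = {"/tmp/pwned.txt", "/etc/passwd"}
# Assumption: the React server runs under one of these process names.
SERVER_PARENTS = {"node", "next-server"}
TOKEN = re.compile(r"[\w./-]+")

# Constructed sample events (hypothetical schema: host, parent, cmdline).
SAMPLE_LOG = """\
{"host": "web-1", "parent": "node", "cmdline": "/bin/sh -c whoami"}
{"host": "web-1", "parent": "node", "cmdline": "sh -c 'echo test > /tmp/pwned.txt'"}
{"host": "web-1", "parent": "node", "cmdline": "cat /tmp/../etc/passwd"}
{"host": "web-1", "parent": "bash", "cmdline": "whoami"}
{"host": "web-2", "parent": "node", "cmdline": "node build.js --out /tmp/cache"}
"""

def classify(event):
    """Return the reasons a process event looks like post-exploitation activity."""
    # Only children of the web server process are of interest here; an
    # administrator running whoami from an interactive shell is ignored.
    if event.get("parent") not in SERVER_PARENTS:
        return []
    reasons = []
    for tok in TOKEN.findall(event.get("cmdline", "")):
        if posixpath.basename(tok) in DISCOVERY_COMMANDS:
            reasons.append("discovery command: " + posixpath.basename(tok))
        elif tok.startswith("/"):
            # Normalise so that /tmp/../etc/passwd is still recognised.
            path = posixpath.normpath(tok)
            if path in WATCHED_PATHS:
                reasons.append("watched path: " + path)
    return reasons

def scan(log_text):
    """Parse JSON-lines process events and return (host, cmdline, reasons) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = classify(event)
            if reasons:
                alerts.append((event["host"], event["cmdline"], reasons))
    return alerts

if __name__ == "__main__":
    for host, cmdline, reasons in scan(SAMPLE_LOG):
        print(f"{host}: {cmdline!r} -> {', '.join(reasons)}")
```
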
Jackpot Panda’s Targeted Campaigns
Jackpot Panda targets individuals who engage in or facilitate internet gambling enterprises. Its operations have spread beyond South Asia to East and Southeast Asia, with evidence of activity there since at least 2020. The threat actor has leveraged its trusted third-party connections to spread malicious implants and gain initial access to the systems of its desired targets.
With its targeted approach, Jackpot Panda has already shown the effectiveness of its niche focus. The group is constantly adjusting its tactics to capitalize on weaknesses like React2Shell. Recent reports from CrowdStrike reveal that beginning in May 2023, adversaries employed a trojanized installer for CloudChat, a chat application popular within illegal gambling communities in Mainland China.
The infrastructure behind both Earth Lamia and Jackpot Panda has been essential to their continuing success. Cybersecurity experts have regularly warned against losing sight of these groups, even as they evolve their tactics.

