Earth Lamia and Jackpot Panda broad multi-CVE scanning campaign
Campaign
Summary
Earth Lamia and Jackpot Panda mounted a broad multi-CVE scanning campaign that quickly weaponized CVE-2025-55182 / React2Shell, raising the chance that unpatched systems would be hit before defenders could respond. The operation also probed for other N-day flaws, including CVE-2025-1338, showing an attempt to broaden reach beyond a single bug. Probes observed in AWS MadPot included discovery commands and file access attempts, indicating active follow-on reconnaissance. The campaign matters because it combines rapid public-exploit adoption with simultaneous scanning across multiple vulnerabilities.
Cases
Related Happenings
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel
Malware Activity
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...
Iran-linked Hikvision and Dahua surveillance camera targeting campaign
Campaign
First: 04.03.2026 17:00
Last: 04.03.2026 17:00
Sources 1
About this happening:
A **coordinated campaign** is targeting **Hikvision** and **Dahua** surveillance cameras across the **Middle East**, increasing the risk that compromised devices could support mil...
AI-generated FortiGate reconnaissance tool analysis with weak parsing and empty stubs
Technical Analysis
First: 23.02.2026 14:30
Last: 23.02.2026 14:30
Sources 1
About this happening:
AWS identified a custom **FortiGate reconnaissance tool** that showed clear hallmarks of **AI-generated code**, helping explain how a low-skill actor automated post-compromise dis...
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
How related:
"This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets," Moses said.
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
Timeline
05.12.2025 16:10 2 articles · 5mo ago
AWS sees React2Shell exploitation and multi-CVE scanning
Campaign Scope Update
AWS MadPot honeypot telemetry identified Earth Lamia and Jackpot Panda attempting to exploit CVE-2025-55182 (React2Shell) in React Server Components (RSC) within hours of disclosure, and also saw attempts against CVE-2025-1338 in NUUO Camera and other N-day flaws. The observed activity included discovery commands such as whoami, writing /tmp/pwned.txt, and reading /etc/passwd, indicating rapid public-exploit adoption and broad scanning for unpatched systems.
- Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability — thehackernews.com — 05.12.2025 16:10