Earth Lamia and Jackpot Panda broad multi-CVE scanning campaign
Campaign
Summary
Hide ▲
Show ▼
Earth Lamia and Jackpot Panda mounted a broad multi-CVE scanning campaign that quickly weaponized CVE-2025-55182 / React2Shell, raising the chance that unpatched systems would be hit before defenders could respond. The operation also probed for other N-day flaws, including CVE-2025-1338, showing an attempt to broaden reach beyond a single bug. Probes observed in AWS MadPot included discovery commands and file access attempts, indicating active follow-on reconnaissance. The campaign matters because it combines rapid public-exploit adoption with simultaneous scanning across multiple vulnerabilities.
Cases
Related Happenings
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
Campaign
H score33
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
**OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
CampaignAbout this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel
Malware Activity
H score23
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel
Malware ActivityAbout this happening: The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...
Iran-linked Hikvision and Dahua surveillance camera targeting campaign
Campaign
H score37
First: 04.03.2026 17:00
Last: 04.03.2026 17:00
Sources 1
About this happening:
A **coordinated campaign** is targeting **Hikvision** and **Dahua** surveillance cameras across the **Middle East**, increasing the risk that compromised devices could support mil...
Iran-linked Hikvision and Dahua surveillance camera targeting campaign
CampaignAbout this happening: A **coordinated campaign** is targeting **Hikvision** and **Dahua** surveillance cameras across the **Middle East**, increasing the risk that compromised devices could support mil...
AI-generated FortiGate reconnaissance tool analysis with weak parsing and empty stubs
Technical Analysis
H score35
First: 23.02.2026 14:30
Last: 23.02.2026 14:30
Sources 1
About this happening:
AWS identified a custom **FortiGate reconnaissance tool** that showed clear hallmarks of **AI-generated code**, helping explain how a low-skill actor automated post-compromise dis...
AI-generated FortiGate reconnaissance tool analysis with weak parsing and empty stubs
Technical AnalysisAbout this happening: AWS identified a custom **FortiGate reconnaissance tool** that showed clear hallmarks of **AI-generated code**, helping explain how a low-skill actor automated post-compromise dis...
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
H score52
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Russian-speaking hacker AI-assisted FortiGate breach campaign
CampaignAbout this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Timeline
-
05.12.2025 16:10 2 articles · 7mo ago
AWS sees React2Shell exploitation and multi-CVE scanning
Campaign Scope UpdateAWS MadPot honeypot telemetry identified Earth Lamia and Jackpot Panda attempting to exploit CVE-2025-55182 (React2Shell) in React Server Components (RSC) within hours of disclosure, and also saw attempts against CVE-2025-1338 in NUUO Camera and other N-day flaws. The observed activity included discovery commands such as whoami, writing /tmp/pwned.txt, and reading /etc/passwd, indicating rapid public-exploit adoption and broad scanning for unpatched systems.
Show sources
- Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability — thehackernews.com — 05.12.2025 16:10
- Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability — thehackernews.com — 05.12.2025 16:10