JACKPOT PANDA

Actor Type: Commercial Provider, Nation State
Attributed to Nation: China
Associated Threat Actor: i-SOON

JACKPOT PANDA is a cyber intrusion set tracked by CrowdStrike, which states that the actor has been active since at least May 2020 and likely operates in support of 'People’s Republic of China (PRC’s) intelligence collection priorities related to domestic security and corruption.' The group has also been reported targeting Chinese-speaking gambling communities.

According to CrowdStrike reporting, in 2023 JACKPOT PANDA was observed compromising supply chains to exploit trusted relationships with downstream organizations. In particular, the 2024 CrowdStrike Global Threat Report details how JACKPOT PANDA was identified utilizing LiveHelp100 (from Comm100) to launch malicious tooling (QuestDownloader) as part of an attack.

Reporting from a document leak at Chinese cyber security company 'i-SOON' indicated an overlap between that company and infrastructure attributed to JACKPOT PANDA. The link is based on an IP address identified by Trend Micro as being linked to the Comm100 compromise. This suggests that the group may be a commercial provider carrying out some activities on behalf of Chinese government organizations.
