Threat Actor Profile
Jackpot Panda
Jackpot Panda is a China-based threat actor that has been active since at least May 2020. This advanced persistent threat (APT) group focuses heavily on the online gambling ecosystem across East and Southeast Asia. Through supply-chain compromises, phishing, and stealthy post-compromise techniques, its operations align closely with the domestic intelligence priorities of the PRC.
Country of Origin
Jackpot Panda is attributed to China, with a strong nexus to state-aligned intelligence and domestic security operations.
Members
The exact size and composition of Jackpot Panda remain unclear. Its operations, however, reflect coordination among skilled operators who use custom tooling and espionage tradecraft, consistent with contractor or state-sponsored capabilities.
Leadership
No specific leaders or aliases have been publicly identified for this group. Its operational model suggests ties to government-contracted or affiliated teams, possibly linked to China’s Ministry of Public Security.
Jackpot Panda TTPs
Tactics
The group’s main objective is to conduct surveillance and intelligence gathering within the online gambling and payment sectors. These activities likely feed into broader efforts to monitor corruption, illicit finance, and criminal activity.
Techniques
Entry Points
Supply-chain compromises through vendor update channels.
Watering hole attacks targeting industry-relevant sites.
Spear phishing campaigns focused on employees of gambling and payment processing organizations.
Persistence & Lateral Movement
Credential harvesting and use of legitimate administrative tools.
Living-off-the-land utilities for stealthy operations.
Procedures
These include exploiting trusted vendor-update software, abusing compromised supply-chain access to infiltrate target systems, and collecting transactional data and account details. Activity often involves tailored malware and victim profiling focused on gambling and financial operations.
Notable Cyberattacks
The 2024 i-Soon data leak shed light on Jackpot Panda’s substantial activity, tying several infrastructure components and compromised IPs to operations monitored since 2020. This leak provided analysts with critical insights into their supply-chain attack methods and connections with Chinese state contractors.
Law Enforcement & Arrests
To date, there are no confirmed arrests or direct law enforcement actions linked specifically to Jackpot Panda. However, the 2024 i-Soon leak shone a spotlight on contractor activities potentially tied to the PRC’s Ministry of Public Security.
How to Defend Against Jackpot Panda
Supply-Chain Protections: Ensure the integrity of vendor updates by verifying code signatures against pinned publisher keys and by fetching updates only over authenticated channels; a valid signature from the wrong key, or an unsigned hash, should be rejected.
Network Segmentation: Limit access to critical systems and enforce role-based controls using least privilege.
Identity Security: Deploy phishing-resistant MFA and monitor for abnormal access patterns.
Threat Detection: Use endpoint and network telemetry to spot web shells, unexpected outbound communications, and compromised update sources.
Incident Response: Maintain robust backup systems, rehearse recovery procedures, and incorporate Huntress monitoring solutions for rapid detection of potential breaches.
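The supply-chain bullet above is the one most directly aimed at this group's entry point, so here is a worked example of what "verify vendor updates against a pinned key" means in code. This is an added example, not code from Huntress or from any vendor the page describes. It assumes a hypothetical update bundle made of a payload, a small key=value manifest carrying the payload's SHA-256, and an ed25519 signature over the manifest; real vendors use other formats (Authenticode, GPG-signed metadata, Sigstore), but the two checks shown, signature against a pinned key and then hash against the signed manifest, are the same. The keys are derived from fixed seeds purely so the example is deterministic; a real client would embed only the vendor's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a vendor update bundle: the payload,
// a manifest that records the expected SHA-256 of the payload, and the
// vendor's ed25519 signature over that manifest. (Hypothetical format.)
type Update struct {
	Payload  []byte
	Manifest []byte // key=value lines, e.g. "version=2.4.1\nsha256=<hex>\n"
	Sig      []byte // ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
	ErrBadManifest  = errors.New("manifest has no sha256 field")
)

// VerifyUpdate accepts an update only if the manifest is signed by the pinned
// vendor key AND the payload hashes to the value recorded in that manifest.
// Checking the signature first means an attacker who controls the download
// channel (mirror, CDN, vendor web server) but not the signing key cannot get
// a tampered manifest accepted, and a swapped payload then fails the hash check.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Manifest, u.Sig) {
		return ErrBadSignature
	}
	want, err := manifestSHA256(u.Manifest)
	if err != nil {
		return err
	}
	got := sha256.Sum256(u.Payload)
	if !bytes.Equal(want, got[:]) {
		return ErrHashMismatch
	}
	return nil
}

// manifestSHA256 extracts the sha256=<hex> line from a key=value manifest.
func manifestSHA256(manifest []byte) ([]byte, error) {
	for _, line := range bytes.Split(manifest, []byte("\n")) {
		if bytes.HasPrefix(line, []byte("sha256=")) {
			return hex.DecodeString(string(bytes.TrimPrefix(line, []byte("sha256="))))
		}
	}
	return nil, ErrBadManifest
}

// makeSigned builds a correctly signed update with the given private key.
func makeSigned(priv ed25519.PrivateKey, version string, payload []byte) Update {
	sum := sha256.Sum256(payload)
	manifest := []byte(fmt.Sprintf("version=%s\nsha256=%s\n", version, hex.EncodeToString(sum[:])))
	return Update{Payload: payload, Manifest: manifest, Sig: ed25519.Sign(priv, manifest)}
}

// Demo keys derived from fixed seeds so the example is deterministic. A real
// client embeds only VendorPub; the vendor's seed never leaves its signing system.
var (
	vendorPriv   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attackerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	VendorPub    = vendorPriv.Public().(ed25519.PublicKey)
)

// Scenarios runs the verifier against a genuine update and three constructed
// supply-chain tampering cases, returning each outcome by name.
func Scenarios() map[string]error {
	genuine := makeSigned(vendorPriv, "2.4.1", []byte("legitimate updater binary"))

	// Attacker swaps the payload on the download channel; manifest and signature untouched.
	swapped := genuine
	swapped.Payload = []byte("backdoored updater binary")

	// Attacker re-signs a matching manifest with a key of their own.
	resigned := makeSigned(attackerPriv, "2.4.1", []byte("backdoored updater binary"))

	// Vendor-signed manifest that omits the hash: a valid signature alone is not enough.
	noHash := Update{Payload: []byte("legitimate updater binary"), Manifest: []byte("version=2.4.1\n")}
	noHash.Sig = ed25519.Sign(vendorPriv, noHash.Manifest)

	return map[string]error{
		"genuine":           VerifyUpdate(VendorPub, genuine),
		"payload_swapped":   VerifyUpdate(VendorPub, swapped),
		"attacker_resigned": VerifyUpdate(VendorPub, resigned),
		"manifest_no_hash":  VerifyUpdate(VendorPub, noHash),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

Only the genuine bundle passes; the swapped payload fails the hash check, the attacker-signed bundle fails the pinned-key check even though its manifest is internally consistent, and a vendor-signed manifest with no hash is rejected rather than trusted on the signature alone. The order of checks matters: verifying the signature before parsing the manifest keeps attacker-controlled bytes out of the parser.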
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Jackpot Panda threats with enterprise-grade technology.