
JuicyPotato

JuicyPotato is a known open-source Windows privilege-escalation tool used post-compromise to abuse the SeImpersonate token privilege (SeImpersonatePrivilege) and obtain elevated execution, including escalation to NT AUTHORITY\SYSTEM. The underlying reporting specifically describes its use for privilege escalation and command execution on compromised endpoints. It is commonly deployed after initial access rather than as an initial infection vector.

The tool is observed across multiple intrusion sets and campaigns. Blue Mockingbird used JuicyPotato to escalate from web application pool accounts to NT AUTHORITY\SYSTEM after exploiting Telerik UI for ASP.NET AJAX (CVE-2019-18935), supporting subsequent activity including cryptocurrency mining. Cisco Talos reported Chinese-speaking threat actor UAT-7237 using JuicyPotato for privilege escalation and command execution in intrusions targeting web infrastructure entities in Taiwan, alongside Cobalt Strike, SoftEther VPN, credential theft tooling, and reconnaissance utilities. Palo Alto Networks Unit 42 also reported CL-STA-1062, assessed with high confidence to be the same cluster as UAT-7237, using JuicyPotato in sustained operations since at least 2022 against government entities and state-owned critical energy infrastructure in Southeast Asia. Unit 42 further observed JuicyPotato within the Potato Suite (including BadPotato and SweetPotato) during a separate Southeast Asian government intrusion cluster, CL-STA-0046, which it associated with Gelsemium with moderate confidence. Additional reporting cited JuicyPotato or SweetPotato binaries linked in some cases to infrastructure previously associated with Gelsemium, while noting that many threat actors use these tools.

The reporting also notes JuicyPotato being used in attacks against internet-exposed MS-SQL servers, where an attacker installed it after logging in because MS-SQL service processes typically run with low privileges by default; this was then followed by deployment of CoinMiner and XiebroC2. In exploitation of the SAP NetWeaver Visual Composer vulnerability CVE-2025-31324, JuicyPotato and SweetPotato were downloaded from suspicious external endpoints as privilege-escalation tooling.

The high-confidence behavioral details in the reporting are that JuicyPotato is a Windows privilege-escalation utility, that it abuses the SeImpersonatePrivilege/SeImpersonate token privilege, and that it is leveraged for local elevation and command execution after compromise. Associated tooling and contexts mentioned alongside it include Cobalt Strike, SoftEther VPN, Mimikatz, GodPotato, BadPotato, SweetPotato, and BypassBoss. No standalone malware-specific persistence, command-and-control, or exfiltration functionality is described in the available reporting.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

UAT-7237

To escalate privileges, the attackers deployed known open-source tools, such as JuicyPotato.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
CL-STA-1062

To escalate privileges, the attackers deployed known open-source tools, such as JuicyPotato.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

4 techniques
T1068 Exploitation for Privilege Escalation (Evidence: 7)

Attackers also leverage tools like JuicyPotato for privilege escalation...

T1134 Access Token Manipulation (Evidence: 1)

Token Kidnapping consists of opening another process and then brute-forcing the open Handles by duplicating them inside the current process. For each valid Handle, we check whether it’s a Handle to a Token... If we find a valid Token Handle, we must check the following: Is the corresponding account SYSTEM? Is it an Impersonation token? Is the Impersonation Level of the token at least Impersonation?... once you’ve found a proper impersonation token, you can duplicate it and use the Windows API to create a process as NT AUTHORITY\SYSTEM.

T1134.001 Token Impersonation/Theft (Evidence: 1)

CreateProcessWithToken() - This function requires the SeImpersonatePrivilege privilege, which is enabled by default (for the LOCAL SERVICE account). As an input, it requires a Primary token... As a conclusion, we have the appropriate privileges to impersonate NT AUTHORITY\SYSTEM.

T1548 Abuse Elevation Control Mechanism (Evidence: 2)

Local Windows: winPEAS, PowerUp, Seatbelt; Unquoted svc paths; DLL hijack; AlwaysInstallElevated; JuicyPotato, RoguePotato, PrintSpoofer, GodPotato; UAC fodhelper/sdclt

Stealth

2 techniques

T1134 Access Token Manipulation (Evidence: 1) and T1134.001 Token Impersonation/Theft (Evidence: 1), with the same evidence quoted under Privilege Escalation above.
