Cybersecurity researchers have attributed a growing wave of sophisticated intrusions to the China-linked threat group known as Earth Lamia.
Since 2023, Earth Lamia has exploited various web application vulnerabilities to gain unauthorized access to organizations across Brazil, India, and Southeast Asia.
The actor is notable for developing or customizing advanced hacking tools and backdoors, employing them to systematically evade detection and exfiltrate sensitive data from diverse industry targets.
Initially, Earth Lamia targeted the financial sector, with a focus on securities and brokerage firms.
However, as 2024 progressed, their attention shifted toward logistics and online retail, before most recently pivoting to compromise IT companies, universities, and government organizations.
The group’s modus operandi involves extensive vulnerability scanning, with a particular emphasis on exploiting SQL injection flaws in public-facing web applications.
Tools such as sqlmap are suspected of being used for automated exploitation and remote command execution.
Beyond SQL injection, telemetry and incident investigations link Earth Lamia to active exploitation of high-impact vulnerabilities including, but not limited to, CVE-2017-9805 (Apache Struts2), CVE-2021-22205 (GitLab), and several recent 2024–2025 vulnerabilities in popular platforms such as WordPress, JetBrains TeamCity, CyberPanel, Craft CMS, and SAP NetWeaver.
According to the Trend Micro report, these exploits provide initial access, after which the group deploys further payloads and establishes persistence.
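The scanning behaviour described above leaves a recognisable trail in web server access logs. The following is an added detection example, not code from the article or from Trend Micro: it parses Apache combined-format log lines (the seven lines embedded below are constructed for the example, with documentation-range IP addresses), URL-decodes each request path, matches it against a small, illustrative set of SQL injection probing patterns, flags the sqlmap user agent, and reports source addresses whose hit count reaches a scanning threshold. The pattern list and threshold are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative SQL injection probing signatures (constructed for this example, not a complete ruleset).
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b|\bsysobjects\b", re.I)),
    ("trailing_comment", re.compile(r"--\s*-?\s*$")),
]
# Automated tools often announce themselves in the User-Agent header unless the operator changes it.
TOOL_UA_RE = re.compile(r"sqlmap", re.I)

# Constructed sample log: one host probing a product page, one benign search, one tautology attempt.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /products.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.7 - - [12/May/2025:10:01:03 +0000] "GET /products.php?id=1%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5120 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.7 - - [12/May/2025:10:01:04 +0000] "GET /products.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 312 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.7 - - [12/May/2025:10:01:05 +0000] "GET /products.php?id=1%20AND%20%28SELECT%20COUNT%28%2A%29%20FROM%20information_schema.tables%29%3E0 HTTP/1.1" 200 5120 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '198.51.100.23 - - [12/May/2025:10:02:10 +0000] "GET /search?q=order+by+price HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [12/May/2025:10:02:11 +0000] "GET /products.php?id=1%20OR%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.9 - - [12/May/2025:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"',
]


def analyze_log(lines, scan_threshold=3):
    """Return (findings, scanners).

    findings: one dict per log line that carries at least one indicator.
    scanners: source IPs whose number of flagged requests reaches scan_threshold,
              which is what distinguishes systematic scanning from a single odd request.
    """
    findings = []
    hits_per_ip = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip rather than guess
        # Decode twice: scanners sometimes double-encode to slip past naive filters.
        path = unquote_plus(unquote_plus(m["path"]))
        indicators = [name for name, rx in SQLI_PATTERNS if rx.search(path)]
        if TOOL_UA_RE.search(m["ua"]):
            indicators.append("sqlmap_user_agent")
        if indicators:
            hits_per_ip[m["ip"]] += 1
            findings.append({"ip": m["ip"], "path": m["path"], "indicators": indicators})
    scanners = sorted(ip for ip, n in hits_per_ip.items() if n >= scan_threshold)
    return findings, scanners


if __name__ == "__main__":
    found, scanning_hosts = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], ",".join(f["indicators"]))
    print("scanning hosts:", scanning_hosts)
```

Note the benign `order by price` search is not flagged: the tautology pattern requires a bare `or`/`and` token, not a substring. The single `OR 1=1` request from the second host is recorded as a finding but the host stays below the scanning threshold, which is the kind of distinction an analyst wants when deciding whether to block an address or simply watch it.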
Operational Security
A hallmark of the Earth Lamia operation is its use of customized open-source hacking tools with enhanced evasion features.
The group obfuscates and modifies commodity tools, removing tell-tale artifacts from code and employing DLL sideloading techniques to launch malware from within legitimate binaries, often abusing trusted software such as Microsoft’s AppLaunch.exe and even binaries from security vendors.

Key custom utilities observed include a privilege escalation tool dubbed “BypassBoss,” derived from the open-source “Sharp4PrinterNotifyPotato,” and a custom backdoor loader utilizing VOIDMAW for in-memory execution.
Earth Lamia has also demonstrated the use of encrypted payload delivery, with loaders decrypting shellcode using RC4 or AES algorithms for execution in memory, further complicating detection.
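DLL sideloading through a trusted host binary, as described in this section, is visible in endpoint telemetry that records which DLL a process loads and from where. The following is an added detection example written for this article, not code from Trend Micro or from the tooling it describes. It triages Sysmon ImageLoad (Event ID 7) records, represented here as dictionaries with the event's Image, ImageLoaded and Signed fields; the five records are constructed for the example. AppLaunch.exe is taken from the report; the set of OS DLL names, the trusted-directory list and the scoring weights are illustrative assumptions that a real deployment would replace with its own software inventory.

```python
from pathlib import PureWindowsPath

# Directories from which signed Windows and vendor binaries are normally executed (assumption).
TRUSTED_EXE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories from which OS DLLs are normally loaded (assumption).
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Illustrative subset of OS DLL names; a real deployment would use an inventory of System32 contents.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
# Signed host binaries known to be abused for sideloading; AppLaunch.exe is named in the report.
WATCHED_HOST_BINARIES = {"applaunch.exe"}

# Two strong signals and one weak one; a weak signal alone should not page anyone (assumed weights).
WEIGHTS = {
    "watched_binary_outside_trusted_dirs": 2,
    "system_dll_name_outside_system_dirs": 2,
    "unsigned_sibling_dll": 1,
}

# Constructed Sysmon Event ID 7 records (Image = loading process, ImageLoaded = DLL, Signed = DLL signature).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Libraries\AppLaunch.exe", "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\tool.exe", "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Updater\updater.exe", "ImageLoaded": r"C:\ProgramData\Updater\plugin.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\helper.exe", "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dbghelp.dll", "Signed": "false"},
]


def _norm(path):
    """Lower-case and back-slash a Windows path so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def classify_image_load(event):
    """Return the sideloading indicators raised by one ImageLoad record, in a fixed order."""
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    exe_name = PureWindowsPath(image).name
    exe_dir = str(PureWindowsPath(image).parent) + "\\"
    dll_name = PureWindowsPath(loaded).name
    dll_dir = str(PureWindowsPath(loaded).parent) + "\\"
    dll_signed = str(event.get("Signed", "false")).lower() == "true"

    indicators = []
    # A known-abused signed host binary executing from a user-writable location rather than its install path.
    if exe_name in WATCHED_HOST_BINARIES and not image.startswith(TRUSTED_EXE_DIRS):
        indicators.append("watched_binary_outside_trusted_dirs")
    # A DLL carrying an OS DLL's name but loaded from somewhere other than the system directories.
    if dll_name in SYSTEM_DLL_NAMES and not loaded.startswith(SYSTEM_DLL_DIRS):
        indicators.append("system_dll_name_outside_system_dirs")
    # An unsigned DLL sitting next to its host executable outside the normal install locations:
    # the classic sideloading layout, but also how many legitimate portable apps ship, hence weak.
    if exe_dir == dll_dir and not exe_dir.startswith(TRUSTED_EXE_DIRS) and not dll_signed:
        indicators.append("unsigned_sibling_dll")
    return indicators


def triage(events, threshold=2):
    """Score each record and return the ones at or above threshold, with their indicators."""
    flagged = []
    for ev in events:
        ind = classify_image_load(ev)
        score = sum(WEIGHTS[i] for i in ind)
        if score >= threshold:
            flagged.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "indicators": ind, "score": score})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "->", hit["dll"], ",".join(hit["indicators"]))
```

The fourth record (an unsigned `plugin.dll` beside an updater under ProgramData) produces only the weak indicator and is not flagged, which keeps ordinary self-contained applications out of the queue; the first record trips all three rules and lands at the top. Sysmon's Signed field describes the loaded DLL, not the process, so the host binary's legitimacy is inferred from its name and location here rather than from a signature check.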
PULSEPACK Backdoor
In August 2024, researchers identified a new modular .NET backdoor called PULSEPACK, purpose-built for stealth and flexibility.
PULSEPACK operates with a barebones core, dynamically fetching additional plugins from its command-and-control (C2) infrastructure as needed.

Early versions used TCP-based communication encrypted with AES, while later variants adopted the WebSocket protocol and split the core DLL into a plugin architecture, reducing the on-disk footprint and detection risk.
The malware performs detailed reconnaissance, collects system and user data, and supports modular plugin delivery for extended capabilities like persistence or remote command execution.
Attribution analysis links Earth Lamia to several previously reported campaigns, including those tracked as REF0657, STAC6451, and CL-STA-0048, with overlapping tools, tactics, and infrastructure.
Connections to other China-nexus groups (e.g., “DragonRank” and UNC5174) are noted but not conclusively established.
Earth Lamia’s infrastructure overlaps with attacks leveraging Cobalt Strike, Brute Ratel, and VShell, with evidence of coordinated campaigns targeting financial, educational, and critical infrastructure sectors.
Earth Lamia represents a persistent and evolving threat to organizations with exposed applications and insufficient patch management.
Their operational agility, technical sophistication, and willingness to rapidly iterate on custom malware and attack techniques make them a formidable adversary in the current cyber threat landscape.
Security teams are advised to prioritize regular patching, proactive monitoring, and deployment of advanced detection and response tools to mitigate the risk posed by actors employing tactics exemplified by Earth Lamia.