China-Linked Cyber Espionage Group Targets Global Organizations with Sophisticated Exploits


Introduction

A sophisticated cyber espionage group, believed to have connections to China, has been actively targeting organizations across the globe, exploiting critical security flaws in popular web applications and public-facing servers. The threat actor, tracked under the name Earth Lamia, has launched a series of attacks since 2023, compromising a wide range of industries including financial services, logistics, online retail, IT companies, universities, and government agencies. These attacks utilize a variety of vulnerabilities and custom-built backdoors to infiltrate networks, conduct reconnaissance, and deploy malicious tools to further their objectives.

In this article, we’ll delve deeper into the tactics, techniques, and tools used by Earth Lamia, examine the impact of their operations on global targets, and explore what makes their cyber attack strategies so dangerous.


Since 2023, Earth Lamia, a China-linked cyber espionage group, has been linked to a series of attacks on organizations in Brazil, India, Southeast Asia, and other regions. The group primarily exploits SQL injection vulnerabilities on web applications to gain unauthorized access to the SQL servers of target organizations. These attacks also leverage a range of other known vulnerabilities to compromise public-facing servers.

Key countries affected include Indonesia, Malaysia, the Philippines, Thailand, Vietnam, and India. The group’s tactics include using a variety of tools such as Cobalt Strike, Supershell, and Rakshasa to establish proxy tunnels and conduct reconnaissance. Additionally, they employ privilege escalation tools like GodPotato and JuicyPotato, and network scanning utilities like Fscan and Kscan.

In some cases, Earth Lamia has attempted to deploy ransomware, specifically Mimic ransomware, although these attempts were largely unsuccessful. In addition to these tools, the group has been observed exploiting a wide array of vulnerabilities, including critical flaws in Apache Struts2, GitLab, WordPress, and JetBrains TeamCity.

The group’s operations have evolved over time, with an initial focus on financial institutions and brokerage firms. However, in the latter half of 2024, their targets shifted to the logistics and online retail sectors, and more recently, to IT companies, universities, and government organizations. One of the key techniques used by Earth Lamia is the deployment of custom backdoors, such as PULSEPACK, which is delivered through DLL side-loading. PULSEPACK allows the threat actor to communicate with compromised servers, retrieve plugins, and carry out various functions.

As of March 2025, Trend Micro observed that Earth Lamia had updated the PULSEPACK backdoor, changing its communication method from TCP to WebSocket, highlighting the ongoing development of their malware. Trend Micro concluded that Earth Lamia’s operations are highly active and increasingly sophisticated, with the threat actor continually refining its attack methods.

What Undercode Says:

The operations of Earth Lamia represent a highly advanced and persistent form of cyber espionage, targeting a wide range of sectors across multiple regions. One of the most alarming aspects of their campaign is their ability to exploit both old and new vulnerabilities, as seen with their use of CVE-2025-31324 in SAP NetWeaver and multiple other zero-day exploits. Their focus on public-facing servers—especially Microsoft SQL Servers—demonstrates a clear understanding of the most common weaknesses in enterprise networks.

The group’s evolving tactics also highlight the adaptability of state-sponsored cybercriminals. While financial services were initially their primary target, the shift to logistics, retail, IT, and government organizations indicates a broader agenda, possibly involving strategic data theft and espionage aimed at disrupting key industries.

The use of custom malware such as PULSEPACK is another indication of the group’s sophistication. DLL side-loading, a technique often associated with Chinese hacking groups, enables Earth Lamia to remain stealthy while still maintaining a foothold within compromised networks. The transition from TCP to WebSocket for command-and-control communication shows that Earth Lamia is continuously refining their malware to evade detection and enhance its functionality.

Additionally, the fact that Earth Lamia has been unsuccessful in deploying certain ransomware attacks, such as Mimic, should not lead to complacency. Even though the ransomware attempts failed, the actors continue to deploy reconnaissance tools, which suggests a long-term, data-centric strategy that could evolve into more dangerous ransomware or even more sophisticated data exfiltration methods in the future.

Fact Checker Results

šŸ“ Analysis: Earth Lamia’s cyberattacks have been traced to a range of exploits targeting vulnerable web applications and public-facing servers. Their evolving tactics, including the use of custom backdoors and sophisticated malware, make them a persistent and high-risk threat.
šŸ“ Key Takeaway: While ransomware attempts were largely unsuccessful, the group’s ability to maintain access and deploy powerful tools for surveillance and reconnaissance presents a long-term threat to affected organizations.
šŸ“ Conclusion: Earth Lamia’s activity underscores the growing sophistication of cyber espionage groups linked to nation-states, using advanced techniques and continuous malware development to achieve their goals.

Prediction

🔮 What’s Next for Earth Lamia?

As Earth Lamia continues to refine its methods, we expect that the group will increasingly target organizations with high-value intellectual property and sensitive data. The transition to IT companies and government organizations could signal a shift towards more strategic objectives, including long-term infiltration and data harvesting for espionage purposes.

Furthermore, as cyber defenses evolve and public-facing vulnerabilities are patched, Earth Lamia will likely adapt by focusing on less-traditional attack vectors, possibly leveraging newer vulnerabilities or focusing on zero-day exploits that remain undetected. This group’s persistence and ability to evolve highlight the ongoing need for advanced cybersecurity measures and continuous vigilance by organizations across the globe.

References:

Reported By: thehackernews.com