Introduction:
In the ever-shifting battleground of cybersecurity, a sophisticated threat actor known as Earth Lamia has emerged as a major concern for global organizations. First gaining attention in 2023, this China-affiliated group has ramped up its operations through 2024 and 2025, targeting a broad range of sectors with a toolkit of customized malware and highly evasive attack techniques. Their latest campaigns reveal an alarming expansion in scope, leveraging high-impact vulnerabilities and encrypted backdoors to breach digital perimeters across continents. As this threat evolves, understanding their methods and motivations becomes critical for defenders worldwide.
Earth Lamia’s Expanding Campaigns:
Since early 2023, Earth Lamia has been systematically exploiting web application vulnerabilities to infiltrate organizations in Brazil, India, and Southeast Asia. Initially focused on the financial sector—particularly securities and brokerage firms—the group has shifted gears in 2024 to attack logistics, online retail, and most recently, IT firms, universities, and government institutions.
Their strategy begins with exhaustive vulnerability scans, seeking entry points through SQL injection flaws in public-facing web apps. Tools like sqlmap are believed to assist in these automated exploits and remote command executions. Earth Lamia also leverages a mix of well-known and recently discovered vulnerabilities, including CVE-2017-9805 (Apache Struts2), CVE-2021-22205 (GitLab), and other flaws found in modern platforms such as WordPress, TeamCity, CyberPanel, Craft CMS, and SAP NetWeaver.
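The scanning pattern described above leaves a recognisable trail in web server access logs: a burst of requests from one source whose query strings carry SQL fragments, sometimes with a scanner's own user-agent. The script below is an added example for defenders, not code from the report or from Trend Micro; it runs a handful of common injection-signature rules over constructed combined-format log lines (the IP addresses, paths and user-agents are invented for the example) and groups hits by source address so that automated probing stands out from a one-off malformed request.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not captured
# traffic from any real incident). 203.0.113.10 plays the scanning host.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:01:03 +0000] "GET /products?id=42'%20AND%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:01:04 +0000] "GET /products?id=42%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 0 "-" "sqlmap/1.8"
198.51.100.7 - - [12/May/2025:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2025:10:02:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule is (label, pattern applied to the URL-decoded request path).
PATH_RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("boolean-tautology", re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("time-based-probe", re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I)),
    ("comment-terminator", re.compile(r"--\s*$|/\*")),
]
# Rules applied to the user-agent string.
UA_RULES = [("sqlmap-user-agent", re.compile(r"sqlmap", re.I))]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])  # decode %20 etc. before matching
    return rec


def score_request(rec):
    """Return the list of rule labels that fire for one parsed request."""
    reasons = [label for label, pat in PATH_RULES if pat.search(rec["decoded_path"])]
    reasons += [label for label, pat in UA_RULES if pat.search(rec["ua"])]
    return reasons


def find_injection_probes(log_text):
    """Return flagged records (with a 'reasons' key) for every line that trips a rule."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_request(rec)
        if reasons:
            rec["reasons"] = reasons
            flagged.append(rec)
    return flagged


def scanning_sources(flagged, min_hits=2):
    """Group flagged requests by source IP; repeated hits from one address look like automated scanning."""
    counts = {}
    for rec in flagged:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = find_injection_probes(SAMPLE_LOG)
    for rec in hits:
        print(rec["ip"], rec["decoded_path"], rec["reasons"])
    print("likely scanners:", scanning_sources(hits))
```

Signature rules like these are a starting point rather than a complete detector: a scanner can change its user-agent and encode payloads differently, so the per-source aggregation in `scanning_sources` (many distinct probe shapes from one address in a short window) is the more durable signal, and it pairs naturally with a web application firewall log or a rate-limiting rule on the same field.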
Once inside, the attackers deploy payloads and establish persistence using modified open-source tools engineered for stealth. A distinct trait is their use of DLL sideloading, which allows them to inject malware via trusted programs such as Microsoft’s AppLaunch.exe. This method, along with their removal of tell-tale code signatures, helps them evade detection.
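DLL sideloading of the kind described here produces image-load telemetry that a defender can check: a trusted Microsoft host such as AppLaunch.exe running from a location it should not occupy, or loading a DLL that is not Microsoft-signed or that sits in a user-writable directory. The following is an added example, not code from the report or from any detection product; it applies those heuristics to constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields. The watchlist of host binaries, the writable-directory prefixes, and every path, DLL name and signer string in the sample are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Hypothetical watchlist (an assumption for this example, not a list from the report):
# signed Microsoft host binaries that can be copied elsewhere and coaxed into loading
# an attacker's DLL. AppLaunch.exe is the one the report names.
WATCHED_HOSTS = {"applaunch.exe"}

# Directories where a trusted Microsoft host or the DLLs it loads should not normally live.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields.
# Paths, DLL names and signer names are invented for the example.
SAMPLE_EVENTS = [
    {   # benign: AppLaunch.exe in its normal .NET directory loading a Microsoft-signed DLL
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
        "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\example_runtime.dll",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid",
    },
    {   # suspicious: host copied to a user-writable folder, loading an unsigned DLL beside it
        "Image": r"C:\Users\Public\Libraries\AppLaunch.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\example_sideload.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned",
    },
    {   # not on the watchlist: ignored by this check
        "Image": r"C:\Program Files\Example\example.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\plugin.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned",
    },
    {   # suspicious: host in its normal place, but the DLL comes from ProgramData with a non-Microsoft signer
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
        "ImageLoaded": r"C:\ProgramData\ExampleVendor\example_helper.dll",
        "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid",
    },
]


def _norm(path):
    """Lower-case and use backslashes so prefix checks are not fooled by case or slash style."""
    return path.replace("/", "\\").lower()


def assess_image_load(event):
    """Return the list of heuristics that fire for one image-load record (empty means nothing odd)."""
    host = _norm(event["Image"])
    if PureWindowsPath(host).name not in WATCHED_HOSTS:
        return []
    dll = _norm(event["ImageLoaded"])
    reasons = []
    if not host.startswith("c:\\windows\\") or host.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("host-in-unexpected-location")
    if dll.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("dll-in-user-writable-path")
    ms_signed = (
        event.get("Signed", "").lower() == "true"
        and event.get("SignatureStatus", "") == "Valid"
        and "microsoft" in event.get("Signature", "").lower()
    )
    if not ms_signed:
        reasons.append("dll-not-microsoft-signed")
    # The classic sideload layout: the relocated host and its DLL share a directory.
    if "host-in-unexpected-location" in reasons and PureWindowsPath(host).parent == PureWindowsPath(dll).parent:
        reasons.append("dll-adjacent-to-relocated-host")
    return reasons


def find_sideload_candidates(events):
    """Return (host image, loaded DLL, reasons) for every record that trips at least one heuristic."""
    out = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            out.append((ev["Image"], ev["ImageLoaded"], reasons))
    return out


if __name__ == "__main__":
    for host, dll, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{host} -> {dll}: {', '.join(reasons)}")
```

Because the report notes that the group strips code signatures from its tools, the signer check alone will not separate their loaders from the many unsigned third-party DLLs on a typical workstation; the location checks carry most of the weight, and the combination of a watched host outside its install directory with an unsigned DLL next to it is the record worth paging on.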
Key tools include the privilege escalation utility “BypassBoss” (a fork of Sharp4PrinterNotifyPotato) and a loader that uses VOIDMAW for in-memory execution. Their payloads are encrypted using RC4 or AES, making it even harder for security software to detect their presence.
In August 2024, researchers discovered a new Earth Lamia tool called PULSEPACK, a stealthy .NET backdoor designed for modular flexibility. It fetches additional malicious plugins on demand, communicates via encrypted channels (TCP or WebSockets), and can be easily extended to gather system data or execute remote commands.
These campaigns show strong overlaps with previously identified operations (e.g., REF0657, STAC6451, CL-STA-0048) and overlap in infrastructure with that used to host tools like Cobalt Strike, Brute Ratel, and VShell. While indirect links to other China-affiliated groups like DragonRank and UNC5174 exist, direct attribution remains elusive.
Given Earth Lamia’s rapid evolution, advanced technical capabilities, and persistent targeting of exposed systems, organizations are urged to adopt rigorous patching protocols, enhance their detection tools, and maintain constant vigilance.
What Undercode Say:
Earth Lamia represents a new breed of threat actor—technically sophisticated, operationally agile, and strategically shifting their targets to exploit weak links across industries. Their campaigns mark a departure from traditional cyber espionage in both scope and intensity.
PULSEPACK is particularly concerning due to its adaptive plugin-based architecture. This allows Earth Lamia to minimize its on-disk footprint while dynamically expanding its capabilities depending on the environment it infiltrates. The use of WebSocket communication adds another layer of stealth, blending malicious traffic with legitimate web activity.
Moreover, by recycling and modifying open-source tools, Earth Lamia maintains a low-cost, high-impact approach while masking its code origins. This tactic also allows them to innovate quickly, adapting to new defenses and patch cycles with minimal effort.
Attribution remains a challenge. Despite links to Chinese APTs and infrastructural similarities with other threat groups, concrete ties are still murky. This ambiguity benefits Earth Lamia, allowing them to operate in a grey zone of plausible deniability.
As organizations adopt digital transformation, the risks posed by threat groups like Earth Lamia will only increase. Companies must rethink cybersecurity as a proactive discipline rather than a reactive one. Integrating behavior-based detection, Zero Trust models, and continuous threat hunting is no longer optional—it’s essential.
Fact Checker Results: ✅
✔️ Earth Lamia has been confirmed by independent research reports from Trend Micro.
✔️ The vulnerabilities and malware tools cited are real and currently active in the wild.
✔️ Attribution to China is circumstantial but supported by overlapping tactics and infrastructure.
Prediction:
Earth Lamia will likely continue its pivot toward critical infrastructure and software supply chains. Their next targets may include cloud service providers and DevOps platforms, exploiting weak links in CI/CD pipelines. As AI-enhanced detection improves, Earth Lamia is expected to further invest in evasion techniques, possibly integrating polymorphic malware and deeper living-off-the-land strategies.
References:
Reported By: cyberpress.org