
Trend Micro’s latest threat intelligence report uncovers Earth Lamia — a stealthy and evolving China-nexus advanced persistent threat (APT) group — as it expands its reach with custom backdoors and creative exploitation techniques across critical industries worldwide.
Since 2023, Earth Lamia has orchestrated calculated attacks against organizations in Brazil, India, and Southeast Asia. Initially zeroing in on the financial services sector, the group has since pivoted to a broader range of industries including logistics, online retail, IT, academia, and government. According to Trend Micro, “Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions.”
The group’s signature intrusion method is exploiting SQL injection vulnerabilities and flaws in public-facing servers to get into target environments. The vulnerabilities it has exploited include well-known CVEs such as:
- CVE-2017-9805 (Apache Struts2 RCE)
- CVE-2021-22205 (GitLab RCE)
- CVE-2024-9047 (WordPress File Upload arbitrary access)
- CVE-2025-31324 (SAP NetWeaver unauthenticated file upload)
Trend Micro noted, “The actor tried to open a system shell through [SQL vulnerabilities] to gain remote access to the victims’ SQL servers,” likely using tools such as sqlmap.
Once inside, Earth Lamia executes a range of lateral movement techniques, including:
- Deploying webshells
- Creating admin accounts like helpdesk
- Dumping credentials from LSASS memory
- Cleaning logs with wevtutil.exe
- Scanning networks using tools like Fscan and Kscan
Notably, the group uses custom privilege escalation tools such as BypassBoss, a tampered version of the open-source Sharp4PrinterNotifyPotato. These tools are loaded through DLL sideloading alongside legitimate executables, often binaries from trusted security vendors.
In a significant shift observed since August 2024, Earth Lamia has deployed PULSEPACK, a stealthy .NET backdoor engineered for modular espionage. PULSEPACK loads minimal functionality at runtime, relying on plugins fetched from its command-and-control server.
“The delivered plugins are Base64-encoded and compressed into the ZIP format… launched with the Assembly.Load approach.”
Its upgraded 2025 variant shifts communication from TCP to WebSockets, reduces its on-disk footprint, and introduces dynamic victim identifiers. One of its plugins, TKRun.dll, ensures persistence by setting scheduled tasks for re-execution.
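Turning the lateral-movement behaviours listed above (log clearing with wevtutil.exe, creation of admin accounts such as helpdesk, shells spawned through webshells or SQL injection) and TKRun.dll's scheduled-task persistence into detection logic, as an added example that is not from the Trend Micro report: a small Python rule set run over constructed process-creation records. The record format, rule names, weights and sample command lines are assumptions, not indicators from the report.

```python
import re

# Constructed sample process-creation records (not from the report), in a
# simplified "ParentImage|Image|CommandLine" shape as exported from EDR/Sysmon.
SAMPLE_EVENTS = [
    "w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "cmd.exe|net.exe|net user helpdesk Summer2024! /add",
    "cmd.exe|net.exe|net localgroup administrators helpdesk /add",
    "cmd.exe|wevtutil.exe|wevtutil.exe cl Security",
    "cmd.exe|schtasks.exe|schtasks /create /tn Updater /tr C:\\Users\\Public\\run.exe /sc minute /mo 30",
    "explorer.exe|notepad.exe|notepad.exe readme.txt",  # benign control record
]

# (rule name, command-line pattern, optional parent-image pattern)
RULES = [
    ("log_clear_wevtutil", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), None),
    ("local_account_added",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I), None),
    ("added_to_administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I), None),
    ("scheduled_task_created", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I), None),
    # A web or database server process spawning a shell is the usual footprint of
    # a webshell or of OS command execution reached through an injected SQL query.
    ("server_spawned_shell", re.compile(r"^(cmd|powershell)(\.exe)?\b", re.I),
     re.compile(r"^(w3wp|httpd|tomcat\d*|sqlservr)\.exe$", re.I)),
]

def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}

def evaluate(events):
    """Return {rule_name: [matching command lines]} for the given records."""
    hits = {}
    for line in events:
        ev = parse_event(line)
        for name, cmd_re, parent_re in RULES:
            if not cmd_re.search(ev["cmdline"]):
                continue
            if parent_re is not None and not parent_re.match(ev["parent"]):
                continue
            hits.setdefault(name, []).append(ev["cmdline"])
    return hits

def triage_score(hits):
    # Log clearing and server-spawned shells carry the most weight for triage.
    weights = {"log_clear_wevtutil": 3, "server_spawned_shell": 3,
               "added_to_administrators": 2, "local_account_added": 1,
               "scheduled_task_created": 1}
    return sum(weights.get(name, 0) for name in hits)
```

On the sample records every rule fires once and the benign notepad.exe record matches nothing; a shell launched from explorer.exe is deliberately not flagged by the parent constraint.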

Earth Lamia encrypts its payloads using RC4 and AES, storing malicious shellcode inside innocuous-looking files like readme.txt and VCRUNTIME140C.dll. A DLL sideloader decrypts and runs this code in memory.
One sample employed VOIDMAW, a tool designed “to bypass memory scanners,” injecting tools such as JuicyPotato and Brute Ratel via sideloaded DLLs.
Earth Lamia’s operations overlap with other China-linked campaigns:
- REF0657 (2023 financial attacks)
- CL-STA-0048 (linked to DragonRank)
- IPs and infrastructure overlap with UNC5174 campaigns using VShell and the SNOWLIGHT stager
However, Trend Micro emphasizes that attribution remains nuanced: “We believe part of CL-STA-0048’s activities are from Earth Lamia’s operation… however, we have only a medium confidence.”
Earth Lamia represents a formidable APT actor that blends custom malware, legitimate software abuse, and agile targeting. Organizations are urged to implement continuous patching, vigilant monitoring, and behavior-based threat detection.