Full Report
The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. "The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations," Trend
Analysis Summary
# Threat Actor: Earth Lamia
## Attribution & Identity
* **Attribution:** China-linked threat actor.
* **Aliases and Associations:** Tracked as **Earth Lamia** by Trend Micro. Shares overlap with threat clusters documented as:
  * REF0657 (Elastic Security Labs)
  * STAC6451 (Sophos)
  * CL-STA-0048 (Palo Alto Networks Unit 42)
## Activity Summary
Earth Lamia is described as a "highly active" cyber espionage group involved in widespread attacks across Asia since 2023.
* **Recent Activity:** In May 2025, the actor was observed exploiting in the wild a critical security flaw in **SAP NetWeaver (CVE-2025-31324)** to establish reverse shells.
* **Historical Campaigns:** The group primarily targets SQL injection vulnerabilities in web applications to access SQL servers. They exploit various known vulnerabilities in public-facing servers for initial access.
* **Ransomware Attempts:** Select intrusions against Indian entities involved attempts to deploy **Mimic ransomware** binaries, although these efforts were largely unsuccessful.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting SQL injection vulnerabilities; weaponizing zero-day and N-day vulnerabilities on public-facing servers, including:
  * CVE-2025-31324 (SAP NetWeaver RCE via file upload)
  * CVE-2017-9805 (Apache Struts2 RCE)
  * CVE-2021-22205 (GitLab RCE)
  * CVE-2024-9047 (WordPress File Upload arbitrary file access)
  * CVE-2024-27198 (JetBrains TeamCity authentication bypass)
  * CVE-2024-27199 (JetBrains TeamCity path traversal)
  * CVE-2024-51378 (CyberPanel RCE)
  * CVE-2024-51567 (CyberPanel RCE)
  * CVE-2024-56145 (Craft CMS RCE)
* **Post-Exploitation & Persistence:**
  * Deploying custom backdoors like **PULSEPACK** via **DLL side-loading**.
  * Using post-exploitation tools like **Cobalt Strike** and **Supershell**.
  * Establishing proxy tunnels using **Rakshasa** and **Stowaway**.
  * Privilege escalation using **GodPotato** and **JuicyPotato**.
  * Network scanning using **Fscan** and **Kscan**.
* **Log Tampering:** Utilizing legitimate tools like `wevtutil.exe` to clean Windows Application, System, and Security event logs.
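The log-tampering technique above leaves two kinds of evidence a defender can alert on: the event Windows itself writes when a log is cleared (Security event 1102, System event 104), and the process-creation record (Security 4688 or Sysmon event 1) of `wevtutil.exe` being run with its clear-log verb (`cl` / `clear-log`). The detector below is an added example, not part of the original report or Trend Micro's research; the event records it consumes are constructed sample data in a simplified dictionary form, and the host names and paths in them are made up.

```python
"""Detect Windows event-log clearing, including wevtutil.exe usage.

Two independent signals are checked:
  1. The "log cleared" events Windows writes on its own behalf
     (Security 1102, System 104), which survive even if the
     clearing tool is renamed.
  2. Process-creation records (Security 4688, Sysmon 1) whose
     command line runs wevtutil with the clear-log verb.
Event records are assumed to be dicts with host, channel, event_id
and an optional command_line (a simplified stand-in for parsed EVTX).
"""
from dataclasses import dataclass

# Events Windows writes when a log is cleared: (channel, event_id).
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
# Process-creation events from Security auditing and Sysmon.
PROCESS_CREATE_EVENTS = {
    ("Security", 4688),
    ("Microsoft-Windows-Sysmon/Operational", 1),
}
CLEAR_VERBS = {"cl", "clear-log"}


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    detail: str


def is_wevtutil_clear(command_line: str) -> bool:
    """True if the command line runs wevtutil with the clear-log verb.

    wevtutil's syntax is COMMAND [ARGS] [/OPTION:VALUE], so the verb is
    the first argument that is not a /option.
    """
    argv = command_line.replace('"', "").split()
    if not argv:
        return False
    image = argv[0].lower()
    if not (image.endswith("wevtutil.exe") or image.endswith("wevtutil")):
        return False
    verb = next((a for a in argv[1:] if not a.startswith("/")), "")
    return verb.lower() in CLEAR_VERBS


def detect_log_clearing(events):
    """Return one Alert per event that indicates a log was (or is being) cleared."""
    alerts = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEARED_EVENTS:
            alerts.append(Alert(ev["host"], "log-cleared",
                                f"{ev['channel']} event {ev['event_id']}"))
        elif key in PROCESS_CREATE_EVENTS and is_wevtutil_clear(ev.get("command_line", "")):
            alerts.append(Alert(ev["host"], "wevtutil-clear", ev["command_line"]))
    return alerts


# Constructed sample events (not real telemetry); host names are invented.
SAMPLE_EVENTS = [
    {"host": "srv-sql01", "channel": "Security", "event_id": 4688,
     "command_line": "C:\\Windows\\System32\\wevtutil.exe cl Security"},
    {"host": "srv-sql01", "channel": "Security", "event_id": 1102},
    # Benign: querying the Application log is not a clear.
    {"host": "srv-sql01", "channel": "Security", "event_id": 4688,
     "command_line": "wevtutil.exe qe Application /c:5"},
    {"host": "ws-042", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "command_line": '"C:\\Windows\\System32\\wevtutil.exe" clear-log Application'},
    {"host": "ws-042", "channel": "System", "event_id": 104},
]


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.reason} ({alert.detail})")
```

Keeping the two signals separate matters in practice: the 1102/104 events are written by the event log service itself, so they fire regardless of which tool cleared the log, while the command-line check catches the attempt at the moment it happens and can be forwarded before the local log is wiped.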
## Targeting
* **Sectors:** Evolving focus over time:
  * **Early 2024/Prior:** Financial industry (securities and brokerage).
  * **Mid-2024:** Logistics and online retail.
  * **Recently:** IT companies, universities, and government organizations.
* **Geography:** Brazil, India, Southeast Asia (including Indonesia, Malaysia, the Philippines, Thailand, and Vietnam).
* **Victims:** Organizations running internet-exposed Microsoft SQL Servers.
## Tools & Infrastructure
* **Malware/Custom Tools:**
  * PULSEPACK (modular .NET-based implant, updated in March 2025 to use WebSocket C2 communication).
  * Cobalt Strike
  * Supershell
  * Rakshasa (tunneling)
  * Stowaway (tunneling)
  * GodPotato (privilege escalation)
  * JuicyPotato (privilege escalation)
  * Mimic ransomware (staged, but execution often failed).
* **Infrastructure:** C2 communication infrastructure; observed changing C2 methods in newer PULSEPACK versions (e.g., moving to WebSocket).
## Implications
Earth Lamia runs an aggressive operation that continuously develops and refines its attack tactics, including the adoption of techniques common among Chinese hacking groups (DLL side-loading). Its broad targeting across critical sectors (finance, government, IT) and geographic regions indicates a high-priority cyber espionage mandate.
## Mitigations
* Prioritize patching and remediation for the exploited vulnerabilities, especially web application flaws on public-facing servers (e.g., CVE-2025-31324).
* Implement robust endpoint detection and response (EDR) capable of detecting DLL side-loading techniques.
* Monitor for the deployment of Cobalt Strike, Supershell, and custom backdoors like PULSEPACK.
* Ensure strong security for all internet-facing SQL servers and web applications (focusing on SQL injection defense).
* Implement logging and monitoring to detect attempts to clear Windows event logs using tools like `wevtutil.exe`.
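Because the group's initial access rests on SQL injection in web applications (see Initial Access above), the most effective single mitigation is parameterized queries. The snippet below is an added example, not code from the report or from any affected product: it places the string-built query beside its bound-parameter form and also covers the one case parameters cannot handle, a caller-chosen identifier such as an ORDER BY column, which needs an allowlist instead. It uses Python's built-in sqlite3 as an offline stand-in for SQL Server; the assumption is that SQL Server drivers such as pyodbc use the same `?` placeholder pattern. Table contents and the probe string are constructed test data.

```python
"""Vulnerable string-built SQL beside its parameterized form.

sqlite3 is used as an offline stand-in for SQL Server (assumption: the
same '?' placeholder pattern applies to pyodbc and similar drivers).
"""
import sqlite3

# Identifiers cannot be bound as parameters, so they are allowlisted.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def make_db():
    """Build a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the caller's input is spliced into SQL text, so quotes and
    operators in it are parsed as part of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """HARDENED: the value is bound to a placeholder and is never parsed as SQL,
    whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def list_users_sorted(conn, sort_column):
    """Identifier case: validate against an allowlist before interpolating."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()


# Constructed probe: the textbook tautology used in SQLi defense tutorials.
PROBE = "x' OR '1'='1"


def demo():
    """Run the same probe through both lookups and return the row sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PROBE),  # all rows leak
        "hardened": lookup_hardened(conn, PROBE),      # no such user
        "normal": lookup_hardened(conn, "bob"),        # ordinary lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The contrast is the point: with the bound parameter, the probe string is compared literally against `username` and matches nothing, while the string-built version returns every row. The allowlist helper shows why "just parameterize everything" is incomplete advice; column and table names still have to be validated by the application.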