Earth Lamia Hackers Exploit Vulnerabilities in Web Applications to Attack Multiple Industries
Cybersecurity researchers at Trend Research have uncovered the aggressive operations of Earth Lamia, a China-nexus Advanced Persistent Threat (APT) group that has been targeting organizations across Brazil, India, and Southeast Asia since 2023.
This threat actor has demonstrated a sophisticated approach to cyber intrusions by exploiting SQL injection vulnerabilities in web applications to infiltrate SQL servers and leveraging known flaws in public-facing systems.
A Rising Threat Across Brazil, India, and Southeast Asia
The group's targeting has evolved over time: in early 2024 it focused on financial services, particularly securities and brokerage firms, before shifting to logistics and online retail in the latter half of the year.
Most recently, Earth Lamia has set its sights on IT companies, universities, and government entities, showcasing a strategic adaptability that poses a significant risk to diverse industries.
Earth Lamia’s technical prowess lies in its ability to develop and customize hacking tools to evade detection by traditional security software.
Notable among these are PULSEPACK, a modular .NET backdoor first seen in August 2024 with an upgraded WebSocket-based version emerging in March 2025, and BypassBoss, a modified privilege escalation tool derived from open-source code.

The group also employs tactics like DLL sideloading, using legitimate binaries such as Microsoft’s AppLaunch.exe to execute malicious payloads in memory, often packaging tools with VOIDMAW to bypass memory scanners.
Their exploitation of vulnerabilities, including CVE-2017-9805 (Apache Struts2), CVE-2021-22205 (GitLab), and the recent CVE-2025-31324 (SAP NetWeaver Visual Composer), underscores their focus on unpatched systems.

Customized Tools
Post-exploitation, they engage in lateral movement within networks by deploying webshells, escalating privileges with tools like GodPotato, and exfiltrating data through proxy tunnels and backdoors like Cobalt Strike and Brute Ratel.
According to Trend Micro, their use of commands to create unauthorized accounts such as “sysadmin123” on SQL servers further amplifies the threat of data theft.
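A defender-side check for the account-creation behaviour described above, added here as an example and not taken from the Trend Research report: it scans database audit records (in a constructed, simplified record format, assumed for illustration) for server-principal changes issued by the web application's own database login, which in normal operation should never create logins or grant the sysadmin role.

```python
import re

# Server-level principal changes that an application login should never issue.
# A hit from such a login is a strong signal of SQL injection being used to
# plant an unauthorized account (e.g. "sysadmin123") on the SQL Server.
PRINCIPAL_CHANGE = re.compile(
    r"\bCREATE\s+LOGIN\s+\[?(?P<login>[\w.$@\\-]+)\]?"
    r"|\bALTER\s+SERVER\s+ROLE\s+\[?sysadmin\]?\s+ADD\s+MEMBER\s+\[?(?P<member>[\w.$@\\-]+)\]?"
    r"|\bsp_addsrvrolemember\s+'?(?P<member2>[\w.$@\\-]+)'?\s*,\s*'?sysadmin'?",
    re.IGNORECASE,
)

def find_unauthorized_principal_changes(events, app_logins):
    """Return (timestamp, session_login, affected_principal) for every server
    principal change issued by a login listed in app_logins.
    Each event is a dict with 'ts', 'login' and 'statement' (hypothetical format)."""
    alerts = []
    for ev in events:
        if ev["login"] not in app_logins:
            continue  # DBA activity is reviewed elsewhere; only app logins are in scope
        m = PRINCIPAL_CHANGE.search(ev["statement"])
        if not m:
            continue
        target = m.group("login") or m.group("member") or m.group("member2")
        alerts.append((ev["ts"], ev["login"], target))
    return alerts

# Constructed sample audit events (not real captured data).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:00:01", "login": "webapp_svc",
     "statement": "SELECT id, name FROM products WHERE category = 'shoes'"},
    {"ts": "2025-03-01T10:00:07", "login": "webapp_svc",
     "statement": "SELECT id FROM products WHERE id = 1; CREATE LOGIN sysadmin123 WITH PASSWORD = '<redacted>'"},
    {"ts": "2025-03-01T10:00:09", "login": "webapp_svc",
     "statement": "ALTER SERVER ROLE sysadmin ADD MEMBER sysadmin123"},
    {"ts": "2025-03-01T10:00:12", "login": "webapp_svc",
     "statement": "EXEC sp_addsrvrolemember 'sysadmin123', 'sysadmin'"},
    {"ts": "2025-03-01T10:05:00", "login": "DOMAIN\\dba_jane",
     "statement": "ALTER SERVER ROLE sysadmin ADD MEMBER DOMAIN\\dba_bob"},
]

if __name__ == "__main__":
    for alert in find_unauthorized_principal_changes(SAMPLE_EVENTS, {"webapp_svc"}):
        print("ALERT: %s login %s created/elevated server principal %s" % alert)
```

In practice the event source would be SQL Server Audit output or an equivalent query log; the set of application logins is the allowlist of accounts a web tier is expected to use.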
Earth Lamia’s infrastructure, including IP addresses like 43.247.135.53 and 103.30.76.206, has been linked to their command-and-control (C&C) operations, with connections to other intrusion sets like REF0657 and STAC6451.
While some overlaps with campaigns like Mimic ransomware and DragonRank have been observed, researchers maintain that Earth Lamia operates as a distinct entity, focusing on espionage and data exfiltration rather than ransomware deployment.
Trend Vision One has been pivotal in detecting and blocking associated Indicators of Compromise (IOCs), providing hunting queries and intelligence reports to counter this evolving threat.
As Earth Lamia continues to refine its arsenal and target selection, organizations must prioritize system patching, robust monitoring, and proactive security solutions to mitigate the risk of falling victim to these meticulously crafted attacks.
The global cybersecurity community remains on high alert as this APT group’s operations show no signs of slowing down, emphasizing the urgent need for fortified defenses against such persistent and technically adept adversaries.