Cyber Web Spider Blog – News
Chinese Hacking Group ‘Earth Lamia’ Targets Multiple Industries

Posted on May 29, 2025 By CWS

A Chinese threat actor has been targeting known vulnerabilities in web applications to compromise organizations in multiple sectors around the world, Trend Micro reports.

Active since at least 2023 and tracked as Earth Lamia, the hacking group has been targeting the financial, government, IT, logistics, retail, and education sectors, albeit focusing only on specific industries over different time periods.

Highly active, the threat actor has been observed exploiting known security defects in various public-facing assets, but primarily targeting SQL injection vulnerabilities in web applications.

Exploited flaws include CVE-2017-9805 (Apache Struts), CVE-2021-22205 (GitLab), CVE-2024-9047 (WordPress), CVE-2024-27198 and CVE-2024-27199 (TeamCity), CVE-2024-51378 and CVE-2024-51567 (CyberPanel), CVE-2024-56145 (Craft CMS), and, more recently, CVE-2025-31324 (SAP NetWeaver).

After initial access, Earth Lamia was seen dropping additional tools, deploying webshells, escalating privileges, creating administrator accounts, extracting credentials, scanning the network, setting up proxy tunnels, executing backdoors, and achieving persistence.

Additionally, the attacks would leverage SQL injection vulnerabilities to create a new ‘sysadmin123’ account on targeted SQL servers, obtaining administrative privileges to directly access and steal victim data.
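
A defender-side audit for the account described above, as an added example that is not part of the original report: the query lists logins that hold the sysadmin role, carry the reported name 'sysadmin123', or were created recently. It assumes Microsoft SQL Server (the page says only "SQL servers") and a 30-day review window chosen for illustration.

```sql
-- Added example: audit server-level logins for the account name reported
-- on this page. Assumption: Microsoft SQL Server; run as a login that can
-- see all server principals (for example, a member of sysadmin).
DECLARE @reported_name sysname = N'sysadmin123';  -- name taken from the page
DECLARE @review_days   int     = 30;              -- assumed review window

SELECT
    p.name                                   AS login_name,
    p.type_desc                              AS login_type,
    p.create_date,
    p.modify_date,
    p.is_disabled,
    IS_SRVROLEMEMBER('sysadmin', p.name)     AS is_sysadmin,
    -- Case-insensitive match so 'SysAdmin123' is caught on
    -- case-sensitive server collations as well.
    CASE WHEN p.name COLLATE Latin1_General_CI_AS = @reported_name
         THEN 1 ELSE 0 END                   AS matches_reported_name
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')              -- SQL login, Windows login, Windows group
  AND (
        IS_SRVROLEMEMBER('sysadmin', p.name) = 1
     OR p.name COLLATE Latin1_General_CI_AS = @reported_name
     OR p.create_date >= DATEADD(DAY, -@review_days, SYSDATETIME())
      )
ORDER BY matches_reported_name DESC, p.create_date DESC;
```

Any row with `matches_reported_name = 1`, or a sysadmin member whose `create_date` does not line up with a known change, warrants review of who created it and from where.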

The threat actor was seen using legitimate utilities, BypassBoss (a modified version of a tool originally shared on Chinese forums), open source tools, and custom loaders for sideloading malicious DLLs into security applications, to execute Cobalt Strike and Brute Ratel shellcode.

The hacking group has deployed a modular .NET backdoor dubbed Pulsepack that can load plugins from its command-and-control (C&C) server when needed. The core executable can only communicate with the C&C, but each plugin expands its capabilities.

Earth Lamia has been targeting organizations in Brazil, India, and Southeast Asia since 2023. While their aggressive operations have been mentioned in previous security reports, Trend Micro believes that it is an individual China-nexus group.

The cybersecurity firm has identified connections to REF0657, which targeted the financial services sector in South Asia in January 2024, and the STAC6451 campaign that deployed the Mimic ransomware, although Earth Lamia has not been observed using ransomware.

The hacking group also appears to be linked to the CL-STA-0048 espionage campaign detailed in January 2025, which can be linked to the Chinese threat actor DragonRank.

“Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions. At the same time, the threat actor continuously refines their attack tactics by developing custom hacking tools and new backdoors,” Trend Micro notes.
