Chinese Hack Group ‘Earth Lamia’ Hits Multiple Industries

A Chinese hacking group known as Earth Lamia has been actively targeting organizations worldwide by exploiting known vulnerabilities in web applications. According to Trend Micro, the group has been operational since at least 2023 and has focused on sectors such as finance, government, IT, logistics, retail, and education, shifting its targets over time. The hackers primarily exploit SQL injection flaws in public-facing systems, including vulnerabilities in Apache Struts, GitLab, WordPress, TeamCity, CyberPanel, Craft CMS, and most recently SAP NetWeaver.

Once they gain initial access, Earth Lamia deploys tools like webshells, escalates privileges, creates new administrator accounts, steals credentials, scans the network, sets up proxy tunnels, and establishes persistence on compromised systems. One notable technique includes using SQL injection to create a ‘sysadmin123’ account on SQL servers, giving them direct access to sensitive data. They also use a mix of legitimate and modified tools, such as BypassBoss, open-source utilities, and custom loaders to sideload malicious DLLs into security software and execute Cobalt Strike and Brute Ratel shellcode.
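For defenders, the account-creation technique described above leaves a trace on the database server: a web application's service account should never create server logins or grant the sysadmin role. The following detection sketch is an added example, not taken from the Trend Micro report; the record layout, the `webapp_svc` and `dba_alice` account names, and the sample statements are constructed assumptions.

```python
import re

# Constructed sample of SQL Server audit records: (time, executing login, statement).
SAMPLE_EVENTS = [
    ("2025-01-10T02:14:07", "webapp_svc", "SELECT id, name FROM products WHERE id = 42"),
    ("2025-01-10T02:14:09", "webapp_svc", "CREATE LOGIN sysadmin123 WITH PASSWORD = '<redacted>'"),
    ("2025-01-10T02:14:09", "webapp_svc", "ALTER SERVER ROLE sysadmin ADD MEMBER sysadmin123"),
    ("2025-01-10T09:30:00", "dba_alice", "CREATE LOGIN report_reader WITH PASSWORD = '<redacted>'"),
    ("2025-01-10T09:31:00", "dba_alice", "EXEC sp_addsrvrolemember 'etl_job', 'sysadmin'"),
]

CREATE_LOGIN = re.compile(r"\bCREATE\s+LOGIN\s+\[?([\w$#@]+)\]?", re.I)
# Both the current and the legacy T-SQL ways of adding a login to sysadmin.
SYSADMIN_GRANTS = [
    re.compile(r"\bALTER\s+SERVER\s+ROLE\s+\[?sysadmin\]?\s+ADD\s+MEMBER\s+\[?([\w$#@]+)\]?", re.I),
    re.compile(r"\bsp_addsrvrolemember\s+(?:@loginame\s*=\s*)?N?'([^']+)'\s*,"
               r"\s*(?:@rolename\s*=\s*)?N?'sysadmin'", re.I),
]

def find_suspicious_principal_changes(events, app_accounts=frozenset({"webapp_svc"})):
    """Return (time, actor, login, reason) tuples for principal changes worth triage."""
    created = set()   # logins created earlier in this record set (lowercased)
    findings = []
    for ts, actor, stmt in events:
        m = CREATE_LOGIN.search(stmt)
        if m:
            created.add(m.group(1).lower())
            if actor in app_accounts:
                findings.append((ts, actor, m.group(1), "login created by application account"))
        for pattern in SYSADMIN_GRANTS:
            g = pattern.search(stmt)
            if not g:
                continue
            login = g.group(1)
            if actor in app_accounts:
                findings.append((ts, actor, login, "sysadmin granted by application account"))
            elif login.lower() in created:
                findings.append((ts, actor, login, "newly created login promoted to sysadmin"))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_principal_changes(SAMPLE_EVENTS):
        print(finding)
```
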

The group employs a modular .NET backdoor called Pulsepack, which connects to a command-and-control server to download plugins that enhance its functionality. Earth Lamia has targeted organizations in Brazil, India, and Southeast Asia and has been linked to previous campaigns such as REF0657 and STAC6451, although it has not used ransomware itself. There is also evidence connecting Earth Lamia to the espionage campaign CL-STA-0048 and the Chinese threat actor DragonRank. Trend Micro concludes that Earth Lamia is a determined and evolving threat, consistently developing new tools and refining its techniques to carry out sophisticated cyberattacks across various industries. 
