SecurityWeek
Chinese Hacking Group ‘Earth Lamia’ Targets Multiple Industries

Active since at least 2023, the hacking group has been targeting the financial, government, IT, logistics, retail, and education sectors.

A Chinese threat actor has been targeting known vulnerabilities in web applications to compromise organizations in various sectors around the world, Trend Micro reports.

Active since at least 2023 and tracked as Earth Lamia, the hacking group has been targeting the financial, government, IT, logistics, retail, and education sectors, concentrating on different industries during different periods.

Highly active, the threat actor has been observed exploiting known security defects in various public-facing assets, but mainly targeting SQL injection vulnerabilities in web applications.

Exploited flaws include CVE-2017-9805 (Apache Struts), CVE-2021-22205 (GitLab), CVE-2024-9047 (WordPress), CVE-2024-27198 and CVE-2024-27199 (TeamCity), CVE-2024-51378 and CVE-2024-51567 (CyberPanel), CVE-2024-56145 (Craft CMS), and, more recently, CVE-2025-31324 (SAP NetWeaver).

After initial access, Earth Lamia was seen dropping additional tools, deploying webshells, escalating privileges, creating administrator accounts, extracting credentials, scanning the network, setting up proxy tunnels, executing backdoors, and achieving persistence.

Additionally, the attacks would leverage SQL injection vulnerabilities to create a new ‘sysadmin123’ account on targeted SQL servers, obtaining administrative privileges to directly access and steal victim data.
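As an added defender-side example (not code from the article or from Trend Micro's report), the scanner below flags SQL Server statements that create a login or grant it sysadmin membership, treating the reported 'sysadmin123' name as a high-confidence indicator and any such change issued by an application-level principal, which is what an injected query runs as, as suspicious. The pipe-separated log layout, the principal names, and the allowlist are assumptions for the example.

```python
import re
from collections import namedtuple

# Constructed sample lines in a simplified "timestamp | principal | statement" layout (an assumption for
# this example, not a real audit format); the webapp_user lines model an injected query creating 'sysadmin123'.
SAMPLE_AUDIT = """\
2025-05-28T09:12:01Z | webapp_user | SELECT id, name FROM products WHERE id = 42
2025-05-28T09:12:03Z | webapp_user | EXEC sp_configure 'show advanced options', 1
2025-05-28T09:12:04Z | webapp_user | CREATE LOGIN sysadmin123 WITH PASSWORD = '<redacted>'
2025-05-28T09:12:05Z | webapp_user | ALTER SERVER ROLE sysadmin ADD MEMBER sysadmin123
2025-05-28T10:00:00Z | dba_admin   | CREATE LOGIN reporting_svc WITH PASSWORD = '<redacted>'
2025-05-28T10:00:01Z | dba_admin   | EXEC sp_addsrvrolemember 'reporting_svc', 'sysadmin'
"""

KNOWN_INDICATOR_LOGINS = {"sysadmin123"}  # account name reported by Trend Micro
LOGIN_ADMIN_PRINCIPALS = {"dba_admin"}    # assumed allowlist of principals expected to manage logins

# Statements that create a login or grant it server-level sysadmin membership.
PATTERNS = (
    (re.compile(r"\bCREATE\s+LOGIN\s+\[?(\w+)\]?", re.I), "create_login"),
    (re.compile(r"\bALTER\s+SERVER\s+ROLE\s+\[?sysadmin\]?\s+ADD\s+MEMBER\s+\[?(\w+)\]?", re.I), "add_sysadmin"),
    (re.compile(r"\bsp_addsrvrolemember\s+'?\[?(\w+)\]?'?\s*,\s*'?sysadmin'?", re.I), "add_sysadmin"),
)

Finding = namedtuple("Finding", "timestamp principal login action severity")

def classify(principal: str, login: str) -> str:
    # high: reported indicator name; medium: issued by a non-admin principal (what an injected query runs as)
    if login.lower() in KNOWN_INDICATOR_LOGINS:
        return "high"
    if principal not in LOGIN_ADMIN_PRINCIPALS:
        return "medium"
    return "info"

def scan_audit(text: str) -> list:
    """Return one Finding per statement that creates a login or adds one to sysadmin."""
    findings = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # not in the expected layout
        timestamp, principal, statement = parts
        for regex, action in PATTERNS:
            match = regex.search(statement)
            if match:
                login = match.group(1)
                findings.append(Finding(timestamp, principal, login, action, classify(principal, login)))
                break
    return findings
```

Running `scan_audit(SAMPLE_AUDIT)` yields two high-severity findings for the sysadmin123 creation and elevation, and two info-level findings for the DBA's expected changes; "info" findings are still returned so an expected change can be reviewed rather than silently dropped.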

The threat actor was seen using legitimate utilities, BypassBoss (a modified version of a tool originally shared on Chinese forums), open source tools, and custom loaders for sideloading malicious DLLs into security applications, to execute Cobalt Strike and Brute Ratel shellcode.

The hacking group has deployed a modular .NET backdoor dubbed Pulsepack that can load plugins from its command-and-control (C&C) server when needed. The core executable can only communicate with the C&C, but each plugin expands its capabilities.

Earth Lamia has been targeting organizations in Brazil, India, and Southeast Asia since 2023. Although its aggressive operations have been mentioned in earlier security reports, Trend Micro assesses it to be a distinct China-nexus group.

The cybersecurity firm has identified connections to REF0657, which targeted the financial services sector in South Asia in January 2024, and the STAC6451 campaign that deployed the Mimic ransomware, although Earth Lamia has not been observed using ransomware.

The hacking group also appears to be linked to the CL-STA-0048 espionage campaign detailed in January 2025, which is also linked to the Chinese threat actor DragonRank.

“Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions. At the same time, the threat actor continuously refines their attack tactics by developing custom hacking tools and new backdoors,” Trend Micro notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.