
Earth Lamia: China-Linked Threat Actor Expands Global Espionage and Exploitation Operations


CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

A China-linked cyber threat group, tracked as Earth Lamia, has been identified as the actor behind a broad set of sophisticated cyberattacks, including the recent in-the-wild exploitation of a critical vulnerability in SAP NetWeaver (CVE-2025-31324). The group has been active since 2023, primarily targeting organizations across Brazil, India, Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.

Cybersecurity researchers at Trend Micro have released an analysis detailing Earth Lamia’s techniques, evolving targets, and malware infrastructure, positioning the group as a persistent and highly active threat across both public and private sectors.

Attack Vectors and Tactics

Earth Lamia employs a multi-pronged exploitation strategy, relying primarily on SQL injection flaws in web applications and on publicly known vulnerabilities in internet-facing servers for initial access. Once a foothold is established, the group brings in a post-exploitation toolkit that includes:

  • Reconnaissance Tools: Fscan, Kscan

  • Privilege Escalation Utilities: GodPotato, JuicyPotato

  • Remote Access Frameworks: Cobalt Strike, Supershell

  • Proxy Tunneling Tools: Rakshasa, Stowaway

  • Log Cleanup Utilities: wevtutil.exe for deleting Windows event logs

Together these tools give the operators network visibility, elevated privileges, lateral movement, persistent remote access, and a way to erase evidence of their activity on compromised hosts.
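Most of the tools above leave a distinctive footprint in process-creation telemetry, which is where a defender can pick up this chain early. The following is an added detection example, my own code rather than anything from Trend Micro or the newsletter: it runs a few rules keyed on the tool names in the list over Windows process-creation records and rolls the hits up per host, so that a web-server worker spawning a scanner followed by a Potato binary and a wevtutil log wipe shows up as one chain rather than three isolated alerts. The records, hostnames and command lines are constructed for illustration, and the field layout is an assumption about how your SIEM presents Event ID 4688 or Sysmon Event ID 1 data.

```python
"""Flag Earth Lamia-style post-exploitation tooling in process-creation events.

Added example; not code from Trend Micro or the newsletter. The records below
are constructed to resemble Windows Security 4688 / Sysmon Event ID 1 data.
Field names, hostnames and command lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# One rule per tool family named in the article:
# (rule name, regex applied to the full command line, severity).
RULES = [
    ("event-log clearing (wevtutil)",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "high"),
    ("Potato-family privilege escalation",
     re.compile(r"\b(god|juicy)potato", re.I), "high"),
    ("network scanning (Fscan/Kscan)",
     re.compile(r"\b[fk]scan(\.exe)?\b", re.I), "medium"),
    ("proxy tunnelling (Rakshasa/Stowaway)",
     re.compile(r"\b(rakshasa|stowaway)", re.I), "medium"),
]

# Parent processes that indicate the chain started inside a public-facing web
# application, the entry point the article describes.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "java.exe", "php-cgi.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str   # image name of the parent process
    cmdline: str  # full command line of the new process


@dataclass
class HostSummary:
    rules: set = field(default_factory=set)
    web_origin: bool = False    # some flagged command descends from a web worker
    log_clearing: bool = False  # wevtutil cl / clear-log was seen on this host


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    Event("WEB01", "IIS APPPOOL\\DefaultAppPool", "w3wp.exe",
          "cmd.exe /c fscan.exe -h 10.10.0.0/24 -o out.txt"),
    Event("WEB01", "IIS APPPOOL\\DefaultAppPool", "cmd.exe",
          'GodPotato-NET4.exe -cmd "cmd /c whoami"'),
    Event("WEB01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "wevtutil.exe cl Security"),
    Event("WEB01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "wevtutil cl System"),
    # Benign: a backup account querying, not clearing, the Security log.
    Event("DC01", "CORP\\backupsvc", "svchost.exe",
          "wevtutil.exe qe Security /c:5 /f:text"),
    Event("FS02", "CORP\\jsmith", "explorer.exe",
          "C:\\Windows\\System32\\notepad.exe report.txt"),
]


def scan_events(events):
    """Return (event, rule name, severity) for every command line a rule matches."""
    hits = []
    for ev in events:
        for name, pattern, severity in RULES:
            if pattern.search(ev.cmdline):
                hits.append((ev, name, severity))
    return hits


def summarize(events):
    """Roll individual hits up per host so the analyst sees the whole chain."""
    summary = {}
    for ev, name, _severity in scan_events(events):
        s = summary.setdefault(ev.host, HostSummary())
        s.rules.add(name)
        if ev.parent.lower() in WEB_WORKERS:
            s.web_origin = True
        if name.startswith("event-log clearing"):
            s.log_clearing = True
    return summary


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_EVENTS).items():
        print(host, sorted(s.rules),
              f"web_origin={s.web_origin} log_clearing={s.log_clearing}")
```

Note that the wevtutil rule deliberately matches only `cl` / `clear-log`; a query (`qe`) from a service account is routine and should not page anyone. The per-host roll-up is what separates a noisy scanner alert from an incident: a host where the first flagged command was spawned by a web worker and the last one cleared the Security log is the pattern described above, and should be treated as a likely webshell-driven compromise rather than a false positive.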

Targets and Shifting Priorities

Earth Lamia’s focus has evolved significantly over time:

  • Early 2024 and Prior: Primary focus on financial services, especially securities and brokerage firms

  • Mid-to-Late 2024: Shift to logistics and online retail industries

  • 2025: Recent targeting includes IT companies, universities, and government entities

This dynamic targeting pattern suggests a strategic approach that adapts to both geopolitical priorities and opportunities for exploitation.

Tools and Malware Arsenal

A key tool in Earth Lamia’s arsenal is PULSEPACK, a custom .NET-based modular backdoor whose capabilities are delivered as plugins. The group deploys PULSEPACK via DLL side-loading, in which a legitimate, often signed, executable is made to load a malicious DLL placed alongside it, so the backdoor runs under the cover of a trusted process. The technique is consistent with the tradecraft of other China-linked APTs.

In March 2025, researchers observed a new version of PULSEPACK that moves its command-and-control (C2) communication from a raw TCP protocol to WebSocket. Because WebSocket sessions start as ordinary HTTP requests and can run over the same ports as web traffic, the change makes the C2 channel harder to distinguish from legitimate browser activity and indicates active development of the backdoor.
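A WebSocket C2 channel is harder to spot than a bespoke TCP protocol, but it is not invisible in proxy logs. The following is an added hunting example, my own code and not Trend Micro's or the newsletter's: it parses proxy log lines, keeps only successful WebSocket upgrades (HTTP 101), and scores each session on traits that separate backdoor traffic from the chat and collaboration services that legitimately use WebSocket, namely an IP-literal destination, a non-standard port, a very long-lived session, and a destination that only one internal host ever talks to. The log format and every entry in it are constructed for illustration; adjust the parser to your proxy's real format and the thresholds to your environment.

```python
"""Hunt for WebSocket sessions that resemble Earth Lamia-style C2 in proxy logs.

Added example; not code from Trend Micro or the newsletter. The line format and
the log entries below are constructed for illustration: one line per proxied
request with destination host:port, the HTTP Upgrade header value ("-" if none),
the response status and the connection duration in seconds.
"""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<path>\S+)\s+upgrade=(?P<upgrade>\S+)\s+"
    r"status=(?P<status>\d+)\s+dur=(?P<dur>\d+)$"
)

# Constructed sample log. RFC 5737 addresses and .example hostnames only.
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.5.23 ws.chat-saas.example:443 GET /socket upgrade=websocket status=101 dur=1800
2025-03-12T09:15:11Z 10.0.5.41 ws.chat-saas.example:443 GET /socket upgrade=websocket status=101 dur=2400
2025-03-12T09:16:30Z 10.0.7.9 ws.chat-saas.example:443 GET /socket upgrade=websocket status=101 dur=900
2025-03-12T09:20:05Z 10.0.5.23 203.0.113.45:8443 GET /api/v1/stream upgrade=websocket status=101 dur=43200
2025-03-12T09:21:00Z 10.0.5.23 www.example.org:443 GET /index.html upgrade=- status=200 dur=1
2025-03-12T11:02:17Z 10.0.9.77 198.51.100.20:443 GET /ws upgrade=websocket status=101 dur=7
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_ip_literal(host):
    """True when the destination was given as a bare IP address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def websocket_findings(records, long_session=3600, usual_ports=(80, 443)):
    """Score completed WebSocket upgrades and return those with at least one
    suspicious trait, each with the list of reasons it was flagged."""
    ws = [r for r in records
          if r["upgrade"].lower() == "websocket" and r["status"] == "101"]

    # How many distinct internal clients talk to each WebSocket endpoint.
    clients = defaultdict(set)
    for r in ws:
        clients[(r["dst"], r["port"])].add(r["src"])

    findings = []
    for r in ws:
        reasons = []
        if is_ip_literal(r["dst"]):
            reasons.append("ip-literal destination")
        if int(r["port"]) not in usual_ports:
            reasons.append("non-standard port")
        if int(r["dur"]) >= long_session:
            reasons.append("long-lived session")
        if len(clients[(r["dst"], r["port"])]) == 1:
            reasons.append("single internal client")
        if reasons:
            findings.append({"src": r["src"],
                             "dst": f"{r['dst']}:{r['port']}",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in websocket_findings(parse(SAMPLE_LOG)):
        print(f["src"], "->", f["dst"], ";", ", ".join(f["reasons"]))
```

The popular SaaS endpoint is contacted by several hosts over 443 by name and never scores, while the IP-literal destination on 8443 that one workstation held open for twelve hours collects every reason at once. One caveat: the Upgrade header is only visible to a proxy that terminates TLS. Where traffic goes straight out over HTTPS, the same rarity and session-length logic has to be applied to flow or TLS-metadata records instead, or to per-process network telemetry from the endpoint.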

Notable Malware and Failed Ransomware Attempts

Some attacks, particularly those aimed at Indian organizations, involved attempts to deploy the Mimic ransomware. However, these attempts were largely unsuccessful. In many cases, attackers:

  • Staged the ransomware binaries

  • Failed to execute them properly

  • Attempted to delete the binaries post-deployment

This suggests that Earth Lamia may use ransomware as a secondary tool, potentially for distraction or extortion.

Exploited Vulnerabilities

Earth Lamia has weaponized a broad range of vulnerabilities across diverse software platforms. These include:

  • CVE-2025-31324 – SAP NetWeaver Visual Composer (unauthenticated file upload leading to webshell deployment)

  • CVE-2017-9805 – Apache Struts2 REST plugin (deserialization RCE)

  • CVE-2021-22205 – GitLab (unauthenticated RCE via ExifTool image parsing)

  • CVE-2024-9047 – WordPress File Upload plugin (unauthenticated arbitrary file read and deletion)

  • CVE-2024-27198, CVE-2024-27199 – JetBrains TeamCity (authentication bypass and path traversal)

  • CVE-2024-51378, CVE-2024-51567 – CyberPanel (authentication bypass leading to command execution)

  • CVE-2024-56145 – Craft CMS (RCE)

By maintaining a wide-ranging exploit arsenal, Earth Lamia ensures flexibility in targeting diverse infrastructure across industries and regions.

Connections to Other Threat Clusters

Trend Micro notes that Earth Lamia shows behavioral overlaps with other threat clusters tracked as:

  • REF0657 (Elastic Security Labs)

  • STAC6451 (Sophos)

  • CL-STA-0048 (Palo Alto Networks)

These clusters have likewise targeted organizations in South Asia, gaining initial access through exposed Microsoft SQL Server instances and relying on a similar set of post-exploitation tools.

Conclusion

Earth Lamia exemplifies the modern threat landscape in which state-linked actors adapt rapidly, exploit public infrastructure, and repurpose existing tools for espionage, disruption, and data theft. The group’s ability to pivot across industries and geographies, combined with its use of custom malware like PULSEPACK, indicates a high degree of operational maturity.

Organizations, particularly in IT, government, education, and financial services, should prioritize:

  • Patching the vulnerabilities listed above, with internet-facing SAP, TeamCity, GitLab and web-application servers first

  • Restricting public-facing services, including database servers that should never be reachable from the internet

  • Monitoring for unusual network traffic, in particular long-lived WebSocket sessions to unfamiliar destinations

  • Deploying endpoint detection and response (EDR) tooling that alerts on event-log clearing, Potato-style privilege escalation, and DLL side-loading

As Earth Lamia continues to evolve, timely threat intelligence and proactive defense remain critical.