Earth Lamia Develops Custom Arsenal to Target Multiple Industries

www.trendmicro.com · Joseph C Chen · 10 months ago · research
quality 7/10 · good
0 net
Tags
custom-arsenal targeting
Entities
CVE-2017-9805 CVE-2021-22205 CVE-2024-27198 CVE-2024-51378 CVE-2024-51567 CVE-2024-56145 CVE-2024-9047 CVE-2025-31324
Earth Lamia Develops Custom Arsenal to Target Multiple Industries | Trend Micro (US) arrow_back search close Content has been added to your Folio Go to Folio ( 0 ) close APT & Targeted Attacks Earth Lamia Develops Custom Arsenal to Target Multiple Industries Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations. By: Joseph C Chen May 27, 2025 Read time: ( words) Save to Folio Summary Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration. Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss. Earth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially focused on financial services, the group shifted to logistics and online retail, most recently focusing on IT companies, universities, and government organizations. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One also provides hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Earth Lamia. Introduction We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657 , STAC6451 , and CL-STA-0048 . Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia. Earth Lamia is highly active, but our observation found that its targets have shifted over different time periods. They targeted many organizations but focused only on a few specific industries during each time period. In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage. In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations. Figure 1. Map of targeted countries download Earth Lamia continuously develops customized hacking tools and backdoors to improve their operations. While the actor highly leverages open-source hacking tools to conduct their attacks, they also customized these hacking tools to reduce the risk of being detected by security software. We also discovered they have developed a previously unseen backdoor, which we named PULSEPACK. The first version of PULSEPACK was identified in Earth Lamia's attacks during August 2024. In 2025, we found an upgraded version of PULSEPACK, which uses a different protocol for C&C communication, showing they are actively developing this backdoor. In this report, we will reveal the details of Earth Lamia’s operations and share the analysis of their customized hacking tools and backdoors. Initial access and post-exploitation TTPs We found that Earth Lamia frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities on the targets' websites. With an identified vulnerability, the actor tried to open a system shell through it to gain remote access to the victims' SQL servers. We suspect they are likely using tools like "sqlmap" to carry out these attacks against their targets. Besides the SQL injection attempts, our telemetry shows the actor also exploited the following vulnerabilities on different public-facing servers: CVE-2017-9805 : Apache Struts2 remote code execution vulnerability CVE-2021-22205 : GitLab remote code execution vulnerability CVE-2024-9047 : WordPress File Upload plugin arbitrary file access vulnerability CVE-2024-27198 : JetBrains TeamCity authentication bypass vulnerability CVE-2024-51378 : CyberPanel remote code execution vulnerability CVE-2024-51567 : CyberPanel remote code execution vulnerability CVE-2024-56145 : Craft CMS remote code execution vulnerability More recently, Earth Lamia also exploited CVE-2025-31324 (SAP NetWeaver Visual Composer unauthenticated file upload vulnerability). The report mentioned two of attackers’ IP addresses, 43[.]247[.]135[.]53 and 103[.]30[.]76[.]206, which we clustered as Earth Lamia’s infrastructure. (We discuss these details in the Attribution section.) After a successful exploitation of vulnerabilities to gain access to a server, we observed the following general lateral movement activities within the victims' network: Using "certutil.exe" or “powershell.exe” to download additional tools from the attacker’s machine Deploying webshells to website applications Performing privilege escalation using tools such as " GodPotato " and " JuicyPotato " Scanning the network using tools like " Fscan " and " Kscan " Creating a user account named "helpdesk" and adding it to the administrators' local group Obtaining credentials by dumping the LSASS memory or extracting the SAM hive and the SYSTEM hive from the Windows Registry Cleaning Windows Application, System and Security event logs with “wevtutil.exe” Collecting domain controller information with “nltest.exe” and “net.exe” Establishing proxy tunnels to the Victims' network with tools such as " rakshasa " and " Stowaway " Executing backdoors generated from the command-and-control frameworks, including "Vshell", "Cobalt Strike", and "Brute Ratel" Using “schtasks.exe” to persist the backdoor execution We also noticed the threat actor used SQL injection vulnerabilities to execute the following commands. The commands create a new account "sysadmin123" with administrator permissions on the targeted SQL servers. It allows the actor to directly access and exfiltrate victim databases. CREATE LOGIN sysadmin123 WITH PASSWORD = 'qwe123QWE'; ALTER SERVER ROLE sysadmin ADD MEMBER sysadmin123; Customized hacking tools Earth Lamia often modifies open-source hacking tools for its own use. They remove unnecessary static strings from the hacking tools, such as help or debug messages. Some essential static strings are also obfuscated. These customizations are aimed at reducing the chances of detection by security software. For example, we identified a privilege escalation tool that was named "BypassBoss" in the PDB string. This tool was used multiple times in different incidents by Earth Lamia. After our analysis, we found that this tool is a modified version of "Sharp4PrinterNotifyPotato", whose original source code was shared on a Chinese forum. Figure 2. Code comparison between “BypassBoss” (left) and "Sharp4PrinterNotifyPotato" (right) download In addition, we found that Earth Lamia packages its hacking tools into DLL files to launch them via DLL sideloading . Our telemetry data showed multiple times that the actor executed a legitimate executable “AppLaunch.exe” (Microsoft .NET ClickOnce Launch Utility) with suspicious arguments. In one case, we observed that the arguments are similar to those used by “Mimikatz”. C:\Users\Public\Downloads\AppLaunch.exe "log C:\Users\Public\Downloads\res.txt" "privilege::debug" "sekurlsa::logonpasswords" "exit" Later, we were able to collect one of their DLL samples. The DLL file (SHA256: 1d0b246f8d43442ea0eaecde5cfa7fcd8139a9ba93496cd82a8ac056f7393bcf) was named "mscoree.dll," which is one of the libraries loaded by "AppLaunch.exe". We found the actor packaged an entire binary of "JuicyPotato" into the DLL file with " VOIDMAW ”, an open-source tool to package malicious code to bypass memory scanners. This allows the actor to execute their hacking tools in memory inside the process of a legitimate executable. We believe the actor employs these or similar approaches to launch their hacking tools with DLL sideloading. Besides that, Earth Lamia also created their backdoor loaders by adopting DLL sideloading. Interestingly, the actor prefers to use the legitimate binaries provided by security vendors to sideload their malicious DLL files. Figure 3. DLL sideloading flows to launch backdoors download Other researchers had found that one of the earlier versions of their loaders was a modification of the open-source project “ MemoryEvasion ” to load malicious Base64-encoded shellcode. We discovered an extended version of their Cobalt Strike loaders, which use the RC4 encryption to protect the malicious shellcode. From an example we found in their sideloading samples, the payload file “readme.txt” has the first 128 bytes used to produce the RC4 key, and the rest of the data is the RC4-encrypted shellcode. After launching with a legitimate binary, the DLL sideloading loader reads data from the payload file. It duplicates the 128-byte key twice to restore the 256-byte RC4 key. It then uses the restored key to decrypt the rest of the data and has the original Cobalt Strike shellcode execute in memory. Figure 4. The encrypted payload file to encapsulate the shellcode download We also found another DLL sideloading loader used by Earth Lamia to execute Brute Ratel shellcode. This loader uses AES instead. The loader has the pre-configured AES 256-byte key and initial vectors embedded in the binary. Although the loader does not directly use the embedded key for decryption, it computes the hash of the 256-byte key using SHA256, resulting in a hash that is also 256 bytes in size. The hash value is the key to decrypt the encrypted shellcode stored in the payload file “VCRUNTIME140C.dll”. Figure 5. The decryption routine to restore shellcode from an AES-encrypted file download Analysis of the PULSEPACK backdoor In August 2024, we noticed Earth Lamia started using a previously unseen backdoor, which we named PULSEPACK. PULSEPACK is a modular .NET backdoor designed with a simple primary executable that only includes necessary capabilities for command-and-control (C&C) communication. Each malicious function is developed as a separate plugin. The plugins will only be loaded from the C&C server when needed. In the first version of PULSEPACK that we discovered, it contained the following configuration information embedded within the executable: The IP address and the port number of the default C&C server The URL to get an updated C&C IP address and port number pair The AES key and the AES IV value to encrypt the communication At the beginning, PULSEPACK checks the configured URL to get the address of the C&C server. If the value of the URL is empty or it fails to retrieve the C&C address from the URL, the backdoor will connect to the default C&C server with a TCP socket. Once the TCP socket is connected, the backdoor decodes an embedded data to restore a core DLL file and execute it in memory with the “ Assembly.Load ” approach. The core DLL handles the C&C commands and launches plugins delivered from the C&C server. Initially, it sends the victim’s information to the C&C server, including: System version and username The backdoor process name and process privilege Installed antivirus software A hash value calculated with the system and the hardware information Figure 6. The function to collect the information of the infected machine download It then waits for the C&C server to deliver the plugins, which are then executed. The delivered plugins are Base64-encoded and compressed into the ZIP format. The core DLL restores the plugins from the delivered data and launches them with the “ Assembly.Load ” approach. The core DLL launches the plugins from a function named "Run" as the entry point. PULSEPACK encrypts the execution result with the AES algorithm before sending it to the C&C server. Since March 2025, we found Earth Lamia deployed a new version of PULSEPACK. It changes the protocol of C&C communication from a TCP socket to a WebSocket. In addition, the new PULSEPACK also becomes smaller as they separated the core DLL from the backdoor and made it a plugin that will be loaded from the C&C server. Once the backdoor connects to the C&C server, the server sends a message appended with a random UUID as the victim ID. The values are concatenated with a number sign “#”. IsWindows#{UUID} The backdoor responds with a message composed of the given UUID and a tag string embedded in the backdoor. IsWindowsReturnMessageParam#{UUID}#{Tag} Then, it delivers the first plugin called "InitStart.dll," which collects the same information about the infected machine as the original core DLL. After these initialization steps, the backdoor waits for the plugins issued from the C&C server to execute. GetWinDowsMessage#{UUID}#{C&C URL}#{Plugin (Base64 encoded)}#{Function name} Figure 7. PULSEPACK C&C traffic communicating on WebSocket download We also noticed a PULSEPACK sample which loaded a plugin DLL called " TKRun.dll ”, which is used for persisting the execution of the backdoor by creating a scheduled task to launch the executable after a system reboot. Unfortunately, we couldn’t discover additional plugins used by PULSEPACK. Our telemetry data shows that the backdoor process can drop files and create a subprocess called "cmd.exe" to execute commands on the victims' machines. This suggests that more plugins could exist for the file drop or remote shell access purposes. Figure 8. The "TKRun" plugin creates a new task to launch the backdoor process download Attribution In January 2024, an intrusion set identified as REF0657 targeted the financial services sector in South Asia. We believe these are also activities of Earth Lamia. Our telemetry data also shows Earth Lamia targeted Indian financial organizations during 2023 and early 2024. Many of the mentioned attack tactics and hacking tools in this report and those used by Earth Lamia are identical. In addition, we found a Cobalt Strike sample used by Earth Lamia connects to a C&C domain "chrome-online[.]site". The domain certificate of "chrome-online[.]site" was found to be adopted on "149[.]104[.]23[.]176," which has been reported as the IP address used by REF0657. In August 2024, a report on a Mimic ransomware campaign tracked as STAC6451 was published. The report noted that some attack tactics are linked to REF0657. This report mentioned the following activities, which were likely from Earth Lamia: The username “helpdesk” and password “P@ssw0rd” pair created during the attack The use of the hacking tool "Sophosx64.exe," which is the "GodPotato" tool. We also found the same tool with the same filename used in Earth Lamia's attack. The Cobalt Strike loader "USERENV.dll" developed with the open-source project "MemoryEvasion", which is the same as we mentioned above, is used by Earth Lamia. Some of the attack tactics mentioned in the STAC6451 report are very different from those of Earth Lamia. We believe the report of STAC6451 may include the activities from two different intrusion sets. During our research, we didn't see Earth Lamia use any ransomware. It could be that Earth Lamia collaborated with the Mimic ransomware campaign before, or they just happened to infect the same victims, as both targeted SQL servers in India. In January 2025, a research team reported an espionage operation they tracked as CL-STA-0048 . They found connections between this campaign, the Chinese threat actor “ DragonRank ”, and REF0657, which is Earth Lamia. We found the following activities mentioned in the report were likely from Earth Lamia: The behavior to download files from 206[.]237[.]0[.]49 which was used by Earth Lamia The use of the legitimate binary “AppLaunch.exe” to sideload Cobalt Strike and hacking tools Our research currently tracks "DragonRank" and Earth Lamia as two different intrusion sets. We haven't seen evidence that these two intrusion sets are linked or collaborated. However, we cannot rule out this possibility. In May 2025, researchers shared their observations on multiple China-nexus APT campaigns targeting CVE-2025-31324. One of the mentioned campaigns used the IP address 43[.]247[.]135[.]53, which is associated with a Cobalt Strike C&C domain “sentinelones[.]com”. The C&C domain has been attributed to CL-STA-0048. We believe part of CL-STA-0048’s activities are from Earth Lamia’s operation. However, we have only a medium confidence to attribute the IP address 43[.]247[.]135[.]53 and the exploitation behavior to Earth Lamia as there’s already a time gap between the periods when the IP address was in use during 2024 and 2025. The same report attributes another IP address 103[.]30[.]76[.]206 to an intrusion set UNC5174 as the VShell C&C server. Our research shows this IP address is currently used by Earth Lamia instead of UNC5174 with high confidence. We also found a VShell sample (SHA256: bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7), which communicates with this IP address. This sample is similar to the other samples used by Earth Lamia: First, the identified VShell sample is packaged as a DLL loader with the same packaging approach using VOIDMAW we mentioned Second, the identified VShell sample has a same PDB string “C:\Users\qweqw\Downloads\Voidmaw-master\Voidmaw-master\x64\Debug\Dll1.pdb” that we also found in the other samples used by Earth Lamia The original attribution to UNC5174 is based on the fact that the attacks delivered a VShell stager called SNOWLIGHT. The stager has been reported to be used by UNC5174. However, this may not be reliable because SNOWLIGHT is also one of default stagers in the VShell framework. Anyone using the framework could generate the stager to load their VShell backdoor. Figure 9. Screenshot of the VShell management panel to generate the SNOWLIGHT stager download Conclusion Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions. At the same time, the threat actor continuously refines their attack tactics by developing custom hacking tools and new backdoors. They primarily target their victims via vulnerable websites, SQL servers, and systems publicly facing the Internet. To go against these threats, organizations must regularly update and patch their systems to prevent attackers from gaining initial access. Monitoring is essential to detect unusual activities. Adopting proactive security solutions that integrate robust prevention, detection, and response capabilities will help organizations significantly strengthen their defenses. Proactive security with Trend Vision One™ Trend Vision One ™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation. Trend Micro™ Threat Intelligence To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors. Threat Insights Emerging Threats: Earth Lamia Develops Custom Arsenal to Target Multiple Industries Threat Actor: Earth Lamia Trend Vision One Intelligence Reports (IOC Sweeping) Earth Lamia Develops Custom Arsenal to Target Multiple Industries Hunting Queries Trend Vision One Search App Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment. Backdoor C&C servers of Earth Lamia eventSubId: 204 AND (dst: 154.211.89.5 OR dst: 185.238.251.38 OR dst: 206.237.2.40 OR dst: 206.237.5.19 OR dst: 206.238.179.172 OR dst: 206.238.199.21) More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled . MITRE ATT&CK techniques Tactic Technique ID Reconnaissance Active Scanning: Scanning IP Blocks T1595.001 Active Scanning: Vulnerability Scanning T1595.002 Gather Victim Host Information T1592 Gather Victim Network Information T1590 Resource Development Acquire Infrastructure: Domains T1583.001 Acquire Infrastructure: Virtual Private Server T1583.003 Develop Capabilities: Malware T1587.001 Stage Capabilities: Upload Malware T1608.001 Stage Capabilities: Upload Tool T1608.002 Initial Access Exploit Public-Facing Application T1190 Valid Accounts T1078 Execution Command and Scripting Interpreter: PowerShell T1059.001 Command and Scripting Interpreter: Windows Command Shell T1059.003 Persistence Account Manipulation: Additional Local or Domain Groups T1098.007 Create Account: Local Account T1136.001 Scheduled Task/Job: Scheduled Task T1053.005 Server Software Component: Web Shell T1505.003 Defense Evasion Exploitation for Privilege Escalation T1068 Valid Accounts: Local Accounts T1078.003 Deobfuscate/Decode Files or Information T1140 Hijack Execution Flow: DLL T1574.001 Impair Defenses: Disable or Modify Tools T1562.001 Indicator Removal: Clear Windows Event Logs T1070.001 Masquerading: Match Legitimate Resource Name or Location T1036.005 Reflective Code Loading T1620 Credential Access OS Credential Dumping: LSASS Memory T1003.001 OS Credential Dumping: Security Account Manager T1003.002 Discovery Account Discovery: Local Account T1087.001 Account Discovery: Domain Account T1087.002 Domain Trust Discovery T1482 Lateral Movement Lateral Tool Transfer T1570 Collection Data from Local System T1005 Command and Control Data Encoding: Standard Encoding T1132.001 Encrypted Channel: Symmetric Cryptography T1573.001 Fallback Channels T1008 Ingress Tool Transfer T1105 Multi-Stage Channels T1104 Non-Application Layer Protocol T1095 Non-Standard Port T1571 Exfiltration Exfiltration Over C2 Channel T1041 Indicators of Compromise (IOCs) Indicators of compromise related to this campaign may be found here . Tags APT & Targeted Attacks | Endpoints | Research | Articles, News, Reports Authors Joseph C Chen Threat Researcher Contact Us Related Articles Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads See all articles Trend Vision One™ - Proactive Security Starts Here. Resources Blog Newsroom Threat Reports Find a Partner Support Business Support Portal Contact Us Downloads Free Trials About Trend About Us Careers Locations Upcoming Events Trust Center Country Headquarters Trend Micro - United States (US) 225 East John Carpenter Freeway Suite 1500 Irving, Texas 75062 Phone: +1 (817) 569-8900 --> --> --> Select a language expand_more close English English (US) English (UK) Español (ESP) Español (MEX) Deutsch Italiano Français 中文 (台灣) 中文 (香港) 日本語 한국어 (Korean) Русский (Asia) Português عربي Polski Türkçe Experience our enterprise cybersecurity platform for free Claim your 30-day trial Privacy Legal Accessibility Terms of Use Sitemap Copyright ©2026 Trend Micro Incorporated. All rights reserved. sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
← Back to stories