The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023.
“The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations,” Trend Micro security researcher Joseph C Chen said in an analysis published this week. “The actor also takes advantage of various known vulnerabilities to exploit public-facing servers.”
Some of the other prominent targets of the adversarial collective include Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.
The cybersecurity company is tracking the activity under the moniker Earth Lamia, stating the activity shares some degree of overlap with threat clusters documented by Elastic Security Labs as REF0657, Sophos as STAC6451, and Palo Alto Networks Unit 42 as CL-STA-0048.
Each of these attacks has targeted organizations spanning multiple sectors in South Asia, often leveraging internet-exposed Microsoft SQL Servers and other instances to conduct reconnaissance, deploy post-exploitation tools like Cobalt Strike and Supershell, and establish proxy tunnels to the victim networks using Rakshasa and Stowaway.
Also used are privilege escalation tools like GodPotato and JuicyPotato; network scanning utilities such as Fscan and Kscan; and legitimate programs like wevtutil.exe to clean Windows Application, System, and Security event logs.
Select intrusions aimed at Indian entities have also attempted to deploy Mimic ransomware binaries to encrypt victim files, although the efforts were largely unsuccessful.
“While the actors were seen staging the Mimic ransomware binaries in all observed incidents, the ransomware often did not successfully execute, and in several instances, the actors were seen attempting to delete the binaries after being deployed,” Sophos noted in an analysis published in August 2024.
Then earlier this month, EclecticIQ disclosed that CL-STA-0048 was one among the many China-nexus cyber espionage groups to exploit CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver to establish a reverse shell to infrastructure under its control.
Besides CVE-2025-31324, the hacking crew is said to have weaponized as many as eight different vulnerabilities to breach public-facing servers –
CVE-2017-9805 – Apache Struts2 remote code execution vulnerability
CVE-2021-22205 – GitLab remote code execution vulnerability
CVE-2024-9047 – WordPress File Upload plugin arbitrary file access vulnerability
CVE-2024-27198 – JetBrains TeamCity authentication bypass vulnerability
CVE-2024-27199 – JetBrains TeamCity path traversal vulnerability
CVE-2024-51378 – CyberPanel remote code execution vulnerability
CVE-2024-51567 – CyberPanel remote code execution vulnerability
CVE-2024-56145 – Craft CMS remote code execution vulnerability
Describing it as “highly active,” Trend Micro noted that the threat actor has shifted its focus from financial services to logistics and online retail, and most recently, to IT companies, universities, and government organizations.
“In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage,” the company said. “In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations.”
A noteworthy technique adopted by Earth Lamia is to launch its custom backdoors like PULSEPACK via DLL side-loading, an approach widely embraced by Chinese hacking groups. A modular .NET-based implant, PULSEPACK communicates with a remote server to retrieve various plugins to carry out its functions.
Trend Micro said it observed in March 2025 an updated version of the backdoor that changes the command-and-control (C2) communication method from TCP to WebSocket, indicating active ongoing development of the malware.
“Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions,” it concluded. “At the same time, the threat actor continuously refines their attack tactics by developing custom hacking tools and new backdoors.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
“}]] The Hacker News
