Chinese Hackers Target Multiple Industries Across Asia with Sophisticated Multi-Vulnerability Campaign
A Chinese-affiliated cyber threat group has been conducting extensive hacking operations across Brazil, India, and Southeast Asia since 2023, exploiting multiple critical vulnerabilities to infiltrate organizations spanning various industries.

Security researchers from Trend Micro have identified this adversary as "Earth Lamia," which correlates with threat groups previously documented by other cybersecurity firms under different designations (REF0657, STAC6451, and CL-STA-0048). The group primarily focuses on exploiting SQL injection flaws in web applications to gain access to target organizations' database servers.
Attack Methods and Target Regions
The threat actors have concentrated their efforts on countries including Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Their attack methodology involves exploiting internet-facing Microsoft SQL Servers and other exposed systems to conduct initial reconnaissance before deploying sophisticated post-exploitation frameworks.
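Since the article describes the group's initial access as SQL injection against web applications fronting database servers, the following added example (written for this page; it is not code from the article, from Trend Micro, or from any tool attributed to the group) shows the application-side defect that technique depends on and the fix. It uses an in-memory SQLite database with a constructed users table and a hypothetical account name; the injected test string is the textbook tautology, chosen only to show that a bound parameter cannot change a query's structure.

```python
"""Added example: a string-built SQL query beside its parameterised form.
Runs entirely on an in-memory SQLite database with constructed sample data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one hypothetical account in a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "hash-of-alice-pw"))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: attacker-controlled text is pasted into the
    statement, so the input can alter the query's logic, not just its data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the driver binds the parameter as a value, so the
    same input can only ever be compared against stored usernames."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed test input: closes the string literal and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    # The concatenated query returns every row; the parameterised one returns none,
    # because no user is literally named "' OR '1'='1".
    print("unsafe:", lookup_unsafe(db, TAUTOLOGY))
    print("safe:  ", lookup_safe(db, TAUTOLOGY))
```

The point for a defender is that the hardened version needs no input filtering to be correct: the query text is fixed at development time and only values travel at runtime, which is the property an internet-facing database server should be able to assume about every application that talks to it.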
The hackers utilize a comprehensive toolkit that includes:
- Advanced penetration testing tools like Cobalt Strike and Supershell
- Privilege escalation utilities such as GodPotato and JuicyPotato
- Network reconnaissance tools including Fscan and Kscan
- Proxy tunneling software like Rakshasa and Stowaway
- System cleanup tools to erase evidence from Windows event logs
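The last item in that list, clearing Windows event logs, is itself loudly logged by Windows. The following added example (written for this page, not code from the article or from Trend Micro) is a small detector that runs over constructed sample events and flags the two documented "log cleared" records: Security event 1102 (the audit log was cleared) and System event 104 (a log file was cleared by the Eventlog service), both mapped to MITRE ATT&CK T1070.001. The event field names (TimeCreated, Computer, Channel, EventID, SubjectUserName) are assumed to follow a JSON export of the event and should be adapted to your own SIEM schema; the host name, account name and timestamps are constructed.

```python
"""Added example: detect Windows event-log clearing in exported event records,
and flag hosts where several logs are cleared within a short window."""
from dataclasses import dataclass
from datetime import datetime
from itertools import groupby

# (channel, event_id) pairs that record a log being cleared (MITRE ATT&CK T1070.001).
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    channel: str
    event_id: int
    user: str
    detail: str


def detect_log_clearing(events: list) -> list:
    """Return one Alert per event whose (Channel, EventID) marks a cleared log.
    Field names are assumed to match a JSON export of the Windows event."""
    alerts = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if key in CLEAR_EVENTS:
            alerts.append(Alert(
                timestamp=ev.get("TimeCreated", ""),
                host=ev.get("Computer", ""),
                channel=key[0],
                event_id=key[1],
                user=ev.get("SubjectUserName", "unknown"),
                detail=f"{key[0]} log cleared (T1070.001)",
            ))
    return alerts


def _parse(ts: str) -> datetime:
    # ISO-8601 with a trailing Z; rewritten so older Python versions parse it too.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def clearing_bursts(alerts: list, window_seconds: int = 60) -> set:
    """Hosts on which two or more log-clear events fall within window_seconds
    of each other: the pattern of a cleanup pass rather than a lone admin action."""
    hosts = set()
    ordered = sorted(alerts, key=lambda a: (a.host, a.timestamp))
    for host, group in groupby(ordered, key=lambda a: a.host):
        times = [_parse(a.timestamp) for a in group]
        for earlier, later in zip(times, times[1:]):
            if (later - earlier).total_seconds() <= window_seconds:
                hosts.add(host)
                break
    return hosts


# Constructed sample events, not real telemetry: a logon, two log clears two
# seconds apart, and an unrelated service-state event.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-03-10T02:14:05Z", "Computer": "db01.example.local",
     "Channel": "Security", "EventID": 4624, "SubjectUserName": "svc_sql"},
    {"TimeCreated": "2025-03-10T02:31:47Z", "Computer": "db01.example.local",
     "Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_sql"},
    {"TimeCreated": "2025-03-10T02:31:49Z", "Computer": "db01.example.local",
     "Channel": "System", "EventID": 104, "SubjectUserName": "svc_sql"},
    {"TimeCreated": "2025-03-10T02:32:00Z", "Computer": "db01.example.local",
     "Channel": "System", "EventID": 7036},
]

if __name__ == "__main__":
    found = detect_log_clearing(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user}: {a.detail}")
    print("burst hosts:", clearing_bursts(found))
```

Because a cleared log destroys the records that came before it, this detection is only useful if events are forwarded off the host before the clear happens; the 1102 and 104 records themselves survive as the first entries of the freshly emptied log, which is what makes them a reliable tripwire.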
Vulnerability Arsenal
Earth Lamia has weaponized nine distinct security vulnerabilities to compromise public-facing servers, including a recently discovered critical flaw in SAP NetWeaver (CVE-2025-31324). Their exploit portfolio spans multiple platforms and applications:
- Apache Struts2 remote code execution
- GitLab remote code execution
- WordPress plugin vulnerabilities
- JetBrains TeamCity authentication and path traversal flaws
- CyberPanel remote code execution issues
- Craft CMS remote code execution
Evolving Target Profile
The group's targeting strategy has evolved significantly over time. Initially focused on financial services organizations, particularly securities and brokerage firms in early 2024, they subsequently shifted attention to logistics and e-commerce companies. Most recently, their operations have pivoted toward IT companies, educational institutions, and government entities.
Advanced Malware Capabilities
A distinguishing characteristic of Earth Lamia's operations is their use of custom backdoor malware called PULSEPACK, deployed through DLL side-loading techniques commonly employed by Chinese hacking groups. This modular .NET-based implant maintains communication with remote command-and-control servers to download additional functional plugins.
Recent analysis revealed that the group continues active development of their malware arsenal, with an updated version of PULSEPACK observed in March 2025 that transitioned from TCP to WebSocket communication protocols.
Ransomware Operations
In some attacks targeting Indian organizations, the group attempted to deploy Mimic ransomware to encrypt victim files. However, these deployment efforts were largely unsuccessful: the malware frequently failed to execute properly, after which the attackers often attempted to delete the ransomware binaries.
Ongoing Threat Assessment
Cybersecurity researchers characterize Earth Lamia as a "highly active" threat actor conducting aggressive operations across multiple countries and industries. The group demonstrates continuous refinement of their attack methodologies through the development of custom hacking tools and novel backdoor variants, indicating sustained and evolving capabilities that pose ongoing risks to organizations across the targeted regions.