A cyber-espionage group with suspected ties to China is broadening its campaign across South and Southeast Asia, exploiting Internet-facing servers that were left vulnerable despite public patches. The group, Earth Lamia, first popped up in 2023—but it’s now operating with sharper tools and a longer reach.
Their latest weapon? A critical SAP bug rated 9.8 on the CVSS scale. And they’re not being shy about using it.
Same Old Tricks, Bigger Targets
The most concerning part? They’re not doing anything novel.
Earth Lamia’s attacks lean heavily on exploiting known, often years-old vulnerabilities. They aren’t exactly rewriting the book on cyberwarfare. But they are reading it—cover to cover—and applying it with chilling precision.
Their current campaign spans multiple industries, from IT companies to educational institutions and even government networks across Southeast Asia and India. Oddly enough, Brazil is also on their radar.
They’re after softer targets.
A Growing Arsenal Built on Open-Source Tools
After gaining access, the group uses a familiar toolkit: mostly free, open-source software. Think “sqlmap” for SQL injections, or scripts cobbled together from GitHub to pivot deeper into the compromised network.
They keep it lean and clean. Here’s how their typical playbook looks:
- Scan for known bugs, especially in Internet-facing servers
- Drop a web shell to gain remote access
- Deploy open-source tools with minor obfuscations to avoid detection
- Install their custom backdoor, PulsePack
- Extract whatever data they can, quietly
Trend Micro says Earth Lamia has been modifying those open-source tools just enough to throw off signature-based security systems. Not a total rewrite, but enough to slip under the radar.
That’s not particularly advanced, but it’s effective. And that’s scarier.
PulsePack: Lean, Mean, and Getting an Upgrade
Introduced sometime around August last year, PulsePack is a barebones backdoor—at least at first glance.
Once installed, PulsePack reports basic system information back to a command-and-control (C2) server. What makes it dangerous is its modular nature. Earth Lamia can upload new “plugins” to infected systems based on what they want to do: steal passwords, grab documents, map out the network, or even just sit and watch.
This year, PulsePack received an update. It now uses a different C2 communication protocol, making it harder to track. Trend Micro interprets this as proof the group is still actively developing their tools.
PulsePack may look like a skeleton key, but in skilled hands, it unlocks everything.
The CVEs Earth Lamia Loves Most
Their vulnerability roster reads like a cybersecurity greatest hits album.
They’ve exploited well-known bugs, including:
CVE ID | Software Affected | Year Disclosed | CVSS Score |
---|---|---|---|
CVE-2017-9805 | Apache Struts2 | 2017 | 10.0 |
CVE-2021-22205 | GitLab | 2021 | 9.9 |
CVE-2024-XXXX | Craft CMS, CyberPanel | 2024 | Varies |
CVE-2025-31324 | SAP NetWeaver Visual Composer | 2025 | 9.8 |
That last one? It’s the most recent. And it’s key to their newest exploits.
Earth Lamia has been abusing SAP NetWeaver Visual Composer’s unauthenticated file upload flaw. It’s critical, easy to automate, and, unfortunately, still unpatched in a number of Internet-facing systems across Asia.
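The playbook's upload-then-web-shell step, and the unauthenticated file upload flaw just described, leave a correlatable trace in ordinary web server access logs. The detector below is an added example, not code from the article or from Trend Micro; the upload endpoint, client addresses and log lines are constructed, and on a real estate you would substitute the upload handler named in the vendor advisory for your product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined-log parser; log lines, paths and addresses are constructed.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
SHELL_EXT = (".jsp", ".jspx", ".php", ".aspx")  # script types a dropped shell is written as
WINDOW = timedelta(minutes=10)                   # upload -> first shell request gap to flag

def parse(line):
    """Return ip, ts (aware datetime), method, path, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_webshell_drops(lines, upload_paths):
    """Return (ip, upload_path, shell_path) for each POST to an upload handler
    followed within WINDOW by a 200 on a script file from the same client."""
    uploads = defaultdict(list)  # client ip -> [(timestamp, upload path)]
    hits = []
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST" and path in upload_paths:
            uploads[rec["ip"]].append((rec["ts"], path))
        elif rec["status"] == 200 and path.lower().endswith(SHELL_EXT):
            for ts, up in uploads[rec["ip"]]:
                if timedelta(0) <= rec["ts"] - ts <= WINDOW:
                    hits.append((rec["ip"], up, path))
                    break  # one alert per shell request is enough
    return hits

# Constructed sample: one client uploads, then fetches a new .jsp two minutes later;
# a .jsp fetched hours later, and another client's ordinary .jsp page, are not flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2025:10:01:09 +0000] "POST /upload HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/May/2025:10:03:40 +0000] "GET /uploads/helper.jsp HTTP/1.1" 200 61',
    '203.0.113.7 - - [12/May/2025:12:30:00 +0000] "GET /uploads/late.jsp HTTP/1.1" 200 61',
    '198.51.100.4 - - [12/May/2025:10:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in find_webshell_drops(SAMPLE_LOG, {"/upload"}):
        print("possible web shell: client %s POSTed to %s then fetched %s" % hit)
```

Pair the alert with a file-integrity check on the web root, since a shell written through an upload handler shows up as a new script file the deployment pipeline never created.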
Soft Targets and Changing Priorities
There’s a logic to Earth Lamia’s shift from finance to public sector networks. It’s not just opportunism—it’s evolution.
Jon Clay, VP of threat intelligence at Trend Micro, believes it’s partly strategic.
“Financial firms have stepped up their security posture in recent years,” he said. “But universities, logistics companies, and even small government offices? Often less so. And the kind of data Earth Lamia wants may have changed too.”
Their move into education and IT may suggest a change in motive. Could be espionage. Could be data mining. Could be groundwork for something bigger down the line.
No one knows for sure.
Still No Clear Motive, No Clear Origin
Two mysteries linger around Earth Lamia.
First: are they connected to any known APTs from China? Their methods and tools have echoes of other state-linked groups, but no smoking gun.
Second: what’s the endgame?
Clay speculates it could be state-sponsored espionage, especially given their interest in government data. But there’s no confirmation. No leak. No manifesto.
“They’re quiet,” said one analyst. “Almost too quiet.”
And that, honestly, might be the most unsettling part.