A cyber-espionage group known as Earth Lamia, with suspected links to China, is expanding its hacking operations across South and Southeast Asia. The group is targeting internet-facing servers by exploiting known security flaws that organizations have failed to patch. Their campaign now affects government, education, and IT sectors, leveraging a mix of open-source tools and a custom backdoor to steal data.
A Strategy Built on Old Vulnerabilities
The most alarming aspect of Earth Lamia’s campaign is not its sophistication, but its simplicity. The group is not developing groundbreaking new attack methods. Instead, they are meticulously using well-documented vulnerabilities, some of which are years old, to breach networks with chilling efficiency.
Their strategy focuses on finding the path of least resistance. By targeting servers with publicly known and often patched vulnerabilities, they rely on poor security hygiene among their targets. This approach has proven highly effective, allowing them to compromise a wide range of industries, including IT companies, universities, and government agencies across Southeast Asia, India, and even as far as Brazil.
This method highlights a critical weakness in cybersecurity: the gap between when a patch is released and when it is actually applied. Earth Lamia thrives in this window of opportunity.
The Hacker’s Playbook and Toolkit
After identifying a vulnerable target, Earth Lamia follows a consistent and effective playbook. Their process is lean, designed for stealth, and relies heavily on freely available software to minimize their digital footprint.
Analysts at Trend Micro have outlined their typical attack sequence:
- Scan networks for known vulnerabilities, especially on servers exposed to the internet.
- Use the vulnerability to drop a web shell, which gives them remote control over the server.
- Deploy common open-source tools, such as “sqlmap” for database attacks, with slight changes to avoid being detected by security software.
- Install their custom backdoor, known as PulsePack, to maintain persistent access.
- Quietly search for and extract valuable data from the compromised network.
The group modifies these open-source tools just enough to bypass signature-based detection systems. While not a highly advanced technique, its success proves that even minor tweaks can be enough to fool standard security measures.
PulsePack: The Modular Backdoor
At the core of Earth Lamia’s operations is their custom malware, PulsePack. First observed in August of the previous year, it appears simple on the surface. Once installed, it sends basic system information to a command-and-control (C2) server operated by the hackers.
However, its true power lies in its modular design. PulsePack acts like a skeleton key, allowing Earth Lamia to upload new plugins to an infected system on demand. These plugins can be tailored for specific tasks, such as stealing passwords, collecting documents, mapping the internal network, or simply monitoring user activity.
Recently, PulsePack received an update that changed its C2 communication protocol, making it more difficult for security researchers to track. This continuous development shows that Earth Lamia is an active and evolving threat.
A Look at Their Favorite Vulnerabilities
Earth Lamia’s choice of vulnerabilities reads like a list of cybersecurity’s biggest failures. They consistently target critical bugs that give them easy access to systems if left unpatched.
| CVE ID | Software Affected | Year Disclosed | CVSS Score |
|---|---|---|---|
| CVE-2017-9805 | Apache Struts2 | 2017 | 10.0 |
| CVE-2021-22205 | GitLab | 2021 | 9.9 |
| Various 2024 Flaws | Craft CMS, CyberPanel | 2024 | Varies |
| Critical SAP Flaw | SAP NetWeaver Composer | Recent | 9.8 |
The most recent addition to their arsenal is a critical flaw in SAP NetWeaver Visual Composer. This vulnerability allows an unauthenticated attacker to upload files, is easy to automate, and has been central to their latest wave of attacks on Asian servers.
Shifting Focus to Softer Targets
The group’s recent pivot from financial institutions to the public sector and IT companies suggests a deliberate change in strategy. According to Jon Clay, VP of threat intelligence at Trend Micro, this shift is likely driven by both opportunity and a change in objectives.
“Financial firms have stepped up their security posture in recent years,” Clay stated. “But universities, logistics companies, and even small government offices? Often less so.”
This move may indicate that Earth Lamia’s goals have evolved. Their interest in government and educational data could point towards state-sponsored espionage, intelligence gathering, or preparation for a larger future operation. However, with no clear claims of responsibility or leaked data, their ultimate motive remains a mystery.
