China’s Earth Lamia hacking group targets Asian institutions by exploiting server vulnerabilities and deploying sophisticated malware for cyber espionage. The group’s focus includes government, universities, and IT sectors, with an increasing emphasis on government and educational institutions. #EarthLamia #CyberEspionage
Keypoints
- Earth Lamia exploits vulnerabilities in web applications and servers, such as CVE-2025-31324, across Asia, including Indonesia.
- The group employs techniques like SQL injections, privilege escalation, proxy tunnels, and custom backdoors like PULSEPACK.
- Targets include finance, logistics, retail, government, and universities, with a shifting focus over time.
- They deploy advanced malware and weaponize vulnerabilities, especially in SAP NetWeaver, to enhance their operations.
- Indonesia is at heightened risk due to exposed public-facing servers, requiring strengthened cybersecurity measures.
- Recent activity indicates increased targeting of government and educational institutions, emphasizing their ongoing operational development.
- Overlap exists between Earth Lamia’s activities and other Chinese-linked threat clusters, underscoring a broader pattern of cyber espionage.
Relationship with Indonesia and Recommendations:
- Indonesia is directly at risk due to the exposure of public-facing servers and widespread use of web applications vulnerable to these exploits.
- The Indonesian government and institutions should strengthen cybersecurity defenses by prioritizing patch management of known vulnerabilities such as CVE-2025-31324.
- Conduct regular vulnerability assessments, focusing on internet-exposed servers, especially those hosting critical infrastructure and government assets.
- Develop an incident response plan to detect and mitigate advanced persistent threats (APTs) linked to Earth Lamia tactics.
- Collaborate with international cybersecurity agencies for threat intelligence sharing and technical support.
What Indonesian Citizens Should Know and Do:
- Be aware that cyber espionage activities are targeting sectors like government and education; report any suspicious cyber activities.
- Ensure that governmental and institutional servers are promptly patched and monitored for unusual access patterns.
- Avoid opening unknown links or attachments that could be part of targeted spear-phishing aligned with these threat groups.
- Support national cybersecurity initiatives aimed at protecting sensitive infrastructure from such sophisticated attacks.