Ethical Hacking News

China-Linked Hackers Exploit SAP and SQL Server Flaws to Launch Global Attacks Across Asia and Brazil



A China-linked threat actor has been exploiting critical security flaws in SAP NetWeaver and SQL Server to launch a series of attacks across Asia and Brazil. The attacks have targeted organizations in various sectors, including finance, logistics, online retail, IT companies, universities, and government institutions. Trend Micro has observed the actor deploying custom backdoors such as PULSEPACK via DLL side-loading, and the backdoor's ongoing changes indicate that the malware is under active development. As the threat actor continues to refine its attack tactics, organizations need to stay informed about the latest vulnerabilities and attack vectors to protect themselves against such attacks.

  • Earth Lamia is a China-linked threat actor exploiting critical security flaws in SAP NetWeaver and SQL Server.
  • The attacks have targeted various sectors, including finance, logistics, online retail, IT companies, universities, and government institutions since 2023.
  • The attackers mainly exploit SQL injection vulnerabilities in web applications to reach SQL servers, and known vulnerabilities to compromise public-facing servers.
  • Earth Lamia has shifted its focus from financial services to logistics and online retail, and recently targeted IT companies, universities, and government organizations.
  • The threat actor uses custom backdoors like PULSEPACK via DLL side-loading and various known vulnerabilities to carry out attacks.
  • The attacks have been linked to the exploitation of multiple vulnerabilities, including CVE-2025-31324 and others.
  • Earth Lamia continuously refines its attack tactics by developing custom hacking tools and new backdoors.



THN has been tracking a highly active China-linked threat actor, dubbed Earth Lamia, which has been exploiting critical security flaws in SAP NetWeaver and SQL Server to launch a series of attacks across Asia and Brazil. The attacks, which have been ongoing since 2023, have targeted organizations in various sectors, including finance, logistics, online retail, IT companies, universities, and government institutions.

According to Trend Micro security researcher Joseph C Chen, the threat actor mainly targets SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The attackers also take advantage of various known vulnerabilities to exploit public-facing servers. The attacks have been characterized by the use of custom backdoors like PULSEPACK via DLL side-loading, an approach widely adopted by Chinese hacking groups.
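The SQL injection entry point described above is a web-application defect, not an SQL Server one, and the fix sits in the application code. The following is an added example (not code from the article, Trend Micro, or THN) that puts the vulnerable query pattern beside its hardened form; it uses an in-memory SQLite database as a stand-in for SQL Server, and the `orders` table, the customer names and the injected input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample database standing in for the application's SQL server.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 20.0), (3, "carol", 30.0)],
    )
    return conn


def orders_vulnerable(conn, customer):
    # The web parameter is pasted into the statement text, so any quote
    # characters in it change the SQL that the database parses.
    sql = f"SELECT id FROM orders WHERE customer = '{customer}'"
    return [row[0] for row in conn.execute(sql)]


def orders_hardened(conn, customer):
    # Parameter binding sends the value separately from the statement;
    # the database never parses the value as SQL, whatever it contains.
    sql = "SELECT id FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


# Constructed inputs: a normal customer name and a classic tautology payload.
NORMAL_INPUT = "alice"
INJECTED_INPUT = "x' OR '1'='1"


def compare(customer):
    """Return (vulnerable_result, hardened_result) for one input value."""
    conn = build_sample_db()
    try:
        return orders_vulnerable(conn, customer), orders_hardened(conn, customer)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in (NORMAL_INPUT, INJECTED_INPUT):
        vuln, safe = compare(value)
        print(f"{value!r}: vulnerable -> {vuln}, hardened -> {safe}")
```

With the normal input both functions return the same single order; with the tautology input the concatenated query returns every row while the bound query returns nothing, because there is no customer literally named `x' OR '1'='1`. The same binding rule applies to the SQL Server drivers (pyodbc, JDBC, ADO.NET), and pairing it with a low-privilege database login for the web application limits what an injection that slips through can reach.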

In early 2024 and prior, Earth Lamia's targets were mainly organizations within the financial industry, specifically related to securities and brokerage. However, in the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, they have targeted IT companies, universities, and government organizations.

The threat actor has been observed conducting its operations across multiple countries and industries with aggressive intentions. The attacks have also involved a range of tooling: privilege escalation tools such as GodPotato and JuicyPotato; network scanning utilities such as Fscan and Kscan; and legitimate programs such as wevtutil.exe, used to clear the Windows Application, System, and Security event logs.
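Clearing the Application, System and Security logs with wevtutil.exe leaves its own trace: Windows records the clearing as Security event ID 1102 ("The audit log was cleared") and, for the other channels, as System event ID 104 from the Microsoft-Windows-Eventlog provider, and a process-creation event (Security 4688) for wevtutil.exe with a clear-log verb precedes them. The following is an added example (not code from the article or Trend Micro) of detection logic run over a handful of constructed, SIEM-style event records; the host names, user names and timestamps are made up for the example, and the ten-minute correlation window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event_id) pairs that directly record a log being cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Constructed sample events in a simplified SIEM export form.
SAMPLE_EVENTS = [
    {"ts": "2025-05-30T09:58:00", "host": "WEB01", "channel": "Security",
     "event_id": 4624, "user": "CORP\\svc_web"},
    {"ts": "2025-05-30T10:00:04", "host": "WEB01", "channel": "Security",
     "event_id": 4688, "user": "CORP\\svc_web",
     "process": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2025-05-30T10:00:05", "host": "WEB01", "channel": "Security",
     "event_id": 1102, "user": "CORP\\svc_web"},
    {"ts": "2025-05-30T10:00:07", "host": "WEB01", "channel": "System",
     "event_id": 104, "user": "CORP\\svc_web", "cleared_channel": "Application"},
    {"ts": "2025-05-30T10:00:09", "host": "WEB01", "channel": "System",
     "event_id": 104, "user": "CORP\\svc_web", "cleared_channel": "System"},
    # A lone clear on a domain controller at 03:00, e.g. scheduled maintenance.
    {"ts": "2025-05-30T03:00:00", "host": "DC01", "channel": "Security",
     "event_id": 1102, "user": "CORP\\admin"},
]


def is_log_clear_event(ev):
    """True for events that record, or directly precede, an event log clear."""
    if (ev["channel"], ev["event_id"]) in LOG_CLEARED_IDS:
        return True
    if ev["channel"] == "Security" and ev["event_id"] == 4688:
        image = (ev.get("process") or "").lower()
        tokens = (ev.get("cmdline") or "").lower().split()
        return image.endswith("wevtutil.exe") and any(
            tok in ("cl", "clear-log") for tok in tokens)
    return False


def find_log_clearing(events, window=timedelta(minutes=10)):
    """Group clear-related events per (host, user) and rate each group.

    Several channels cleared by one account inside the window is the pattern
    described for this actor and is rated high; a single clear is medium so
    an analyst still sees it but can triage it against maintenance schedules.
    """
    groups = defaultdict(list)
    for ev in events:
        if is_log_clear_event(ev):
            groups[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        cleared = sorted({e.get("cleared_channel") or e["channel"]
                          for e in evs
                          if (e["channel"], e["event_id"]) in LOG_CLEARED_IDS})
        span = (datetime.fromisoformat(evs[-1]["ts"])
                - datetime.fromisoformat(evs[0]["ts"]))
        severity = "high" if len(cleared) >= 2 and span <= window else "medium"
        alerts.append({"host": host, "user": user, "cleared": cleared,
                       "count": len(evs), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

Because the 1102 and 104 records are written after the clear, they survive it and are often the last thing left on the host; forwarding them off-box as they are generated is what makes the correlation above possible at all.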

The attackers have also attempted to deploy Mimic ransomware binaries to encrypt victim files, although the efforts were largely unsuccessful. In some instances, the actors were seen attempting to delete the binaries after being deployed. Sophos noted in an analysis published in August 2024 that while the actors were seen staging the Mimic ransomware binaries in all observed incidents, the ransomware often did not successfully execute.

The attacks have also been linked to the exploitation of multiple vulnerabilities, including CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver. Besides CVE-2025-31324, the hacking crew is said to have weaponized as many as eight different vulnerabilities to breach public-facing servers, including CVE-2017-9805, an Apache Struts2 remote code execution vulnerability; CVE-2021-22205, a GitLab remote code execution vulnerability; and CVE-2024-9047, a WordPress File Upload plugin arbitrary file access vulnerability.

Earth Lamia's use of custom backdoors like PULSEPACK via DLL side-loading is a notable technique adopted by the threat actor. PULSEPACK, a modular .NET-based implant, communicates with a remote server to retrieve the plugins that carry out its functions. An updated version of the backdoor observed in March 2025 changes the command-and-control (C2) communication method from TCP to WebSocket, indicating active ongoing development of the malware.

The threat actor has been highly active and has shifted its focus from financial services to logistics and online retail, and most recently, to IT companies, universities, and government organizations. According to Trend Micro, Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions. At the same time, the threat actor continuously refines its attack tactics by developing custom hacking tools and new backdoors.

In conclusion, the recent attacks attributed to the China-linked threat actor Earth Lamia have highlighted the importance of vigilance in the face of sophisticated cyber threats. As the threat landscape continues to evolve, organizations need to stay informed about the latest vulnerabilities and attack vectors to protect themselves against such attacks.



Related Information:
  • https://www.ethicalhackingnews.com/articles/China-Linked-Hackers-Exploit-SAP-and-SQL-Server-Flaws-to-Launch-Global-Attacks-Across-Asia-and-Brazil-ehn.shtml
  • https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html
  • https://cyber.vumetric.com/security-news/2025/05/30/china-linked-hackers-exploit-sap-and-sql-server-flaws-in-attacks-across-asia-and-brazil/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-31324
  • https://www.cvedetails.com/cve/CVE-2025-31324/
  • https://nvd.nist.gov/vuln/detail/CVE-2017-9805
  • https://www.cvedetails.com/cve/CVE-2017-9805/
  • https://nvd.nist.gov/vuln/detail/CVE-2021-22205
  • https://www.cvedetails.com/cve/CVE-2021-22205/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-9047
  • https://www.cvedetails.com/cve/CVE-2024-9047/

Published: Fri May 30 07:34:44 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.