Cybersecurity researchers are warning of increasing threat by an advanced Chinese hacking group called Earth Lamia to the world at large.
This APT group has been observed to heavily target victims in a significant number of industries in a very short period of time in mainly Brazil, India and South East Asia however, they started heavily targeting any IT companies as well as Universities, government bodies internationally.
Earth Lamia uses its known techniques of abusing web servers hosting public-facing Web applications through SQL injections among others. Once the initial intrusion is established, the group uses a range of methods for the lateral and privilege escalation, as well as the data exfiltration.
Their toolbox consists of both publicly available hacking tools, often modified to avoid detection, and custom malware, like PULSEPACK backdoor (. NET program, can also load plugins from its C&C server.
This flexibility enables the attackers to adjust their attack patterns to target systems, as well as to remain stealthy after gaining access to the system.
It has come to the attention of recent review that Earth Lamia is ever evolving in terms of tactics and arsenal. PULSEPACK backdoor variant An enhanced variant of their PULSEPACK backdoor that we first saw in March 2025 is now using WebSocket for C&C communication, indicating the current development and desire to improve stealth and functionality.
The gang has also been observed to use latest reported flaws, such as CVE-2025-31324 in SAP NetWeaver, demonstrating its willingness to integrate new attack vectors.
The transformation in Earth Lamia’s target as she progresses.. is another issue. Originally targeting finance, they later shifted to logistics and e-commerce later in 2024.
Their attention is now on IT companies, universities and government organizations, raising the possibility of an increase in espionage and data theft activities. According to cybersecurity firms, their activities have appeared in prior reports under a variety of cluster names, but there is increasing agreement among intelligence officials that “Earth Lamia” is a separate, and more serious, China-linked threat actor.
All sectors organizations are encouraged to apply the following mitigations to the maximum extent possible, including implementing and ensuring robust monitoring and logging properties are in place to identify potential compromises and determine the potential risk for harm to the system, and running through tabletop exercises to ensure they are prepared to respond in the event of an incident.
