China-Linked Threat Actors Target SAP and SQL Server Vulnerabilities in Operations Across Asia and Brazil
The recent exploitation of a critical security vulnerability in SAP NetWeaver has been linked to a state-sponsored threat actor based in China, which has extended its attack campaign to encompass organizations in Brazil, India, and Southeast Asia since the beginning of 2023.
This threat actor primarily targets SQL injection vulnerabilities in web applications, using them to gain access to the SQL servers of affected organizations. In addition, it exploits a variety of known vulnerabilities to attack public-facing servers. Notable targets have been located in countries such as Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.
The cybersecurity community is monitoring this threat activity under the designation Earth Lamia. This group exhibits similarities with other threat clusters documented by Elastic Security Labs, Sophos, and Palo Alto Networks Unit 42.
The attacks executed by this collective have been extensive, affecting various sectors across South Asia. They often use exposed Microsoft SQL Servers to conduct reconnaissance, deploy post-exploitation tools such as Cobalt Strike and Supershell, and create proxy tunnels into victim networks using tools like Rakshasa and Stowaway. Other techniques include employing privilege escalation tools such as GodPotato and JuicyPotato, utilizing network scanning utilities like Fscan and Kscan, and leveraging legitimate programs like wevtutil.exe to erase event logs from Windows systems.
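The techniques above (a shell spawned under an exposed SQL Server, scanning and privilege-escalation tooling, and wevtutil.exe used to clear event logs) leave distinctive process-creation traces. The following Python is an added example, not code from the report or from any of the vendors cited: it classifies constructed, simplified process-creation records (parent image, child image and command line) and flags the log-clearing verbs of wevtutil while leaving its read-only verbs alone. The record format, the sample lines and the "SQL Server service spawning a shell" heuristic are assumptions of this example, not details taken from the report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records in a simplified "parent -> image args" form.
# These are made up for the example; they are not from the original report.
SAMPLE_EVENTS = [
    "sqlservr.exe -> cmd.exe /c whoami",
    "cmd.exe -> wevtutil.exe cl Security",
    "cmd.exe -> wevtutil.exe clear-log System",
    "cmd.exe -> wevtutil.exe qe Security /c:5",
    "cmd.exe -> fscan.exe -h 10.0.0.0/24",
    "cmd.exe -> JuicyPotato.exe -l 1337 -p cmd.exe",
    "explorer.exe -> notepad.exe",
]

# Tool binaries named in the report, matched case-insensitively on the image name.
SUSPICIOUS_IMAGES = {"fscan.exe", "kscan.exe", "godpotato.exe", "juicypotato.exe"}

# Parser for the constructed record format: "<parent> -> <image> [args]".
EVENT_RE = re.compile(r"^(?P<parent>\S+) -> (?P<image>\S+)(?: (?P<args>.*))?$")


def classify_event(record: str) -> Optional[str]:
    """Return a finding label for one record, or None if it looks benign."""
    m = EVENT_RE.match(record)
    if not m:
        return None
    parent = m.group("parent").lower()
    image = m.group("image").lower()
    args = (m.group("args") or "").strip().lower()
    # wevtutil.exe is a legitimate tool; only the clear-log verbs ("cl" or
    # "clear-log") are the signal. Query verbs such as "qe" are left alone.
    if image == "wevtutil.exe" and re.match(r"^(cl|clear-log)\b", args):
        return "event-log-clearing"
    if image in SUSPICIOUS_IMAGES:
        return "known-tooling"
    # Heuristic assumed for this example: the SQL Server service process
    # launching a shell is unusual for a database host and worth reviewing.
    if parent == "sqlservr.exe" and image in {"cmd.exe", "powershell.exe"}:
        return "sql-server-spawned-shell"
    return None


def detect(records: List[str]) -> List[Dict[str, str]]:
    """Run classify_event over every record and collect the hits."""
    return [{"record": r, "label": classify_event(r)}
            for r in records if classify_event(r)]
```

Running `detect(SAMPLE_EVENTS)` flags five of the seven constructed records; the `wevtutil.exe qe` query and the notepad launch are not reported.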
Some incursions targeting Indian entities have attempted to deploy Mimic ransomware binaries to encrypt victims' files; however, these efforts have frequently been thwarted. Observations indicate that while the ransomware binaries were staged in various incidents, they often failed to execute successfully, and the attackers then attempted to delete the binaries.
Earlier this month, EclecticIQ disclosed that CL-STA-0048 was among several China-linked cyber espionage groups exploiting CVE-2025-31324, a serious unauthenticated file upload vulnerability in SAP NetWeaver, to create reverse shell access to systems under their control.
In addition to leveraging CVE-2025-31324, the group has weaponized several other vulnerabilities to infiltrate public-facing servers, including but not limited to:
– CVE-2017-9805: Apache Struts2 remote code execution vulnerability
– CVE-2021-22205: GitLab remote code execution vulnerability
– CVE-2024-9047: WordPress File Upload plugin arbitrary file access vulnerability
– CVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability
– CVE-2024-27199: JetBrains TeamCity path traversal vulnerability
– CVE-2024-51378: CyberPanel remote code execution vulnerability
– CVE-2024-51567: CyberPanel remote code execution vulnerability
– CVE-2024-56145: Craft CMS remote code execution vulnerability
Trend Micro characterized this threat actor as highly active, noting a shift in focus from financial services to logistics and online retail, and more recently targeting IT companies, educational institutions, and government agencies.
Initially, in early 2024, most targets were organizations within the financial sector, particularly those linked to securities and brokerage firms. However, by the latter half of 2024, the threat actor pivoted its attention to logistics and retail, and now appears to be homing in on IT and academic sectors, as well as government entities.
A notable technique employed by Earth Lamia involves the deployment of custom backdoors such as PULSEPACK through DLL side-loading, a method frequently utilized by Chinese hacking groups. PULSEPACK is a modular .NET-based implant capable of communicating with a remote server to retrieve plugins for executing various tasks.
In March 2025, an updated variant of this backdoor was identified, which altered the command-and-control communication method from TCP to WebSocket, indicative of the ongoing evolution and refinement of their malware capabilities.
In summary, Earth Lamia is executing its operations across numerous countries and industries with aggressive objectives, continually evolving and enhancing its attack methodologies through the development of custom hacking tools and new backdoors.