The Chinese threatening actor, which is behind the recent exploitation of the SAP Netweaver’s critical lack of security, was associated with a broader set of attacks aimed at organizing in Brazil, India and Southeast Asia since 2023.
“Acting threats are mainly oriented – Note In an analysis published this week. “The actor will also take advantage of various well -known vulnerabilities for the exploitation of the servers facing the public.”
Some of the other known goals of the competition team include Indonesia, Malaysia, Philippines, Thailand and Vietnam.
Cybersecurity Company monitors activity under nickname Land Lamiaindicating that the activity shares a certain degree of overlapping with threats of clusters documented with elastic safety lab as Ref0657Sophos is like Stac6451and Palo Alto Networks Unit 42 as CL-0048.
Each of these attacks is aimed at organizations that cover several South Asia sectors, often using the online Microsoft SQL internet server and other specimens for exploration, deployment of tools after operation such as Cobalt Strike and Supershell, and install proxy tunnels in networks Stowaway.
Escalation tools such as Godpotato and JuicyPotato are also used; network scanning utilities such as FSCAN and KSCAN; and legitimate programs such as Wevtutil.exe for cleaning applications, systems, systems and security.
Selected invasions aimed at Indian structures, also tried to expand Imitate ransom Binary files to encrypt the victim files, though the efforts were largely unsuccessful.
“While the actors saw that mimic binary ransom files in all observed incidents, the required programs were often not successfully executed, and in several cases, the actors have noticed attempts to remove binary files after deployment,” Sophos said in a analysis in August 2024.
Then at the beginning of this month ECLECTICIQ disclosed This CL-Sta-0048 has been one of the many China-NEXUS cyber groups to use the CVE-2025-31324, a critical unauthorized vulnerability of the SAP Netwaver to install the infrastructure under control.
In addition to the CVE-2025-31324, the hacking crew is said
Describing it as a “highly active”, Trend Micro noted that the actor threatened his attention from financial services to logistics and internet, and more recently, to IT companies, universities and state organizations.
“At the beginning of 2024, until the previous day, we observed that most of their goals were financial organizations, in particular, related securities and brokerage,” the company said. “In the second half of 2024, they transferred their goals in the organization mainly in logistics and online trade industries. We recently noticed that their goals again switched to IT companies, universities and state organizations.”
A characteristic technique adopted by Earth Lamia is to launch its custom backs such as Pulsepack via Dll Side Loading, which is widely perceived by Chinese hacking groups. Modular implant based on .Net Pulsepack talks with a remote server to obtain different plugins to perform their features.
Trend Micro said it was observed in March 2025, the updated version of the back, which changes the team communication and control (C2) from TCP to WebSocket, which indicates the active development of malicious software.
“Land Lamia conducts its activity in different countries and fields with aggressive intentions,” he said. “At the same time, the actor threats constantly clarify his attack tactics, developing the setting tools for hacking and the new back.”
