
Chinese Hacking Group ‘Earth Lamia’ Targets Multiple Industries

  • May 29, 2025

Jasper_The_Rasper
Moderator

Active since at least 2023, the hacking group has been targeting the financial, government, IT, logistics, retail, and education sectors.

May 29, 2025 By Ionut Arghire

A Chinese threat actor has been targeting known vulnerabilities in web applications to compromise organizations in various sectors around the world, Trend Micro reports.

Active since at least 2023 and tracked as Earth Lamia, the hacking group has been targeting the financial, government, IT, logistics, retail, and education sectors, albeit focusing only on specific industries over different time periods.

Highly active, the threat actor has been observed exploiting known security defects in various public-facing assets, but mainly targeting SQL injection vulnerabilities in web applications.

Exploited flaws include CVE-2017-9805 (Apache Struts), CVE-2021-22205 (GitLab), CVE-2024-9047 (WordPress), CVE-2024-27198 and CVE-2024-27199 (TeamCity), CVE-2024-51378 and CVE-2024-51567 (CyberPanel), CVE-2024-56145 (Craft CMS), and, more recently, CVE-2025-31324 (SAP NetWeaver).

After initial access, Earth Lamia was seen dropping additional tools, deploying webshells, escalating privileges, creating administrator accounts, extracting credentials, scanning the network, setting up proxy tunnels, executing backdoors, and achieving persistence.

>>Full Article<<