EXECUTIVE SUMMARY
Earth Lamia has been observed targeting entities across multiple regions in a sustained campaign marked by strategic shifts in focus over time. Their primary method of entry has been the exploitation of SQL injection flaws in internet-facing applications, which gives them direct access to the database servers behind those applications. Alongside these injection attacks, they have exploited known weaknesses in other publicly exposed services to establish footholds. Their targeting has moved through distinct sector-focused phases: financial services first, then logistics and retail, and more recently information technology, academic institutions, and public bodies. Throughout, Earth Lamia has combined publicly available exploitation frameworks, modified to evade detection, with bespoke malware components. Notably, they developed a modular backdoor, PULSEPACK, which has gone through at least two generations, indicating continuous refinement of its command-and-control mechanism.
In terms of exploitation and post-compromise operations, Earth Lamia systematically scans external sites for SQL injection vulnerabilities and uses automated utilities to turn a confirmed injection into a remote shell, running database commands that grant elevated privileges. Beyond injection, they exploit remote code execution and file-handling weaknesses in common web platforms, chaining these initial breaches into deeper network penetration. Once inside, they use several techniques to maintain persistence and move laterally: dropping webshells, sideloading DLLs to execute payloads in memory, and abusing built-in system utilities to download additional tools. They dump credentials to harvest account data, escalate privileges with customized versions of public escalation exploits, and cover their tracks by clearing Windows event logs. Network reconnaissance is carried out with scanning tools, and proxy tunnels are established to exfiltrate data. Their customized loaders package a legitimate binary alongside an encrypted payload, so that the post-exploitation implant is decrypted and executed in memory without a malicious file ever being written to disk.
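To make the injection-to-database path concrete, here is an added example (written for this summary, not code from the referenced report or from any targeted application) that places a string-built query beside its parameterized form and runs the same constructed UNION payload through both. The sqlite3 schema, table names and payload are assumptions made for the example; SQLite has no operating-system command facility, so the privilege half of the chain is covered in the note that follows rather than executed.

```python
"""Added example: a string-built SQL query beside its parameterized form.

Constructed illustration of the injection class described above; it is not
Earth Lamia's tooling and not code from any targeted application. The schema,
table names, hash value and payload are assumptions made for this example.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: a table the application queries and a
    table that users of the application should never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE db_accounts (login TEXT, password_hash TEXT);
        INSERT INTO db_accounts VALUES ('dbadmin', 'constructed-hash-value');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so a quote in
    the input closes the string literal and everything after it is parsed as SQL."""
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the same query with the value bound as a parameter. The driver
    sends it as data, so it is never interpreted as SQL whatever it contains."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


# Constructed UNION payload of the kind an automated scanner tries once it has
# found an injectable parameter: it appends a second SELECT against a table
# the original query was never meant to touch, and comments out the trailing
# quote that the vulnerable query appends.
PAYLOAD = "x' UNION SELECT login, password_hash FROM db_accounts --"


def demo() -> dict:
    """Run the payload and a legitimate search through both query styles."""
    conn = setup_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "hardened": search_hardened(conn, PAYLOAD),
        "legit": search_hardened(conn, "widget"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameterization stops the payload from being parsed as SQL, but it is only half of the fix for the campaign described above: the application should also connect with a database login that cannot execute operating-system commands or grant itself additional privileges, so that even a successful injection cannot become the remote shell the attackers rely on.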
Earth Lamia's persistent innovation and flexible targeting present a significant challenge to defenders. By continuously updating their toolset, from lightly modified open-source utilities to a unique backdoor framework, they show a clear emphasis on stealth and resilience. The plugin architecture of their primary backdoor lets them load only the functions a particular objective requires, minimizing their footprint on a compromised host. The shift in targeted sectors over time suggests that their campaigns are intelligence-led and goal-oriented rather than opportunistic. Mitigating this threat requires rigorous vulnerability management for every public-facing application, including least-privilege database accounts for the applications that front database servers; monitoring capable of detecting anomalous behavior such as web server processes spawning shells or event logs being cleared; and layered defenses that can identify unusual DLL sideloading and encrypted payloads executed in memory.
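The detection point in the two paragraphs above (web shells, DLL sideloading, credential dumping from LSASS, and cleared event logs) can be expressed as a handful of behavioral checks over endpoint telemetry. The following is an added example written for this summary, not a vendor rule set and not anything from the referenced report; the event schema is a simplified rendering of Windows Security and Sysmon fields (Sysmon event IDs 1, 7 and 10 and Security event ID 1102), the technique IDs are the parent IDs from the threat profile table, and every host, path and process name is constructed.

```python
"""Added example: behavioral checks over a constructed batch of Windows
telemetry for the post-compromise tradecraft summarized above: a web shell
spawning a shell, DLL sideloading, LSASS access, and event log clearing.

Illustrative detection logic written for this summary; it is not a vendor
rule set and not Earth Lamia's code. The event records are a simplified,
assumed rendering of Windows Security and Sysmon fields, and every host,
path and process name below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterator

# Directories from which Windows' own DLLs are expected to load; a well-known
# DLL name loaded from anywhere else is the classic sideloading signal.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                   "c:\\windows\\winsxs\\")
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# DLL names that many signed executables resolve by bare name (assumed list).
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}
PROCESS_VM_READ = 0x0010  # access right a credential dumper needs on lsass.exe


@dataclass
class Event:
    host: str
    source: str  # "sysmon" or "security"
    event_id: int
    fields: dict = field(default_factory=dict)


@dataclass
class Alert:
    host: str
    technique: str  # parent ATT&CK ID, matching the threat profile table
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(ev: Event) -> Iterator[Alert]:
    """Yield an Alert for each check that fires on one event."""
    f = ev.fields
    # Sysmon 1 (process creation): a web server worker spawning a shell is
    # how a dropped web shell usually surfaces.
    if ev.source == "sysmon" and ev.event_id == 1:
        if basename(f.get("ParentImage", "")) in WEB_SERVER_PROCS and basename(f.get("Image", "")) in SHELLS:
            yield Alert(ev.host, "T1505", "webshell_spawn", f.get("CommandLine", ""))
    # Sysmon 7 (image loaded): a well-known DLL name from a non-system path,
    # typically unsigned and sitting next to the legitimate binary that loads it.
    if ev.source == "sysmon" and ev.event_id == 7:
        loaded = f.get("ImageLoaded", "").lower()
        if basename(loaded) in SIDELOAD_DLL_NAMES and not loaded.startswith(SYSTEM_DLL_DIRS):
            yield Alert(ev.host, "T1574", "dll_sideload",
                        f"{f.get('Image', '')} loaded {loaded} signed={f.get('Signed', 'false')}")
    # Sysmon 10 (process access): something opened lsass.exe with read rights.
    if ev.source == "sysmon" and ev.event_id == 10:
        access = int(f.get("GrantedAccess", "0x0"), 16)
        if basename(f.get("TargetImage", "")) == "lsass.exe" and access & PROCESS_VM_READ:
            yield Alert(ev.host, "T1003", "lsass_read", f"{f.get('SourceImage', '')} access=0x{access:x}")
    # Security 1102: the audit log was cleared.
    if ev.source == "security" and ev.event_id == 1102:
        yield Alert(ev.host, "T1070", "security_log_cleared", f"by {f.get('SubjectUserName', '?')}")


def run(events: list) -> list:
    """Apply every check to every event, preserving event order."""
    return [a for ev in events for a in detect(ev)]


def chained_hosts(alerts: list, min_techniques: int = 2) -> dict:
    """Hosts on which two or more distinct techniques fired. A single hit may
    be noise; the chain described above is not."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.technique)
    return {h: t for h, t in seen.items() if len(t) >= min_techniques}


# Constructed sample telemetry: one compromised web server and one benign host.
SAMPLE_EVENTS = [
    Event("web01", "sysmon", 1, {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                                 "Image": r"C:\Windows\System32\cmd.exe",
                                 "CommandLine": "cmd.exe /c whoami"}),
    Event("web01", "sysmon", 7, {"Image": r"C:\ProgramData\vendor\update.exe",
                                 "ImageLoaded": r"C:\ProgramData\vendor\version.dll",
                                 "Signed": "false"}),
    Event("web01", "sysmon", 7, {"Image": r"C:\Windows\explorer.exe",  # benign load
                                 "ImageLoaded": r"C:\Windows\System32\version.dll",
                                 "Signed": "true"}),
    Event("web01", "sysmon", 10, {"SourceImage": r"C:\ProgramData\vendor\update.exe",
                                  "TargetImage": r"C:\Windows\System32\lsass.exe",
                                  "GrantedAccess": "0x1010"}),
    Event("web01", "security", 1102, {"SubjectUserName": "Administrator"}),
    Event("fs02", "sysmon", 1, {"ParentImage": r"C:\Windows\explorer.exe",  # benign shell
                                "Image": r"C:\Windows\System32\cmd.exe",
                                "CommandLine": "cmd.exe"}),
]

if __name__ == "__main__":
    alerts = run(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a.host} {a.technique} {a.rule}: {a.detail}")
    print("chained:", chained_hosts(alerts))
```

Each check on its own will produce some noise in a real estate (administrators clear logs, backup agents read LSASS), which is why the chaining step matters: the sequence the report describes lands several distinct techniques on the same host in a short window, and that combination is what should page an analyst.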
THREAT PROFILE:
| Tactics | Technique ID | Technique |
|---|---|---|
| Reconnaissance | T1595 | Active Scanning |
| | T1592 | Gather Victim Host Information |
| | T1590 | Gather Victim Network Information |
| Resource Development | T1583 | Domains |
| | T1587 | Malware |
| | T1608 | Upload Malware |
| Initial Access | T1190 | Exploit Public-Facing Application |
| | T1078 | Valid Accounts |
| Execution | T1059 | PowerShell |
| Persistence | T1098 | Additional Local or Domain Groups |
| | T1136 | Local Account |
| | T1053 | Scheduled Task |
| | T1505 | Web Shell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| | T1574 | DLL |
| | T1562 | Disable or Modify Tools |
| | T1070 | Clear Windows Event Logs |
| | T1036 | Match Legitimate Resource Name or Location |
| | T1620 | Reflective Code Loading |
| Credential Access | T1003 | LSASS Memory |
| Discovery | T1087 | Local Account |
| | T1482 | Domain Trust Discovery |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Collection | T1005 | Data from Local System |
| Command and Control | T1132 | Standard Encoding |
| | T1573 | Symmetric Cryptography |
| | T1008 | Fallback Channels |
| | T1105 | Ingress Tool Transfer |
| | T1104 | Multi-Stage Channels |
| | T1095 | Non-Application Layer Protocol |
| | T1571 | Non-Standard Port |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following report contains further technical details:
https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html