Cyber Defense Advisors

China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil

The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023.

“The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations,” Trend Micro security researcher Joseph C Chen said in an analysis published this week. “The actor also takes advantage of various known vulnerabilities to exploit public-facing servers.”

Some of the other prominent targets of the adversarial collective include Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.

The cybersecurity company is tracking the activity under the moniker Earth Lamia, stating the activity shares some degree of overlap with threat clusters documented by Elastic Security Labs as REF0657, Sophos as STAC6451, and Palo Alto Networks Unit 42 as CL-STA-0048.

Cybersecurity

Each of these attacks has targeted organizations spanning multiple sectors in South Asia, often leveraging internet-exposed Microsoft SQL Servers and other instances to conduct reconnaissance, deploy post-exploitation tools like Cobalt Strike and Supershell, and establish proxy tunnels to the victim networks using Rakshasa and Stowaway.

Also used are privilege escalation tools like GodPotato and JuicyPotato; network scanning utilities such as Fscan and Kscan; and legitimate programs like wevtutil.exe to clean Windows Application, System, and Security event logs.

Select intrusions aimed at Indian entities have also attempted to deploy Mimic ransomware binaries to encrypt victim files, although the efforts were largely unsuccessful.

“While the actors were seen staging the Mimic ransomware binaries in all observed incidents, the ransomware often did not successfully execute, and in several instances, the actors were seen attempting to delete the binaries after being deployed,” Sophos noted in an analysis published in August 2024.

Then earlier this month, EclecticIQ disclosed that CL-STA-0048 was one among the many China-nexus cyber espionage groups to exploit CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver to establish a reverse shell to infrastructure under its control.

Besides CVE-2025-31324, the hacking crew is said to have weaponized as many as eight different vulnerabilities to breach public-facing servers –

  • CVE-2017-9805 – Apache Struts2 remote code execution vulnerability
  • CVE-2021-22205 – GitLab remote code execution vulnerability
  • CVE-2024-9047 – WordPress File Upload plugin arbitrary file access vulnerability
  • CVE-2024-27198 – JetBrains TeamCity authentication bypass vulnerability
  • CVE-2024-27199 – JetBrains TeamCity path traversal vulnerability
  • CVE-2024-51378 – CyberPanel remote code execution vulnerability
  • CVE-2024-51567 – CyberPanel remote code execution vulnerability
  • CVE-2024-56145 – Craft CMS remote code execution vulnerability

Describing it as “highly active,” Trend Micro noted that the threat actor has shifted its focus from financial services to logistics and online retail, and most recently, to IT companies, universities, and government organizations.

Cybersecurity

“In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage,” the company said. “In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations.”

A noteworthy technique adopted by Earth Lamia is to launch its custom backdoors like PULSEPACK via DLL side-loading, an approach widely embraced by Chinese hacking groups. A modular .NET-based implant, PULSEPACK communicates with a remote server to retrieve various plugins to carry out its functions.

Trend Micro said it observed in March 2025 an updated version of the backdoor that changes the command-and-control (C2) communication method from TCP to WebSocket, indicating active ongoing development of the malware.

“Earth Lamia is conducting its operations across multiple countries and industries with aggressive intentions,” it concluded. “At the same time, the threat actor continuously refines their attack tactics by developing custom hacking tools and new backdoors.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 

Related Post

New Linux Flaws Allow Password Hash Theft via

Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise

Cyber News

U.S. DoJ Seizes 4 Domains Supporting Cybercrime Crypting

A multinational law enforcement operation has resulted in the takedown of an online cybercrime syndicate that offered services to threat

Cyber News

Cybercrime Just Got Easier — And That Should

Cybercrime Just Got Easier — And That Should Scare You It’s never been easier to launch a cyberattack. Forget hoodie-wearing

Cyber Thoughts

New EDDIESTEALER Malware Bypasses Chrome’s App-Bound Encryption to

A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic

Cyber News

Leave feedback about this

  • Quality
  • Price
  • Service
Choose Image