China-Linked Hackers Go Global, SAP NetWeaver Flaw Resulted In Ransomware. Find Out More And How To Use Cybersecurity To Protect Yourself.
A China-linked hacking group known as Earth Lamia has widened its global cyber campaign, using a critical SAP NetWeaver flaw to breach targets across Brazil, India, and Southeast Asia.

But the real story sits beneath the surface—where overlapping threat clusters, advanced tools, and shifting tactics hint at a much bigger, evolving operation.

Using a VPN like NordVPN encrypts your internet connection, making it harder for hackers, data brokers, or nosy networks to see what you’re doing or steal your info.

The security world has been tracking Earth Lamia for a while, but this latest expansion paints a sharper picture.

Trend Micro researchers found that the group has been actively exploiting SQL injection vulnerabilities in web apps to break into organizations’ Microsoft SQL Servers.

Once inside, the attackers move laterally, using a whole toolbox of post-exploitation gear to map out networks, elevate privileges, and cover their tracks.

Targets include a broad swath of countries like Indonesia, Malaysia, the Philippines, Thailand, Vietnam, and beyond.

What makes this campaign more unsettling is its overlap with other China-nexus clusters identified by major security vendors.

Elastic Security Labs calls them REF0657, Sophos tracks them as STAC6451, and Palo Alto’s Unit 42 flags them as CL-STA-0048. It’s a complicated web, suggesting multiple teams or shared tools behind these attacks.

The attackers rely heavily on tried-and-true hacker staples like Cobalt Strike and Supershell to establish remote access, plus tunneling tools like Rakshasa and Stowaway to sneak data out.

For privilege escalation, they tap into exploits like GodPotato and JuicyPotato, and they wipe their tracks using wevtutil.exe to clear Windows event logs. These are not smash-and-grab attacks; they are patient, layered, and calculated.
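Log clearing with wevtutil.exe, as described above, leaves its own traces: Windows writes Security event 1102 when the audit log is cleared and System event 104 when any other log is cleared, and a process-creation event (4688) records the wevtutil command line itself. The following detector is an added example written for this article, not code from any of the vendors named; it runs over constructed sample records in the shape of exported Windows events (the field names are assumptions for the sample, not a fixed schema).

```python
import shlex
from typing import Iterable

# Constructed sample events (not real telemetry). 4688 = process creation,
# 1102 = Security audit log cleared, 104 = a System/other log was cleared.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688, "Computer": "APP01",
     "CommandLine": "cmd.exe /c dir C:\\inetpub"},
    {"Channel": "Security", "EventID": 4688, "Computer": "APP01",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Security", "EventID": 4688, "Computer": "APP01",
     "CommandLine": "wevtutil qe Security /c:5"},          # a query, not a clear
    {"Channel": "Security", "EventID": 1102, "Computer": "APP01",
     "SubjectUserName": "svc_sql"},
    {"Channel": "System", "EventID": 104, "Computer": "APP01"},
]

# wevtutil's clear verbs: the short form "cl" and the long form "clear-log".
CLEAR_VERBS = {"cl", "clear-log"}


def is_log_clear_command(command_line: str) -> bool:
    """True when the command line invokes wevtutil with a clear verb."""
    try:
        # posix=False keeps Windows backslashes literal and quotes intact.
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        return False
    if not argv:
        return False
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]  # basename of the binary
    if exe not in ("wevtutil", "wevtutil.exe"):
        return False
    return any(arg.lower() in CLEAR_VERBS for arg in argv[1:])


def detect_log_clearing(events: Iterable[dict]) -> list[dict]:
    """Return one alert per event that evidences log clearing, in input order."""
    alerts = []
    for ev in events:
        channel, eid = ev.get("Channel"), ev.get("EventID")
        if channel == "Security" and eid == 1102:
            alerts.append({"host": ev.get("Computer"), "rule": "security_log_cleared"})
        elif channel == "System" and eid == 104:
            alerts.append({"host": ev.get("Computer"), "rule": "event_log_cleared"})
        elif eid == 4688 and is_log_clear_command(ev.get("CommandLine", "")):
            alerts.append({"host": ev.get("Computer"), "rule": "wevtutil_clear_invoked"})
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

The 1102/104 events are the more reliable signal, since the process-creation check only fires when command-line auditing is enabled and the tool is invoked by name.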

 

5 Cybersecurity Methods To Protect Yourself From This Kind Of Attack

1. Update all software and patch known vulnerabilities fast.
2. Lock down public-facing servers and restrict unnecessary access.
3. Use strong database credentials and limit SQL permissions.
4. Monitor for unusual network activity and proxy tunneling attempts.
5. Regularly back up data and test ransomware recovery plans.

 

Sophos reported that in many cases the ransomware didn’t execute properly, and attackers often deleted the binaries after failed deployments.

This suggests the ransomware may have been secondary to the main mission, which appears more focused on espionage and long-term access rather than quick ransom payments.

Earlier this month, EclecticIQ added another twist. They confirmed that CL-STA-0048 was one of several China-backed espionage groups exploiting CVE-2025-31324—a critical SAP NetWeaver vulnerability that allows attackers to upload files without authentication and establish a reverse shell.

That gives them a backdoor straight into victim infrastructure.

SAP NetWeaver sits at the core of many enterprise operations, running everything from supply chains to HR systems.

A vulnerability here offers attackers deep, valuable access—a goldmine for anyone running long-term espionage or intellectual property theft operations.

This campaign fits into a growing pattern of Chinese threat actors expanding their focus outside of traditional government and military targets.

Instead, they’re hitting a wide range of sectors in developing economies, potentially harvesting data for economic, political, or strategic advantages.

As cybersecurity researchers keep peeling back the layers, it’s becoming clear that Earth Lamia and its overlapping siblings are part of a far more coordinated, global effort than originally thought.

The combination of shared tools, adaptive tactics, and high-value targets signals an increasingly sophisticated approach that may keep unfolding for months—or years—to come.
Creative Commons Copyright, 2025. Some Rights Reserved.
Spacelab is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.