China-linked hackers exploit SAP and SQL server flaws in Asian and Brazilian attacks

May 30, 2025

The China-linked threat actor behind the recent in-the-wild exploitation of SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India and Southeast Asia since 2023.

“The threat actors primarily aim at accessing the target organization’s SQL servers by targeting SQL injection vulnerabilities discovered in web applications,” said Trend Micro security researcher Joseph C Chen in an analysis published this week. “The actors are also leveraging a variety of known vulnerabilities to exploit public-facing servers.”

Other prominent targets of the group include Indonesia, Malaysia, the Philippines, Thailand and Vietnam.

The cybersecurity company tracks the activity under the moniker Earth Lamia. The activity overlaps with threat clusters tracked as REF0657 (Elastic Security Labs), STAC6451, and CL-STA-0048 (Palo Alto Networks Unit 42).

Each of these attacks targets organizations across multiple sectors in South Asia, often leveraging Microsoft SQL Server and other instances exposed to the internet to conduct reconnaissance, deploy post-exploitation tools such as Cobalt Strike and Supershell, and use Rakshasa and Stowaway to establish proxy tunnels inside the victim network.

Privilege escalation tools such as GodPotato and JuicyPotato are also used, along with network scanning utilities such as Fscan and Kscan. Legitimate programs like wevtutil.exe are used to clear the Windows Application, System, and Security event logs.
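Log clearing with wevtutil.exe leaves two independent traces a defender can alert on: the process-creation record of the wevtutil command itself, and the events Windows writes when a log is wiped (Security event 1102, System event 104). The following detection logic is an added example for this article, not code from Trend Micro or the report; it runs over constructed, normalised sample records, and the record field names are assumptions about the collector's schema.

```python
"""Flag Windows event-log clearing from normalised event records."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# wevtutil accepts the verb as "cl" or "clear-log"; match either, any case,
# whether the binary is given bare or with a full path.
WEVTUTIL_CLEAR = re.compile(r"(^|[\\/ ])wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
# Events Windows itself writes when a log is cleared: (channel, event id).
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
# Process-creation sources: Sysmon event 1 and Security event 4688.
PROCESS_CREATE_IDS = {1, 4688}


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    detail: str


def cleared_log_name(cmdline: str) -> Optional[str]:
    """Return the log named in a `wevtutil cl <log>` command line, else None."""
    if not WEVTUTIL_CLEAR.search(cmdline):
        return None
    parts = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    for i, tok in enumerate(parts):
        if tok.lower() in ("cl", "clear-log") and i + 1 < len(parts):
            return parts[i + 1].strip('"')
    return "<missing>"


def scan(records: List[dict]) -> List[Alert]:
    """Raise an Alert for each record that shows a log being cleared."""
    alerts = []
    for r in records:
        if r.get("event_id") in PROCESS_CREATE_IDS:
            log = cleared_log_name(r.get("cmdline", ""))
            if log is not None:
                alerts.append(Alert(r["host"], "wevtutil clear", f"log={log} user={r.get('user')}"))
        elif (r.get("channel"), r.get("event_id")) in LOG_CLEARED_EVENTS:
            alerts.append(Alert(r["host"], "log cleared event", f"channel={r['channel']} eid={r['event_id']}"))
    return alerts


# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_RECORDS = [
    {"host": "srv-sql01", "event_id": 4688, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "C:\\Windows\\System32\\wevtutil.exe cl Security"},
    {"host": "srv-sql01", "event_id": 1102, "channel": "Security"},
    {"host": "srv-sql01", "event_id": 104, "channel": "System"},
    {"host": "ws-17", "event_id": 1, "user": "alice",
     "cmdline": "wevtutil qe Application /c:5"},  # a query, not a clear
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Correlating the two signals on the same host within a short window cuts false positives from legitimate administrative log rotation.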

Select intrusions targeting Indian entities attempted to deploy Mimic ransomware binaries to encrypt the victims' files, but the efforts were largely unsuccessful.

“We saw the actors stage the Mimic ransomware binaries in all observed cases, but the ransomware often didn’t run properly, and in some instances the actors tried to remove the binaries after deployment,” Sophos said in an analysis released in August 2024.


Then, earlier this month, EclecticIQ revealed that CL-STA-0048 is one of many China-nexus cyber espionage groups exploiting CVE-2025-31324.

In addition to CVE-2025-31324, the hacking crew is said to have weaponized eight other vulnerabilities to breach public-facing servers –

Describing the group as “very active,” Trend Micro noted that the threat actors have shifted their focus from financial services to logistics and online retail and, more recently, to IT companies, universities and government organizations.

“We observed at the beginning of 2024 and before that most of their targets were organizations within the financial industry, particularly those related to securities and brokerages,” the company said. “In late 2024, they shifted their targets to organizations primarily in the logistics and online retail industry. Recently, we noticed that their targets have moved again, to IT companies, universities and government organizations.”

A notable technique adopted by Earth Lamia is launching custom backdoors like PulsePack via DLL sideloading, a widely used approach among Chinese hacking groups. PulsePack, a modular .NET-based implant, communicates with remote servers to retrieve various plugins that carry out its functions.

Trend Micro said that in March 2025 it observed an updated version of the backdoor that changes the command-and-control (C2) communication method from TCP to WebSocket, indicating active ongoing development of the malware.

“Earth Lamia is conducting its operations across multiple countries and industries with aggressive intent,” Trend Micro concluded. “At the same time, the threat actors continuously refine their offensive tactics by developing custom hacking tools and new backdoors.”
