China-Linked Cyber Actors Target SAP and SQL Server Vulnerabilities in Widespread Attacks Across Asia and Brazil

30.05.2025


A threat actor tied to China, tracked as Earth Lamia, has been linked to a wave of cyberattacks since 2023, including exploitation of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to breach organizations in Brazil, India, and across Southeast Asia. Trend Micro reports that the group gains initial access mainly through SQL injection flaws in web applications, using them to reach the back-end SQL servers, and also exploits several known vulnerabilities in public-facing systems.

Among the affected countries are Indonesia, Malaysia, the Philippines, Thailand, and Vietnam, with victims spanning sectors such as logistics, online retail, government, academia, and IT. The group's targeting has shifted over time from financial institutions to a broader range of industries.

The attackers utilize a range of post-exploitation tools and techniques, including Cobalt Strike, Supershell, and proxy tunneling via Rakshasa and Stowaway. Tools for privilege escalation such as GodPotato and JuicyPotato, and scanners like Fscan and Kscan, are also deployed. Legitimate utilities like wevtutil.exe are abused to erase forensic traces from event logs.
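As an added illustration (not code from Trend Micro's report or from this article), the detection logic below triages a few constructed Windows event records for the log-clearing step mentioned above. It relies on two facts worth remembering when hunting for this behaviour: wevtutil's clear-log verb has the short alias cl, and Windows records the clearing itself, as Event ID 1102 in the Security log and Event ID 104 in the System log for other channels, so a Security log whose oldest entry is a 1102 is itself a signal. The sample records, the simplified dict layout and the field names (CommandLine, NewProcessName, Channel, ClearedLog) are assumptions made for the example.

```python
"""Triage constructed Windows event records for event-log clearing.

Added example: the sample data below is made up and is not telemetry from
the Earth Lamia incidents; the dict layout is an assumption for this demo.
"""
import re

# wevtutil's clear-log verb has the short alias "cl"; both take a channel name,
# which may be quoted when it contains spaces.
WEVTUTIL_CLEAR = re.compile(
    r'(?i)wevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+(?:"([^"]+)"|([^\s"]+))')
# PowerShell's Clear-EventLog cmdlet wipes classic logs the same way.
PS_CLEAR = re.compile(
    r'(?i)\bClear-EventLog\b.*?-LogName\s+(?:"([^"]+)"|([^\s"]+))')

# Windows records the clearing itself: 1102 in the Security log ("The audit
# log was cleared") and 104 in the System log for any other channel.
LOG_CLEARED_EVENT_IDS = {1102: "Security", 104: "System"}


def cleared_log_from_cmdline(cmdline: str):
    """Return the channel a command line would clear, or None if it is benign."""
    for pattern in (WEVTUTIL_CLEAR, PS_CLEAR):
        m = pattern.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def triage(events):
    """Return one alert dict per event that indicates log clearing.

    Assumed record shape: 4688 process-creation records carry "CommandLine"
    and "NewProcessName"; 1102/104 records carry "Channel" (the log they were
    written to) and, for 104, "ClearedLog" (the channel that was wiped).
    """
    alerts = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 4688:
            log = cleared_log_from_cmdline(ev.get("CommandLine", ""))
            if log:
                alerts.append({"index": i, "reason": "log-clear command",
                               "log": log, "process": ev.get("NewProcessName")})
        elif eid in LOG_CLEARED_EVENT_IDS:
            # 1102 is only ever written for the Security log; 104 names the
            # wiped channel in its event data (modelled here as "ClearedLog").
            log = "Security" if eid == 1102 else ev.get("ClearedLog", "?")
            alerts.append({"index": i, "reason": f"event {eid}: log cleared",
                           "log": log, "process": None})
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe System /c:5"},  # benign query, no alert
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Clear-EventLog -LogName Application"},
    {"EventID": 1102, "Channel": "Security"},
    {"EventID": 104, "Channel": "System",
     "ClearedLog": "Microsoft-Windows-Sysmon/Operational"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The command-line match and the 1102/104 records are complementary: the 4688 record names the process and the operator's exact command, while 1102/104 survive even when process-creation auditing is off, provided the logs are forwarded before the attacker wipes them.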

Earth Lamia has also staged Mimic ransomware in several incidents, though it largely failed to execute. In many cases the binaries were deleted after deployment, which may point to operational testing or an attempt to avoid detection.

The group is known for its custom backdoor PULSEPACK, delivered via DLL side-loading—an approach commonly seen in Chinese APT operations. Trend Micro observed an updated version in March 2025 that transitioned its communication from TCP to WebSocket, reflecting ongoing development. The campaign reflects Earth Lamia’s sustained and evolving focus on cyber espionage across diverse industries and geographies.
