A malicious campaign attributed to the APT group known as “Earth Lamia” has exploited weaknesses in web applications to gain access to organizations, using various techniques to steal information. The group has primarily targeted Brazil, India, and countries in Southeast Asia. Initially focused on financial services, Earth Lamia later shifted its attention to logistics and online retail, and more recently to IT companies, universities, and government organizations.

Based on a blog published by Trend Micro, security researchers recently discovered a previously unseen backdoor, namely PULSEPACK and  BypassBoss, a privilege escalation tool that is a modified version of Sharp4PrinterNotifyPotato.

_____________________________

A. Nature of Attack

The threat actor conducts active scanning to identify possible vulnerabilities to gain remote access in public facing systems. Based on Trend Micro telemetry, these are the common vulnerabilities being exploited by the actor.

  • CVE-2025-31324
  • CVE-2024-51378
  • CVE-2024-27199
  • CVE-2024-27198
  • CVE-2024-51567
  • CVE-2021-22205
  • CVE-2024-9047
  • CVE-2024-56145
  • CVE-2017-9805

After gaining access to the server, the threat actor was observed leveraging LOLBins (Living-off-the-Land Binaries) to download additional tools, delete event logs, collect domain controller information, and maintain its persistence. They also deployed a web shell on a web application, escalated privileges using tools like GodPotato and JuicyPotato, and scanned the internal network with Fscan and Kscan.

_____________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Regularly apply necessary updates and patch to mitigate future threats
  • Proactively monitor the logs and network traffic to the identified systems and devices for any suspicious/malicious activities
  • Install an anti-virus software and/or host-based detection tool running with the latest version to protect your data and devices.
  • Indicator of composed is available on the official report for threat hunting and blocking purposes
    • https://documents.trendmicro.com/assets/txt/earth_lamia_iocs_v2CeWlPie.txt
  • For additional information, kindly refer to the official report
    • https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html