{
	"id": "e2cd09ee-03e5-4668-80f8-9868c7090a18",
	"created_at": "2026-04-06T00:06:51.723305Z",
	"updated_at": "2026-04-10T03:36:01.241499Z",
	"deleted_at": null,
	"sha1_hash": "12fe258da7a8b598d541704aa8b897f38675c4e4",
	"title": "Earth Lamia Develops Custom Arsenal to Target Multiple Industries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 608467,
	"plain_text": "Earth Lamia Develops Custom Arsenal to Target Multiple\r\nIndustries\r\nBy: Joseph C Chen May 27, 2025 Read time: 12 min (3204 words)\r\nPublished: 2025-05-27 · Archived: 2026-04-02 10:46:07 UTC\r\nSummary\r\nTrend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web\r\napplications to gain access to organizations, using various techniques for data exfiltration.\r\nEarth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and\r\nBypassBoss.\r\nEarth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially\r\nfocused on financial services, the group shifted to logistics and online retail, most recently focusing on IT\r\ncompanies, universities, and government organizations.\r\nTrend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One also provides\r\nhunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on\r\nEarth Lamia.\r\nIntroduction\r\nWe have been tracking an active intrusion set that primarily targets organizations located in countries including\r\nBrazil, India, and Southeast Asia since 2023. The threat actor mainly targets SQL injection vulnerabilities\r\ndiscovered in web applications to access the SQL servers of targeted organizations. The actor also takes\r\nadvantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned\r\ntheir aggressive operations, including REF0657, STAC6451, and CL-STA-0048. 
Evidence we collected during our research indicates this group is a China-nexus intrusion\r\nset, which we now track as Earth Lamia.\r\nEarth Lamia is highly active, but our observation found that its targets have shifted over different time periods.\r\nThey targeted many organizations but focused only on a few specific industries during each time period. In early\r\n2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically\r\nrelated to securities and brokerage. In the second half of 2024, they shifted their targets to organizations mainly in\r\nthe logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies,\r\nuniversities, and government organizations.\r\nhttps://www.trendmicro.com/en_us/research/25/e/earth-lamia.html\r\nPage 1 of 13\n\nFigure 1. Map of targeted countries\r\nEarth Lamia continuously develops customized hacking tools and backdoors to improve their operations. While\r\nthe actor highly leverages open-source hacking tools to conduct their attacks, they also customized these hacking\r\ntools to reduce the risk of being detected by security software. We also discovered they have developed a\r\npreviously unseen backdoor, which we named PULSEPACK. The first version of PULSEPACK was identified in\r\nEarth Lamia's attacks during August 2024. In 2025, we found an upgraded version of PULSEPACK, which uses a\r\ndifferent protocol for C\u0026C communication, showing they are actively developing this backdoor. In this report, we\r\nwill reveal the details of Earth Lamia’s operations and share the analysis of their customized hacking tools and\r\nbackdoors.\r\nInitial access and post-exploitation TTPs\r\nWe found that Earth Lamia frequently conducted vulnerability scans to identify possible SQL injection\r\nvulnerabilities on the targets' websites. 
With an identified vulnerability, the actor tried to open a system shell\r\nthrough it to gain remote access to the victims' SQL servers. We suspect they are likely using tools like \"sqlmap\"\r\nto carry out these attacks against their targets. Besides the SQL injection attempts, our telemetry shows the actor\r\nalso exploited the following vulnerabilities on different public-facing servers:\r\nCVE-2017-9805: Apache Struts2 remote code execution vulnerability\r\nCVE-2021-22205: GitLab remote code execution vulnerability\r\nCVE-2024-9047: WordPress File Upload plugin arbitrary file access vulnerability\r\nCVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability\r\nCVE-2024-51378: CyberPanel remote code execution vulnerability\r\nCVE-2024-51567: CyberPanel remote code execution vulnerability\r\nCVE-2024-56145: Craft CMS remote code execution vulnerability\r\nMore recently, Earth Lamia also exploited CVE-2025-31324 (SAP NetWeaver Visual Composer\r\nunauthenticated file upload vulnerability). The report mentioned two of the attackers’ IP addresses,\r\n43[.]247[.]135[.]53 and 103[.]30[.]76[.]206, which we clustered as Earth Lamia’s infrastructure. 
(We discuss these\r\ndetails in the Attribution section.)\r\nAfter a successful exploitation of vulnerabilities to gain access to a server, we observed the following general\r\nlateral movement activities within the victims' network:\r\nUsing \"certutil.exe\" or \"powershell.exe\" to download additional tools from the attacker’s machine\r\nDeploying webshells to website applications\r\nPerforming privilege escalation using tools such as \"GodPotato\" and \"JuicyPotato\"\r\nScanning the network using tools like \"Fscan\" and \"Kscan\"\r\nCreating a user account named \"helpdesk\" and adding it to the local administrators group\r\nObtaining credentials by dumping the LSASS memory or extracting the SAM hive and the SYSTEM hive\r\nfrom the Windows Registry\r\nCleaning Windows Application, System and Security event logs with \"wevtutil.exe\"\r\nCollecting domain controller information with \"nltest.exe\" and \"net.exe\"\r\nEstablishing proxy tunnels to the victims' network with tools such as \"rakshasa\" and \"Stowaway\"\r\nExecuting backdoors generated from the command-and-control frameworks, including \"Vshell\", \"Cobalt\r\nStrike\", and \"Brute Ratel\"\r\nUsing \"schtasks.exe\" to persist the backdoor execution\r\nWe also noticed the threat actor used SQL injection vulnerabilities to execute the following commands. The\r\ncommands create a new account \"sysadmin123\" with administrator permissions on the targeted SQL servers. This\r\nallows the actor to directly access and exfiltrate victim databases.\r\nCREATE LOGIN sysadmin123 WITH PASSWORD = 'qwe123QWE';\r\nALTER SERVER ROLE sysadmin ADD MEMBER sysadmin123;\r\nCustomized hacking tools\r\nEarth Lamia often modifies open-source hacking tools for its own use. They remove unnecessary static strings\r\nfrom the hacking tools, such as help or debug messages. Some essential static strings are also obfuscated. These\r\ncustomizations are aimed at reducing the chances of detection by security software. 
For example, we identified a\r\nprivilege escalation tool that was named \"BypassBoss\" in the PDB string. This tool was used multiple times in\r\ndifferent incidents by Earth Lamia. After our analysis, we found that this tool is a modified version of\r\n\"Sharp4PrinterNotifyPotato\", whose original source code was shared on a Chinese forum.\r\nFigure 2. Code comparison between \"BypassBoss\" (left) and \"Sharp4PrinterNotifyPotato\" (right)\r\nIn addition, we found that Earth Lamia packages its hacking tools into DLL files to launch them via DLL\r\nsideloading. Our telemetry data showed multiple times that the actor executed a legitimate\r\nexecutable \"AppLaunch.exe\" (Microsoft .NET ClickOnce Launch Utility) with suspicious arguments. In one case,\r\nwe observed that the arguments are similar to those used by \"Mimikatz\".\r\nC:\\Users\\Public\\Downloads\\AppLaunch.exe \"log C:\\Users\\Public\\Downloads\\res.txt\"\r\n\"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\"\r\nLater, we were able to collect one of their DLL samples. The DLL file (SHA256:\r\n1d0b246f8d43442ea0eaecde5cfa7fcd8139a9ba93496cd82a8ac056f7393bcf) was named \"mscoree.dll,\" which is\r\none of the libraries loaded by \"AppLaunch.exe\". We found the actor packaged an entire binary of \"JuicyPotato\"\r\ninto the DLL file with \"VOIDMAW\", an open-source tool to package malicious code to bypass\r\nmemory scanners. This allows the actor to execute their hacking tools in memory inside the process of a legitimate\r\nexecutable. We believe the actor employs these or similar approaches to launch their hacking tools with DLL\r\nsideloading.\r\nBesides that, Earth Lamia also created their backdoor loaders by adopting DLL sideloading. 
Interestingly, the\r\nactor prefers to use the legitimate binaries provided by security vendors to sideload their malicious DLL files.\r\nFigure 3. DLL sideloading flows to launch backdoors\r\nOther researchers had found that one of the earlier versions of their loaders was a modification\r\nof the open-source project \"MemoryEvasion\" to load malicious Base64-encoded shellcode. We\r\ndiscovered an extended version of their Cobalt Strike loaders, which use RC4 encryption to protect the\r\nmalicious shellcode.\r\nFrom an example we found in their sideloading samples, the payload file \"readme.txt\" has the first 128 bytes used\r\nto produce the RC4 key, and the rest of the data is the RC4-encrypted shellcode. After launching with a legitimate\r\nbinary, the DLL sideloading loader reads data from the payload file. It concatenates two copies of the 128-byte key to restore\r\nthe 256-byte RC4 key. It then uses the restored key to decrypt the rest of the data and has the original Cobalt\r\nStrike shellcode execute in memory.\r\nFigure 4. The encrypted payload file to encapsulate the shellcode\r\nWe also found another DLL sideloading loader used by Earth Lamia to execute Brute Ratel shellcode. This loader\r\nuses AES instead. The loader has the pre-configured AES 256-byte key and initialization vectors embedded in the binary.\r\nAlthough the loader does not directly use the embedded key for decryption, it computes the hash of the 256-byte\r\nkey using SHA256, resulting in a hash that is also 256 bytes in size. The hash value is the key to decrypt the\r\nencrypted shellcode stored in the payload file \"VCRUNTIME140C.dll\".\r\nFigure 5. 
The decryption routine to restore shellcode from an AES-encrypted file\r\nAnalysis of the PULSEPACK backdoor\r\nIn August 2024, we noticed Earth Lamia started using a previously unseen backdoor, which we named\r\nPULSEPACK. PULSEPACK is a modular .NET backdoor designed with a simple primary executable that only\r\nincludes necessary capabilities for command-and-control (C\u0026C) communication. Each malicious function is\r\ndeveloped as a separate plugin. The plugins will only be loaded from the C\u0026C server when needed. In the first\r\nversion of PULSEPACK that we discovered, it contained the following configuration information embedded\r\nwithin the executable:\r\nThe IP address and the port number of the default C\u0026C server\r\nThe URL to get an updated C\u0026C IP address and port number pair\r\nThe AES key and the AES IV value to encrypt the communication\r\nAt the beginning, PULSEPACK checks the configured URL to get the address of the C\u0026C server. If the value of\r\nthe URL is empty or it fails to retrieve the C\u0026C address from the URL, the backdoor will connect to the default\r\nC\u0026C server with a TCP socket. Once the TCP socket is connected, the backdoor decodes embedded data to\r\nrestore a core DLL file and executes it in memory with the \"Assembly.Load\" approach. The core\r\nDLL handles the C\u0026C commands and launches plugins delivered from the C\u0026C server. Initially, it sends the\r\nvictim’s information to the C\u0026C server, including:\r\nSystem version and username\r\nThe backdoor process name and process privilege\r\nInstalled antivirus software\r\nA hash value calculated with the system and the hardware information\r\nFigure 6. The function to collect the information of the infected machine\r\nIt then waits for the C\u0026C server to deliver the plugins, which are then executed. 
The delivered plugins are\r\nBase64-encoded and compressed into the ZIP format. The core DLL restores the plugins from the delivered data\r\nand launches them with the \"Assembly.Load\" approach. The core DLL launches the plugins\r\nfrom a function named \"Run\" as the entry point. PULSEPACK encrypts the execution result with the AES\r\nalgorithm before sending it to the C\u0026C server.\r\nSince March 2025, we have found Earth Lamia deploying a new version of PULSEPACK. It changes the protocol of\r\nC\u0026C communication from a TCP socket to a WebSocket. In addition, the new PULSEPACK also becomes\r\nsmaller as they separated the core DLL from the backdoor and made it a plugin that will be loaded from the C\u0026C\r\nserver. Once the backdoor connects to the C\u0026C server, the server sends a message appended with a random UUID\r\nas the victim ID. The values are concatenated with a number sign \"#\".\r\nIsWindows#{UUID}\r\nThe backdoor responds with a message composed of the given UUID and a tag string embedded in the backdoor.\r\nIsWindowsReturnMessageParam#{UUID}#{Tag}\r\nThen, it delivers the first plugin called \"InitStart.dll,\" which collects the same information about the infected\r\nmachine as the original core DLL. After these initialization steps, the backdoor waits for the plugins issued from\r\nthe C\u0026C server to execute.\r\nGetWinDowsMessage#{UUID}#{C\u0026C URL}#{Plugin (Base64 encoded)}#{Function name}\r\nFigure 7. PULSEPACK C\u0026C traffic communicating on WebSocket\r\nWe also noticed a PULSEPACK sample which loaded a plugin DLL called \"TKRun.dll\", which is used for\r\npersisting the execution of the backdoor by creating a scheduled task to launch the executable after a system\r\nreboot. Unfortunately, we couldn’t discover additional plugins used by PULSEPACK. 
Our telemetry data shows\r\nthat the backdoor process can drop files and create a subprocess called \"cmd.exe\" to execute commands on the\r\nvictims' machines. This suggests that more plugins could exist for file drop or remote shell access purposes.\r\nFigure 8. The \"TKRun\" plugin creates a new task to launch the backdoor process\r\nAttribution\r\nIn January 2024, an intrusion set identified as REF0657 targeted the financial services sector in\r\nSouth Asia. We believe these are also activities of Earth Lamia. Our telemetry data also shows Earth Lamia\r\ntargeted Indian financial organizations during 2023 and early 2024. Many of the attack tactics and\r\nhacking tools mentioned in that report are identical to those used by Earth Lamia. In addition, we found a Cobalt Strike\r\nsample used by Earth Lamia connects to a C\u0026C domain \"chrome-online[.]site\". The domain certificate of\r\n\"chrome-online[.]site\" was found to be in use on \"149[.]104[.]23[.]176,\" which has been reported as the IP\r\naddress used by REF0657.\r\nIn August 2024, a report on a Mimic ransomware campaign tracked as STAC6451 was\r\npublished. The report noted that some attack tactics are linked to REF0657. This report mentioned the following\r\nactivities, which were likely from Earth Lamia:\r\nThe username \"helpdesk\" and password \"P@ssw0rd\" pair created during the attack\r\nThe use of the hacking tool \"Sophosx64.exe,\" which is the \"GodPotato\" tool. We also found the same tool\r\nwith the same filename used in Earth Lamia's attack.\r\nThe Cobalt Strike loader \"USERENV.dll\" developed with the open-source project \"MemoryEvasion\",\r\nwhich is the same as we mentioned above, is used by Earth Lamia.\r\nSome of the attack tactics mentioned in the STAC6451 report are very different from those of Earth Lamia. 
We\r\nbelieve the report of STAC6451 may include the activities from two different intrusion sets. During our research,\r\nwe didn't see Earth Lamia use any ransomware. It could be that Earth Lamia collaborated with the Mimic\r\nransomware campaign before, or they just happened to infect the same victims, as both targeted SQL servers in\r\nIndia.\r\nIn January 2025, a research team reported an espionage operation they tracked as CL-STA-0048. They found connections between this campaign, the Chinese threat actor \"DragonRank\",\r\nand REF0657, which is Earth Lamia. We found the following activities mentioned in the report were likely from\r\nEarth Lamia:\r\nThe behavior to download files from 206[.]237[.]0[.]49, which was used by Earth Lamia\r\nThe use of the legitimate binary \"AppLaunch.exe\" to sideload Cobalt Strike and hacking tools\r\nOur research currently tracks \"DragonRank\" and Earth Lamia as two different intrusion sets. We haven't seen\r\nevidence that these two intrusion sets are linked or collaborated. However, we cannot rule out this possibility.\r\nIn May 2025, researchers shared their observations on multiple China-nexus APT campaigns\r\ntargeting CVE-2025-31324. One of the mentioned campaigns used the IP address 43[.]247[.]135[.]53, which is\r\nassociated with a Cobalt Strike C\u0026C domain \"sentinelones[.]com\". The C\u0026C domain has been attributed to CL-STA-0048. We believe part of CL-STA-0048’s activities are from Earth Lamia’s operation. However, we have\r\nonly medium confidence in attributing the IP address 43[.]247[.]135[.]53 and the exploitation behavior to Earth\r\nLamia, as there is a time gap between the periods when the IP address was in use during 2024 and 2025.\r\nThe same report attributes another IP address, 103[.]30[.]76[.]206, to an intrusion set UNC5174\r\nas the VShell C\u0026C server. 
Our research shows with high confidence that this IP address is currently used by Earth Lamia instead of\r\nUNC5174. We also found a VShell sample (SHA256:\r\nbb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7), which communicates with this IP\r\naddress. This sample is similar to the other samples used by Earth Lamia:\r\nFirst, the identified VShell sample is packaged as a DLL loader with the same packaging approach using\r\nVOIDMAW that we mentioned above\r\nSecond, the identified VShell sample has the same PDB string \"C:\\Users\\qweqw\\Downloads\\Voidmaw-master\\Voidmaw-master\\x64\\Debug\\Dll1.pdb\" that we also found in the other samples used by Earth\r\nLamia\r\nThe original attribution to UNC5174 is based on the fact that the attacks delivered a VShell stager called\r\nSNOWLIGHT. The stager has been reported to be used by UNC5174. However, this may not be reliable because\r\nSNOWLIGHT is also one of the default stagers in the VShell framework. Anyone using the framework could generate\r\nthe stager to load their VShell backdoor.\r\nFigure 9. Screenshot of the VShell management panel to generate the SNOWLIGHT stager\r\nConclusion\r\nEarth Lamia is conducting its operations across multiple countries and industries with aggressive intentions. At the\r\nsame time, the threat actor continuously refines their attack tactics by developing custom hacking tools and new\r\nbackdoors. They primarily target their victims via vulnerable websites, SQL servers, and systems publicly facing\r\nthe Internet. To counter these threats, organizations must regularly update and patch their systems to prevent\r\nattackers from gaining initial access. Monitoring is essential to detect unusual activities. 
Adopting proactive\r\nsecurity solutions that integrate robust prevention, detection, and response capabilities will help organizations\r\nsignificantly strengthen their defenses.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management, security operations, and robust layered protection. This comprehensive approach helps\r\nyou predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed\r\nby decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it\r\ndelivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security\r\nleaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision\r\nOne, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a\r\nstrategic partner for innovation.\r\nTrend Micro™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which\r\nprovides the latest insights from Trend Research on emerging threats and threat actors.\r\nThreat Insights\r\nEmerging Threats: Earth Lamia Develops Custom Arsenal to Target Multiple Industries\r\nThreat Actor: Earth Lamia\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nEarth Lamia Develops Custom Arsenal to Target Multiple Industries\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.
\r\nBackdoor C\u0026C servers of Earth Lamia\r\neventSubId: 204 AND (dst: 154.211.89.5 OR dst: 185.238.251.38 OR dst: 206.237.2.40 OR dst: 206.237.5.19 OR\r\ndst: 206.238.179.172 OR dst: 206.238.199.21)\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement\r\nenabled.\r\nMITRE ATT\u0026CK techniques\r\nTactic | Technique | ID\r\nReconnaissance | Active Scanning: Scanning IP Blocks | T1595.001\r\nReconnaissance | Active Scanning: Vulnerability Scanning | T1595.002\r\nReconnaissance | Gather Victim Host Information | T1592\r\nReconnaissance | Gather Victim Network Information | T1590\r\nResource Development | Acquire Infrastructure: Domains | T1583.001\r\nResource Development | Acquire Infrastructure: Virtual Private Server | T1583.003\r\nResource Development | Develop Capabilities: Malware | T1587.001\r\nResource Development | Stage Capabilities: Upload Malware | T1608.001\r\nResource Development | Stage Capabilities: Upload Tool | T1608.002\r\nInitial Access | Exploit Public-Facing Application | T1190\r\nInitial Access | Valid Accounts | T1078\r\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003\r\nPersistence | Account Manipulation: Additional Local or Domain Groups | T1098.007\r\nPersistence | Create Account: Local Account | T1136.001\r\nPersistence | Scheduled Task/Job: Scheduled Task | T1053.005\r\nPersistence | Server Software Component: Web Shell | T1505.003\r\nDefense Evasion | Exploitation for Privilege Escalation | T1068\r\nDefense Evasion | Valid Accounts: Local Accounts | T1078.003\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140\r\nDefense Evasion | Hijack Execution Flow: DLL | T1574.001\r\nDefense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001\r\nDefense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001\r\nDefense Evasion | Masquerading: Match Legitimate Resource Name or Location | T1036.005\r\nDefense Evasion | Reflective Code Loading | T1620\r\nCredential Access | OS Credential Dumping: LSASS Memory | T1003.001\r\nCredential Access | OS Credential Dumping: Security Account Manager | T1003.002\r\nDiscovery | Account Discovery: Local Account | T1087.001\r\nDiscovery | Account Discovery: Domain Account | T1087.002\r\nDiscovery | Domain Trust Discovery | T1482\r\nLateral Movement | Lateral Tool Transfer | T1570\r\nCollection | Data from Local System | T1005\r\nCommand and Control | Data Encoding: Standard Encoding | T1132.001\r\nCommand and Control | Encrypted Channel: Symmetric Cryptography | T1573.001\r\nCommand and Control | Fallback Channels | T1008\r\nCommand and Control | Ingress Tool Transfer | T1105\r\nCommand and Control | Multi-Stage Channels | T1104\r\nCommand and Control | Non-Application Layer Protocol | T1095\r\nCommand and Control | Non-Standard Port | T1571\r\nExfiltration | Exfiltration Over C2 Channel | T1041\r\nIndicators of Compromise (IOCs)\r\nIndicators of compromise related to this campaign may be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html"
	],
	"report_names": [
		"earth-lamia.html"
	],
	"threat_actors": [
		{
			"id": "2137e858-a11d-4b75-ae54-3267b096a4fc",
			"created_at": "2025-06-29T02:01:56.98797Z",
			"updated_at": "2026-04-10T02:00:04.667535Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [],
			"source_name": "ETDA:Earth Lamia",
			"tools": [
				"BypassBoss",
				"PULSEPACK"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3",
			"created_at": "2024-10-04T02:00:04.754794Z",
			"updated_at": "2026-04-10T02:00:03.712878Z",
			"deleted_at": null,
			"main_name": "DragonRank",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonRank",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "650a9c54-160c-4a25-8e96-e845f2dd6f82",
			"created_at": "2026-01-18T02:00:03.063535Z",
			"updated_at": "2026-04-10T02:00:03.901997Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [
				"UNC5454"
			],
			"source_name": "MISPGALAXY:Earth Lamia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf",
			"created_at": "2026-01-17T02:00:03.195495Z",
			"updated_at": "2026-04-10T02:00:03.89438Z",
			"deleted_at": null,
			"main_name": "CL-STA-0048",
			"aliases": [
				"CL STA 0048"
			],
			"source_name": "MISPGALAXY:CL-STA-0048",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12fe258da7a8b598d541704aa8b897f38675c4e4.pdf",
		"text": "https://archive.orkl.eu/12fe258da7a8b598d541704aa8b897f38675c4e4.txt",
		"img": "https://archive.orkl.eu/12fe258da7a8b598d541704aa8b897f38675c4e4.jpg"
	}
}