Earth Lamia Develops Custom Arsenal to Target Multiple Industries

Attribution

In January 2024, an intrusion set identified as REF0657 targeted the financial services sector in South Asia. We believe these are also activities of Earth Lamia. Our telemetry data also shows Earth Lamia targeted Indian financial organizations during 2023 and early 2024. Many of the mentioned attack tactics and hacking tools in this report and those used by Earth Lamia are identical. In addition, we found a Cobalt Strike sample used by Earth Lamia connects to a C&C domain “chrome-online[.]site”. The domain certificate of “chrome-online[.]site” was found to be adopted on “149[.]104[.]23[.]176,” which has been reported as the IP address used by REF0657.

In August 2024, a report on a Mimic ransomware campaign tracked as STAC6451 was published. The report noted that some attack tactics are linked to REF0657. This report mentioned the following activities, which were likely from Earth Lamia:

• The username “helpdesk” and password “P@ssw0rd” pair created during the attack
• The use of the hacking tool “Sophosx64.exe,” which is the “GodPotato” tool. We also found the same tool with the same filename used in Earth Lamia’s attack.
• The Cobalt Strike loader “USERENV.dll” developed with the open-source project “MemoryEvasion”, which is the same as we mentioned above, is used by Earth Lamia.

Some of the attack tactics mentioned in the STAC6451 report are very different from those of Earth Lamia. We believe the report of STAC6451 may include the activities from two different intrusion sets. During our research, we didn’t see Earth Lamia use any ransomware. It could be that Earth Lamia collaborated with the Mimic ransomware campaign before, or they just happened to infect the same victims, as both targeted SQL servers in India.

In January 2025, a research team reported an espionage operation they tracked as CL-STA-0048. They found connections between this campaign, the Chinese threat actor “DragonRank”, and REF0657, which is Earth Lamia. We found the following activities mentioned in the report were likely from Earth Lamia:

• The behavior to download files from 206[.]237[.]0[.]49 which was used by Earth Lamia
• The use of the legitimate binary “AppLaunch.exe” to sideload Cobalt Strike and hacking tools

Our research currently tracks “DragonRank” and Earth Lamia as two different intrusion sets. We haven’t seen evidence that these two intrusion sets are linked or collaborated. However, we cannot rule out this possibility.

In May 2025, researchers shared their observations on multiple China-nexus APT campaigns targeting CVE-2025-31324. One of the mentioned campaigns used the IP address 43[.]247[.]135[.]53, which is associated with a Cobalt Strike C&C domain “sentinelones[.]com”. The C&C domain has been attributed to CL-STA-0048. We believe part of CL-STA-0048’s activities are from Earth Lamia’s operation. However, we have only a medium confidence to attribute the IP address 43[.]247[.]135[.]53 and the exploitation behavior to Earth Lamia as there’s already a time gap between the periods when the IP address was in use during 2024 and 2025.

The same report attributes another IP address 103[.]30[.]76[.]206 to an intrusion set UNC5174 as the VShell C&C server. Our research shows this IP address is currently used by Earth Lamia instead of UNC5174 with high confidence. We also found a VShell sample (SHA256: bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7), which communicates with this IP address. This sample is similar to the other samples used by Earth Lamia:

• First, the identified VShell sample is packaged as a DLL loader with the same packaging approach using VOIDMAW we mentioned
• Second, the identified VShell sample has a same PDB string “C:\Users\qweqw\Downloads\Voidmaw-master\Voidmaw-master\x64\Debug\Dll1.pdb” that we also found in the other samples used by Earth Lamia

The original attribution to UNC5174 is based on the fact that the attacks delivered a VShell stager called SNOWLIGHT. The stager has been reported to be used by UNC5174. However, this may not be reliable because SNOWLIGHT is also one of default stagers in the VShell framework. Anyone using the framework could generate the stager to load their VShell backdoor.

Read More HERE