📃Title: Custom Arsenal Developed to Target Multiple Industries
📅Date: 2025-05-27
🔗References:
- https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
- https://x.com/_rectifyq/status/1927511371467399505
Description
Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain initial access to targeted systems. It has developed custom tools, including the PULSEPACK backdoor and the BypassBoss privilege escalation tool. Earth Lamia's targets have shifted over time: initially financial services, then logistics and online retail, and most recently IT companies, universities, and government organizations. The group employs a range of techniques, including DLL sideloading, abuse of legitimate binaries, and development of modular backdoors. Earth Lamia's activities have been linked to other reported campaigns, suggesting a complex and evolving threat landscape.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Trend-Micro
- target-information="Brazil"
- target-information="India"
- target-information="Indonesia"
- target-information="Malaysia"
- target-information="Philippines"
- target-information="Thailand"
- target-information="Vietnam"
- sector="Finance"
- sector="Academia - University"
- sector="Government, Administration"
- sector="IT"
- mitre-tool="sqlmap - S0225"
- malpedia="JuicyPotato"
- malpedia="STOWAWAY"
- malpedia="Brute Ratel C4"
- malpedia="Cobalt Strike"
- malpedia="Vshell"
- sigma-rules="Antivirus Web Shell Detection"
- sigma-rules="SQL Injection Strings In URI"
- sigma-rules="Potential Recon Activity Via Nltest.EXE"
- sigma-rules="Suspicious Download Via Certutil.EXE"
- sigma-rules="Suspicious Group And Account Reconnaissance Activity Using Net.EXE"
- mitre-attack-pattern=['T1098.007', 'T1070.001', 'T1574.001', 'T1005', 'T1140', 'T1562.001', 'T1087.002', 'T1482', 'T1583.001', 'T1041', 'T1190', 'T1068', 'T1008', 'T1592', 'T1590', 'T1105', 'T1003.001', 'T1570', 'T1087.001', 'T1136.001', 'T1078.003', 'T1587.001', 'T1036.005', 'T1104', 'T1095', 'T1571', 'T1059.001', 'T1620', 'T1595.001', 'T1053.005', 'T1003.002', 'T1132.001', 'T1573.001', 'T1608.001', 'T1608.002', 'T1078', 'T1583.003', 'T1595.002', 'T1505.003', 'T1059.003']
MISP event uuid: 643a2194-c8b1-4f18-98ef-f9767b429683
Indicators of Compromise (IoCs)
type,value,comment
sha256, 4598d35d789db350008c2307febe18859221923fe9f1fd2fa61bccc8eca8828e, 'Hacktool Rakshasa No sample in VT\r\nLast check:28/05/2025'
sha256, d04904e32b5cb0f9b559855fac81d62c6ad0472dc443be02f08b6fe4a7d56f71, 'Hacktool GodPotato No sample in VT\r\nLast check:28/05/2025'
sha256, 5060bcd360683d43dcde43676d908d5d10b5310e71f16c42529b103b91818d57, 'Hacktool JuicyPotato No sample in VT\r\nLast check:28/05/2025'
sha256, 95fb0944a2348f1e326b4ce65b04a5b62e1587d90c40d3bb505dc93f5f61295a, 'Hacktool JuicyPotato No sample in VT\r\nLast check:28/05/2025'
sha256, b8c0d54f40d0c9deafa44860799a54a09c32cc795498bf0e9f2bef49fa056288, 'Hacktool JuicyPotato No sample in VT\r\nLast check:28/05/2025'
sha256, d8e272f50e1d699870a74f8cbed06a9371212c208bcfa8b3c992a4744e84ed87, 'Hacktool Stowaway No sample in VT\r\nLast check:28/05/2025'
sha256, 0916166f5cf72e5869aeb75331a46f9bf978fa328b08e13ee356dd7b0b13afba, 'DLL sideloading loader No sample in VT\r\nLast check:28/05/2025'
sha256, 15a61d74ba86155e9d4636b9f081452a530b6766cc59e950d557a21eab96d60a, 'DLL sideloading loader No sample in VT\r\nLast check:28/05/2025'
sha256, 3c50d4953e0f695d8e2849546dd0a4a9b8d06b3ab3d70d32e4181ca7f8c58b1e, 'DLL sideloading loader No sample in VT\r\nLast check:28/05/2025'
sha256, d8364dc34ccece608beea861067fa31cae3f4ef0c3fcdf1804cc88d162c0ff15, 'DLL sideloading loader No sample in VT\r\nLast check:28/05/2025'
sha256, edc9222aece9098ad636af351dd896ffee3360e487fda658062a9722edf02185, 'DLL sideloading loader No sample in VT\r\nLast check:28/05/2025'
sha256, ffdb183742a3404c3756ba654ea8eb7983650cbf8fdc4e8a6514870e251f2915, 'DLL sideloading loader No sample in VT\r\nLast check:28/05/2025'
sha256, 03bc25ae7222a8142e06629d22c62900e9cd2554ff7d2b9d8836125c6c4fea8c, 'Vshell stager No sample in VT\r\nLast check:28/05/2025'
sha256, a4f8ffff81c13d2bc6ba5f0ded5ea31b73450ad1a0f42c592f1040d46263846a, 'Vshell stager No sample in VT\r\nLast check:28/05/2025'
sha256, 037bda8a7e324e378720ff143ca1810b95c78e74062913e9bc588aac9aa55483, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 038712505c782f6de7fd435805db35cd806da5132bd7b2f2b16b0c430b800f65, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 1572c35417c425433d03477d8e02784739337db9c26df25c0e6b2aa0444c0668, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 2629de99f35a283ad44e8fea20a3b536187c8babb24f18763429390f77144128, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 2a5e8e3d02de6f13195ac962862e37918fa7ab9aa14d8fbe3eb9f2fb217b9517, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 2a62393c3b2e97cdbd03181d4e4cf699d4511c56a1c9c4ed8ff122f05eb919cc, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 2ea8980002af5ace6c34408626ac56b424ea0a2504ccd0281e09d560e8e05276, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 367aa34601606f4f09a496dfeed1d301b8b76643f976ed02960d9e85cce38595, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 3e2f9c3b76c3b4d932783faeb7ab25cfed3edd939f58659e0aa92fd46a6b1111, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 54b0949e3771e1b1dd7eabdbaf2acffe5e527edafc4a5ffa6aaeb0a6047479f1, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 56a00f3f589909783b72ca6fe40d898f45d9787e94f4291a008259ff0a18b12c, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 613985e6cb0783fa378100d464065c0cfab636230ed76994d9daed6b19af3be1, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 6d9b34bec276a1351ef46e63829237c7352a2e64118fe072a650979557b421b9, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 8550677e8ca53235c5eda21401e75ab495e418877e71149d1ae0c3ce247c3124, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 92e82fe79025aa9e68cae7b734de8c840ec7c6dd439f17abefe69354d4a8bd6e, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, b24316e81b6ebf954fab7a87a211554cde6986b239792610f8d234d05d2a2a1f, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, dc27e0fabdbad970519d354a83f8c4791d2311dedb9e7ed3cee2d0f52078f000, 'Vshell No sample in VT\r\nLast check:28/05/2025'
sha256, 18cb28c5c7beae394111cf867b4e3cd8e154ab7c7f3d91016e0ead5d90009ee3, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
sha256, 3be0b7d41d9fedfcbf5dd8147640f1d12c5693936910fcc76d7af99243056b94, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
sha256, 608a5144ae8ddec032854092da555eb9e29626465657c1c5cc3de0ada0bfea7e, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
sha256, 7c56b87fbc92c9ff8bbd0f0979acb839eea8695c1fd18b731fdb0feca077fd4f, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
sha256, 853e735b64cac5c64d18b78b35dc4129551909b8ee3bdb1ad2b6ef75349f0108, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
sha256, a7a7004ed404980e56f3e9dd4b349a42b39d08b310d32c8ec7db8d55ee693a93, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
sha256, c8f855c7b1456739d1c03c4225093475baba75cb49d3f1051ba4e40831e5ce84, 'PULSEPACK WebSocket No sample in VT\r\nLast check:28/05/2025'
ip-dst, 185.238.251.244, 'Earth Lamia hosting servers'
ip-dst, 206.237.1.201, 'Earth Lamia hosting servers'
ip-dst, 206.238.179.242, 'Earth Lamia hosting servers'
domain, chrome-online.site, 'Cobalt Strike C&C Domain'
hostname, times.windowstimes.online, 'Cobalt Strike C&C Domain'
hostname, dxzdq7un7c7hs.cloudfront.net, 'Brute Ratel C&C Domain'
hostname, d3hg0xriyu9bjh.cloudfront.net, 'Brute Ratel C&C Domain'
ip-dst, 103.30.76.206, 'Vshell C&C Server'
ip-dst, 149.104.23.171, 'Vshell C&C Server'
ip-dst, 154.211.89.5, 'Vshell C&C Server'
ip-dst, 164.155.231.64, 'Vshell C&C Server'
ip-dst, 185.238.251.38, 'Vshell C&C Server'
ip-dst, 185.238.251.46, 'Vshell C&C Server'
ip-dst, 206.237.0.251, 'Vshell C&C Server'
ip-dst, 206.238.179.172, 'Vshell C&C Server'
ip-dst, 206.238.76.121, 'Vshell C&C Server'
ip-dst, 206.238.196.155, 'Vshell C&C Server'
ip-dst, 206.238.199.21, 'Vshell C&C Server'
hostname, api.xwphd.com, 'Vshell C&C Server'
hostname, bkp.windowstimes.me, 'Vshell C&C Server'
hostname, times.windowstimes.me, 'Vshell C&C Server'
hostname, image.windowstimes.online, 'Vshell C&C Server'
hostname, images.windowstimes.online, 'Vshell C&C Server'
ip-dst, 104.233.140.135, 'PULSEPACK C&C Server'
ip-dst, 134.122.176.156, 'PULSEPACK C&C Server'
ip-dst, 141.11.149.124, 'PULSEPACK C&C Server'
hostname, 0ac0568239f8978.ccega6r0yph8.com, 'PULSEPACK C&C Server'
hostname, 784564141.ccega6r0yph8.com, 'PULSEPACK C&C Server'
hostname, c43f5d6e73a7eb.ccega6r0yph8.com, 'PULSEPACK C&C Server'
hostname, admin.668608.xyz, 'PULSEPACK C&C Server'
Full IoCs available in Rectifyq's MISP