China-Linked Hackers Target SAP & SQL Servers: What Businesses Must Know in 2025
Earth Lamia Is Back — And Targeting Critical Business Software
The China-linked threat group known as Earth Lamia has ramped up attacks on organizations across Asia and Brazil by exploiting serious vulnerabilities in SAP NetWeaver and Microsoft SQL Server. If your business runs either system, now is the time to review your patch status and shore up your defenses.
The targets? Once focused on the financial sector, Earth Lamia has broadened its scope to include logistics, universities, government agencies, and even eCommerce platforms.
How They’re Getting In
The group’s primary way in is SQL injection vulnerabilities in public-facing applications. Once inside, it moves laterally across systems using known, publicly documented exploits, including:
- Apache Struts2 (CVE-2017-9805)
- GitLab (CVE-2021-22205)
- WordPress File Upload Plugin (CVE-2024-9047)
- TeamCity by JetBrains (CVE-2024-27198, CVE-2024-27199)
- CyberPanel (CVE-2024-51378, CVE-2024-51567)
- Craft CMS (CVE-2024-56145)
These vulnerabilities are well-documented and have public patches available — yet many businesses still haven’t applied them.
What Is PULSEPACK?
Earth Lamia deploys a stealthy backdoor known as PULSEPACK, a modular implant built in .NET. It can load custom plugins and communicate with its command-and-control server — originally over TCP, and now via WebSocket, showing a high level of sophistication.
DLL side-loading, a signature tactic of Chinese APTs, is used to slip this malware into systems undetected.
How You Can Protect Your Organization
If your infrastructure relies on SAP or SQL Server, here’s how to stay ahead of these threats:
1. Patch Everything
Regularly apply security patches and updates. Subscribe to vendor alerts from Microsoft, SAP, and CMS platforms you use.
2. Perform a Security Audit
Conduct regular vulnerability scans and penetration testing. Use tools like Nessus or OpenVAS to uncover weaknesses.
3. Monitor for Anomalies
Use EDR (Endpoint Detection & Response) and network monitoring tools to detect unusual activity, especially DLL side-loading and unexpected outbound WebSocket connections from servers.
4. Zero Trust Strategy
Limit user access, enforce MFA, and isolate sensitive resources with Zero Trust principles.
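As an added example that is not from the original article, here is a small Python detector for the WebSocket part of step 3: it scans proxy log lines and flags WebSocket handshakes initiated by hosts inventoried as SAP or SQL Server systems, which normally have no reason to open such sessions. The log format, the host inventory (SERVER_ROLES), the sample lines and the raw-IP-destination heuristic are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed asset inventory (assumption): hosts running SAP NetWeaver or SQL Server
# that have no business reason to initiate outbound WebSocket sessions.
SERVER_ROLES = {
    "10.0.5.20": "sap-netweaver",
    "10.0.5.31": "mssql",
}

# Constructed proxy log lines (not real traffic) in an assumed format:
# <timestamp> <src_ip> <method> <url> <Upgrade header or -> <status>
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.5.20 GET https://vendor-updates.example/patch.msi - 200
2025-06-01T10:00:07Z 10.0.5.31 GET wss://203.0.113.45:8443/sync websocket 101
2025-06-01T10:00:09Z 10.0.9.77 GET wss://chat.example/socket websocket 101
2025-06-01T10:01:12Z 10.0.5.20 GET http://203.0.113.45/api websocket 101
2025-06-01T10:02:30Z 10.0.5.20 GET https://sap-support.example/notes - 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<upgrade>\S+) (?P<status>\d{3})$"
)

@dataclass
class Alert:
    ts: str
    src: str
    role: str
    dest: str
    reason: str

def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_websocket_handshake(rec):
    # Either the client asked for an Upgrade to WebSocket, or the proxy saw the
    # 101 Switching Protocols response that completes the handshake.
    return rec["upgrade"].lower() == "websocket" or rec["status"] == "101"

def find_server_websockets(log_text, roles=SERVER_ROLES):
    """Return alerts for WebSocket handshakes initiated by inventoried server hosts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["src"] not in roles or not is_websocket_handshake(rec):
            continue
        host = re.sub(r"^\w+://", "", rec["url"]).split("/")[0]
        # Assumed heuristic: a bare-IP destination is worth a higher severity,
        # since legitimate services are normally reached by hostname.
        reason = "websocket-from-server"
        if re.match(r"^\d+\.\d+\.\d+\.\d+(:\d+)?$", host):
            reason += "+raw-ip-dest"
        alerts.append(Alert(rec["ts"], rec["src"], roles[rec["src"]], host, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_server_websockets(SAMPLE_LOG):
        print(alert)
```

Feed it your proxy or egress logs in the same field order, or adapt LINE_RE to your format; any hit from a server host is a candidate for investigation rather than proof of compromise.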
Final Thoughts
Cyberattacks are evolving — fast. With threat groups like Earth Lamia targeting widely used platforms like SAP and SQL Server, businesses can’t afford to ignore security hygiene. Start patching, auditing, and monitoring now to avoid becoming the next headline.