
China-Linked Hackers Target SAP & SQL Servers: What Businesses Must Know in 2025


Earth Lamia Is Back — And Targeting Critical Business Software

A China-linked threat group known as Earth Lamia has ramped up attacks on organizations across Asia and Brazil by exploiting serious vulnerabilities in SAP NetWeaver and Microsoft SQL Server. If your business uses either system, now is the time to patch up your defenses.

The targets? Once focused on the financial sector, Earth Lamia has broadened its scope to include logistics, universities, government agencies, and even eCommerce platforms.


How They’re Getting In

The group’s primary method of entry is through SQL injection vulnerabilities in public-facing applications. Once inside, they move laterally within systems using known exploits, including:

  • Apache Struts2 (CVE-2017-9805)
  • GitLab (CVE-2021-22205)
  • WordPress File Upload Plugin (CVE-2024-9047)
  • TeamCity by JetBrains (CVE-2024-27198, CVE-2024-27199)
  • CyberPanel (CVE-2024-51378, CVE-2024-51567)
  • Craft CMS (CVE-2024-56145)

These vulnerabilities are well-documented and have public patches available — yet many businesses still haven’t applied them.



What Is PULSEPACK?

Earth Lamia deploys a stealthy backdoor known as PULSEPACK, a modular implant built in .NET. It can load custom plugins and communicate with its command-and-control server — originally over TCP, and now via WebSocket, showing a high level of sophistication.

DLL side-loading, a signature tactic of Chinese APTs, is used to slip this malware into systems undetected.


How You Can Protect Your Organization

If your infrastructure relies on SAP or SQL Server, here’s how to stay ahead of these threats:

1. Patch Everything

Regularly apply security patches and updates. Subscribe to vendor alerts from Microsoft, SAP, and CMS platforms you use.

2. Perform a Security Audit

Conduct regular vulnerability scans and penetration testing. Use tools like Nessus or OpenVAS to uncover weaknesses.

3. Monitor for Anomalies

Use EDR (Endpoint Detection & Response) and network monitoring tools to detect unusual activity — especially DLL injections or outbound WebSocket traffic.

4. Zero Trust Strategy

Limit user access, enforce MFA, and isolate sensitive resources with Zero Trust principles.
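
The following added example, not part of the original article, shows the outbound WebSocket check from step 3 run over constructed web proxy records: it flags completed WebSocket handshakes that originate from a server subnet and go to a destination that is not approved. The JSON field names, the server subnet and the allowlisted host are assumptions.

```python
import ipaddress
import json

# Constructed sample: JSON-lines web proxy records. Field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-06-01T02:14:07Z","src":"10.20.5.11","host":"updates.vendor.example","status":200,"upgrade":""}
{"ts":"2025-06-01T02:15:31Z","src":"10.20.5.11","host":"monitoring.corp.example","status":101,"upgrade":"websocket"}
{"ts":"2025-06-01T02:19:44Z","src":"10.20.5.23","host":"WS.Unknown.Example.","status":101,"upgrade":"WebSocket"}
{"ts":"2025-06-01T02:20:02Z","src":"10.30.1.8","host":"chat.saas.example","status":101,"upgrade":"websocket"}
truncated record {"ts":"2025-06-01T02:21
"""

SERVER_NETS = [ipaddress.ip_network("10.20.5.0/24")]  # assumed SAP/SQL Server subnet
ALLOWED_WS_HOSTS = {"monitoring.corp.example"}         # assumed approved destinations


def is_server(ip):
    """True when ip parses and falls inside a monitored server subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SERVER_NETS)


def find_ws_anomalies(log_text):
    """Return (ts, src, host) for server-initiated WebSocket upgrades to unapproved hosts."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or truncated records
        if not isinstance(rec, dict):
            continue
        # A completed WebSocket handshake is HTTP 101 with "Upgrade: websocket".
        if rec.get("status") != 101 or str(rec.get("upgrade", "")).lower() != "websocket":
            continue
        host = str(rec.get("host", "")).lower().rstrip(".")
        if is_server(str(rec.get("src", ""))) and host not in ALLOWED_WS_HOSTS:
            hits.append((rec.get("ts"), rec.get("src"), host))
    return hits


if __name__ == "__main__":
    for ts, src, host in find_ws_anomalies(SAMPLE_LOG):
        print(f"ALERT {ts} {src} -> {host}: WebSocket upgrade from server subnet")
```

Database and SAP application servers rarely have a reason to open WebSocket sessions to the internet, so a short allowlist keeps this check low-noise.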


Final Thoughts

Cyberattacks are evolving — fast. With threat groups like Earth Lamia targeting widely used platforms like SAP and SQL Server, businesses can’t afford to ignore security hygiene. Start patching, auditing, and monitoring now to avoid becoming the next headline.
