Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.
During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:
The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:
nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.
After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
he Czech Republic on Wednesday accused China of being responsible for a "malicious cyber campaign" targeting a network used for unclassified communication at its Foreign Affairs ministry, but China rejected the accusations.
China's embassy in Prague called on the Czech side to end its "microphone diplomacy".
The attacks started during the country's 2022 EU presidency and were perpetrated by the cyber espionage group APT31, the Czech government said in a statement. The Czech Republic, an EU state and NATO member, said APT31 was publicly associated with the Chinese Ministry of State Security.
Foreign Minister Jan Lipavsky said that after the attack was detected, the ministry implemented a new communications system with enhanced security in 2024.
"I summoned the Chinese ambassador to make clear that such hostile actions have serious consequences for our bilateral relations," he said.
Lipavsky said the attacks centered on email and other documents and focused on information concerning Asia.
"The Government of the Czech Republic strongly condemns this malicious cyber campaign against its critical infrastructure," the government said in its statement.
China's embassy in the Czech Republic expressed "strong concern and decisive disagreement" with the Czech accusations.
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
Earth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially focused on financial services, the group shifted to logistics and online retail, most recently focusing on IT companies, universities, and government organizations.
Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One also provides hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Earth Lamia.
Introduction
We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657, STAC6451, and CL-STA-0048. Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia.
Earth Lamia is highly active, but our observation found that its targets have shifted over different time periods. They targeted many organizations but focused only on a few specific industries during each time period. In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage. In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations.
Map of targeted countries
Figure 1. Map of targeted countries
download
Earth Lamia continuously develops customized hacking tools and backdoors to improve their operations. While the actor highly leverages open-source hacking tools to conduct their attacks, they also customized these hacking tools to reduce the risk of being detected by security software. We also discovered they have developed a previously unseen backdoor, which we named PULSEPACK. The first version of PULSEPACK was identified in Earth Lamia's attacks during August 2024. In 2025, we found an upgraded version of PULSEPACK, which uses a different protocol for C&C communication, showing they are actively developing this backdoor. In this report, we will reveal the details of Earth Lamia’s operations and share the analysis of their customized hacking tools and backdoors.
Initial access and post-exploitation TTPs
We found that Earth Lamia frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities on the targets' websites. With an identified vulnerability, the actor tried to open a system shell through it to gain remote access to the victims' SQL servers. We suspect they are likely using tools like "sqlmap" to carry out these attacks against their targets. Besides the SQL injection attempts, our telemetry shows the actor also exploited the following vulnerabilities on different public-facing servers:
CVE-2017-9805: Apache Struts2 remote code execution vulnerability
CVE-2021-22205: GitLab remote code execution vulnerability
CVE-2024-9047: WordPress File Upload plugin arbitrary file access vulnerability
CVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability
CVE-2024-27199: JetBrains TeamCity path traversal vulnerability
CVE-2024-51378: CyberPanel remote code execution vulnerability
CVE-2024-51567: CyberPanel remote code execution vulnerability
CVE-2024-56145: Craft CMS remote code execution vulnerability
organizations.
Victoria’s Secret hit by outages as it battles security incident
Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption.
Victoria’s Secret posted the brief statement on its website Wednesday. The company’s outages began earlier on Monday, as users have reported not being able to access the Victoria’s Secret website.
“We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution,” a spokesperson for Victoria’s Secret said in response to TechCrunch’s inquiries. The spokesperson did not provide their name nor describe the nature of the cybersecurity incident.
“We are working to quickly and securely restore operations,” the spokesperson said. The company said its stores remain open.
Victoria’s Secret closed down 7% on the news of the security incident.
