Full Report
2025-05-27 • Trend Micro • Joseph C Chen • win.cobalt_strike, win.juicy_potato, win.stowaway, win.vshell
Analysis Summary
# Threat Actor: Earth Lamia
## Attribution & Identity
The report attributes the activity to a threat actor that Trend Micro tracks as Earth Lamia and that develops its own custom tooling. No aliases, overlaps with other tracked groups, or country attribution are given in the extract available here.
## Activity Summary
The summary states that Earth Lamia is actively developing and using a custom arsenal against targets in multiple industries. No named campaigns, activity timeline, or specific intrusions are detailed in this extract.
## Tactics, Techniques & Procedures
The malware families tagged for this actor imply the following techniques; the extract does not describe how each was used in an intrusion:
- Cobalt Strike: commercial post-exploitation framework; its Beacon implant is the likely command-and-control channel.
- Juicy Potato: Windows local privilege escalation that abuses SeImpersonatePrivilege (typically held by service accounts such as IIS application pools) via DCOM activation to obtain a SYSTEM token.
- Stowaway: multi-hop proxy and tunnelling tool used to pivot between internal hosts.
- Vshell: backdoor/remote-access tool, providing an additional C2 channel alongside Cobalt Strike.
- PulsePack: listed by the summary; no description is given in this extract.
## Targeting
- Sectors: Multiple Industries (Specific sectors are not detailed in the provided context).
- Geography: Not specified in the provided context.
- Victims: Not specified in the provided context.
## Tools & Infrastructure
- Malware families used: Cobalt Strike, Juicy Potato, PulsePack, Stowaway, Vshell.
- Infrastructure: No specific C2 infrastructure (domains, IPs) is mentioned in the context.
## Implications
A **custom arsenal** indicates an adversary with its own development capability and the intent to sustain access across varied environments, rather than one relying solely on public tooling. Note, however, that several of the families listed (Cobalt Strike, Juicy Potato, Stowaway) are widely available, so detection content for them exists and should be deployed; the custom components are where behavioural detection matters most.
## Mitigations
Because the actor mixes widely available tools with custom components, mitigations should combine signature detection of the known tools with behavioural controls:
- Detect Cobalt Strike Beacon activity (default staging URIs, default named pipe names, known C2 profiles) and hunt for its post-exploitation patterns rather than relying on file hashes alone.
- Remove the precondition for Juicy Potato: minimise the accounts holding SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, and alert when a process running as a service account spawns a child running as SYSTEM.
- Detect Stowaway-style pivoting by monitoring for unexpected listening ports and internal host-to-host tunnels from servers that should not initiate such connections.
- For PulsePack and Vshell, rely on behavioural analysis (process, network and persistence telemetry), since custom tooling changes faster than static signatures.
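As an added example (not code from the Trend Micro report or from Malpedia), the following Python implements two of the detections above over constructed sample telemetry: the service-account-to-SYSTEM parent/child jump that Potato-family tools produce, and the checksum8 test for Cobalt Strike's default stager URIs. The log formats, the `ProcEvent` fields, the four-character default URI length and the sample hosts and addresses are assumptions.

```python
"""Added example (not from the Trend Micro report): two detections that
implement the Cobalt Strike and Juicy Potato mitigations above, run over
constructed sample telemetry. Field names and log formats are assumptions."""
from dataclasses import dataclass

# ---- 1. Potato-family privilege escalation --------------------------------
# JuicyPotato and its relatives run from a process that holds
# SeImpersonatePrivilege (service accounts such as IIS app pools, NETWORK
# SERVICE, LOCAL SERVICE), coerce a SYSTEM token out of a DCOM activation and
# spawn the program given with -p under that token. The durable signal is the
# privilege jump parent -> child; the command-line syntax is a weaker, secondary one.

SERVICE_ACCOUNTS = {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation); assumed already parsed."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str  # account the *new* process runs as


def is_service_account(user: str) -> bool:
    u = user.upper()
    return u in SERVICE_ACCOUNTS or u.startswith("IIS APPPOOL\\")


def looks_like_potato_cmdline(cmdline: str) -> bool:
    """JuicyPotato's documented switches: -l <port> -p <program> -t <t|u|*> [-c {CLSID}]."""
    tokens = cmdline.split()
    return {"-l", "-p", "-t"}.issubset(tokens)


def find_privilege_jumps(events):
    """Return (parent_pid, child_pid, child_image) where a service-account
    process spawned a SYSTEM child. Sysmon only records the child's user, so the
    parent's account comes from joining on the parent's own creation event."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and is_service_account(parent.user) and e.user.upper() == SYSTEM_ACCOUNT:
            hits.append((parent.pid, e.pid, e.image))
    return hits


# ---- 2. Cobalt Strike default stager URIs ---------------------------------
# Beacon's HTTP stager is fetched from a short random URI whose checksum8
# (sum of the path bytes mod 256, leading slash excluded) is 92 for x86 and
# 93 for x64, a scheme inherited from Metasploit. Malleable C2 profiles can
# change this, so a miss proves nothing, but the default is still common.

CHECKSUM8_X86, CHECKSUM8_X64 = 92, 93
DEFAULT_STAGER_URI_LEN = 4  # assumption: default profile; custom profiles differ


def checksum8(path: str) -> int:
    return sum(path.lstrip("/").encode()) % 256


def find_stager_requests(proxy_lines):
    """Return (client, host, path, arch) for GETs matching the default stager URI shape.
    Random 4-char paths match 2 times in 256, so corroborate a hit with the response
    body (a PE/shellcode blob) or with follow-on Beacon check-ins from the same client."""
    hits = []
    for line in proxy_lines:
        # constructed format: "<timestamp> <client_ip> <method> <host> <path> <status>"
        _ts, client, method, host, path, _status = line.split()
        stem = path.lstrip("/").split("?", 1)[0]
        if method != "GET" or len(stem) != DEFAULT_STAGER_URI_LEN or not stem.isalnum():
            continue
        c = checksum8(stem)
        if c == CHECKSUM8_X86:
            hits.append((client, host, path, "x86"))
        elif c == CHECKSUM8_X64:
            hits.append((client, host, path, "x64"))
    return hits


# Constructed sample telemetry for a stand-alone run (not real victim data).
SAMPLE_PROCS = [
    ProcEvent(700, 500, "services.exe", "services.exe", SYSTEM_ACCOUNT),
    ProcEvent(600, 700, "svchost.exe", "svchost.exe -k iissvcs", SYSTEM_ACCOUNT),
    ProcEvent(1200, 600, "w3wp.exe", "w3wp.exe -ap DefaultAppPool", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1300, 1200, "cmd.exe", "cmd.exe /c whoami", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1400, 1300, "jp.exe",
              "jp.exe -l 1337 -p C:\\Windows\\System32\\cmd.exe -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}",
              "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1500, 1400, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", SYSTEM_ACCOUNT),
]
SAMPLE_PROXY = [
    "2025-05-27T10:00:01Z 10.0.0.15 GET intranet.example.test /home 200",
    "2025-05-27T10:00:02Z 10.0.0.15 GET api.example.test /api/v1/status 200",
    "2025-05-27T10:00:03Z 10.0.0.15 GET cdn.example.test /favicon.ico 404",
    "2025-05-27T10:00:09Z 10.0.0.15 GET 203.0.113.5 /aaa9 200",
    "2025-05-27T10:00:10Z 10.0.0.22 GET 203.0.113.5 /aab9 200",
]

if __name__ == "__main__":
    for hit in find_privilege_jumps(SAMPLE_PROCS):
        print("privilege jump:", hit)
    for hit in find_stager_requests(SAMPLE_PROXY):
        print("possible Cobalt Strike stager:", hit)
```

The process-tree check deliberately ignores the tool's name and arguments for the alert itself: renaming `JuicyPotato.exe` or using a sibling implementation does not change the fact that a child runs as SYSTEM under an IIS app-pool parent. The command-line helper is kept as an enrichment, not a trigger.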